duncaen [1] filed a deletion request for opendoas-bin [2]:

This is a forked version of the community/opendoas package.

There are a number of issues:
* This could give the false impression that its the same project as
community/opendoas, the description is the same.
* They added a flag that accepts a password, which leaks the password
to anyone reading /proc/*/cmdline.
* This is a binary package for a setuid binary (from an untrusted
source), I only verified the "source", there is no guarantee that it
doesn't add more malicious code.

[1] https://aur.archlinux.org/account/duncaen/
[2] https://aur.archlinux.org/pkgbase/opendoas-bin/

Reply via email to