And just to be very explicit why this is an issue: each time the package is upgraded through an automated update, the PKGBUILD may change (e.g. to adapt to different dependencies, file structure, etc introduced with new app version).
That also means an AUR maintainer can smuggle in malware with any of those updates, even if you checked the original PKGBUiLD when you installed. And, anyone can request taking over maintenance for unmaintained packages, so it can even happen if the original maintainer was benevolent.
Always check PKGBUILD files on upgrade, even if just a glance. If I remember correctly yay had a function to always show you PKGBUILD diffs before updates, not sure if that was automatically enabled.
I just run paru when I do system upgrades. Very convenient to have one command doing everything in a somewhat safe way.
Of course, inspecting the PKGBUILDs still doesn’t protect us from having the actual software repositories compromised. Just because only the source hash changed doesn’t mean the software doesn’t have malware now.
That’s where I draw the line regarding trust. I don’t feel like going into to each release of each AUR package I have installed to check code to see if malware was injected. 😅
As in updating the AUR when you update your system packages, which come from known sources.
And just to be very explicit why this is an issue: each time the package is upgraded through an automated update, the PKGBUILD may change (e.g. to adapt to different dependencies, file structure, etc introduced with new app version).
That also means an AUR maintainer can smuggle in malware with any of those updates, even if you checked the original PKGBUiLD when you installed. And, anyone can request taking over maintenance for unmaintained packages, so it can even happen if the original maintainer was benevolent.
Always check PKGBUILD files on upgrade, even if just a glance. If I remember correctly yay had a function to always show you PKGBUILD diffs before updates, not sure if that was automatically enabled.
Paru shows you the diffs by default.
I just run
paruwhen I do system upgrades. Very convenient to have one command doing everything in a somewhat safe way.Of course, inspecting the PKGBUILDs still doesn’t protect us from having the actual software repositories compromised. Just because only the source hash changed doesn’t mean the software doesn’t have malware now.
That’s where I draw the line regarding trust. I don’t feel like going into to each release of each AUR package I have installed to check code to see if malware was injected. 😅