Comment by ptx
7 days ago
> For every single update, for all your AUR packages, all the time.
Yes, that's what I used to do when I ran Arch. It's usually easy. The PKGBUILD is usually small to begin with and the difference for a new version should normally be something like the URL and the version number and not much else, so you can just diff it against the old version.
paru presents all PKGBUILD diffs to you before installing; that's what I use to read them.
I usually only use the AUR to install trusted pre-compiled binary packages. The scripts are very simple and the only thing that should ever change is the URL and the sha256.
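The review habit described in ptx's comment and the one above it (diff the new PKGBUILD against the old one and expect only the version, source URL and sha256 lines to move) can be scripted. The following is an added example, not code from paru, yay or any AUR project: it diffs two PKGBUILDs, strips the hunk markers, and reports any changed line that is not a `pkgver`, `pkgrel`, `source` or `sha256sums` line. The allowlist, the `example.invalid` package and the three sample PKGBUILDs are constructed for the demo; it assumes single-line arrays, as in the simple -bin packages the thread is about, so a legitimate multi-line `source=()` edit would also be flagged for a human look.

```shell
#!/bin/sh
# Review an AUR PKGBUILD update: diff the new file against the one installed last
# time and complain about every changed line that is not a version, source URL or
# sha256 line. Added example for this thread, not paru's or yay's own code.
set -eu

# Lines a routine bump may touch. Assumption: one array per line; anything else
# (new install steps, new sources on their own line, new functions) gets flagged.
ALLOWED_RE='^(pkgver|pkgrel|source(_[a-z0-9_]+)?|sha256sums(_[a-z0-9_]+)?)='

# pkgbuild_check OLD NEW: print unexpected changed lines to stderr;
# return 0 when every change is on the allowlist, 1 otherwise.
pkgbuild_check() {
    # '<' marks removed lines, '>' added ones; keep both, drop hunk headers and blanks
    changed=$(diff "$1" "$2" | sed -n 's/^[<>] \{0,1\}//p' | grep -v '^[[:space:]]*$' || true)
    unexpected=$(printf '%s\n' "$changed" | grep -Ev "$ALLOWED_RE" || true)
    if [ -n "$unexpected" ]; then
        printf 'unexpected change(s) in %s:\n%s\n' "$2" "$unexpected" >&2
        return 1
    fi
    return 0
}

# verdict OLD NEW: prints "clean" or "suspicious" so the result can be scripted on.
verdict() {
    if pkgbuild_check "$1" "$2" 2>/dev/null; then echo clean; else echo suspicious; fi
}

# Constructed sample PKGBUILDs (example.invalid is a reserved, non-resolving domain).
write_samples() {
    cat > "$1/PKGBUILD.old" <<'EOF'
pkgname=example-bin
pkgver=1.2.0
pkgrel=1
pkgdesc="Constructed example package"
arch=('x86_64')
url="https://example.invalid/example"
license=('MIT')
source=("https://example.invalid/example/v$pkgver/example-linux-amd64.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
package() {
  install -Dm755 "$srcdir/example" "$pkgdir/usr/bin/example"
}
EOF
    # Routine bump: only pkgver and the checksum move; source= reuses $pkgver
    sed -e 's/^pkgver=.*/pkgver=1.3.0/' \
        -e 's/^sha256sums=.*/sha256sums=(1111111111111111111111111111111111111111111111111111111111111111)/' \
        "$1/PKGBUILD.old" > "$1/PKGBUILD.good"
    # Same bump plus an extra install step that a reviewer should read before trusting
    awk '{ print } /^  install -Dm755/ { print "  install -Dm644 \"$srcdir/profile.sh\" \"$pkgdir/etc/profile.d/example.sh\"" }' \
        "$1/PKGBUILD.good" > "$1/PKGBUILD.bad"
}

# Stand-alone demo: show the diff paru would present, then the verdict for each update
tmp=$(mktemp -d)
write_samples "$tmp"
diff -u "$tmp/PKGBUILD.old" "$tmp/PKGBUILD.bad" || true
echo "good update: $(verdict "$tmp/PKGBUILD.old" "$tmp/PKGBUILD.good")"
echo "bad update:  $(verdict "$tmp/PKGBUILD.old" "$tmp/PKGBUILD.bad")"
rm -r "$tmp"
```

In practice the "old" file is the PKGBUILD from the previous build (paru and yay keep a clone of the AUR repo per package), and a `suspicious` verdict means read the full diff, not that the package is malicious; a renamed binary or a new dependency will trip it just as a real backdoor would, which is the point of making the allowlist this narrow.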
Yeah, paru makes it really easy. I noticed the diffs are a little easier/different versus yay. Not sure though if it's a config setting; haven't figured out the details yet.
Also, paru shows you syntax-coloured code if you have `bat` installed, I think.
I do it too, but I can see why this can be a problem for users. There should be an "official" scan for potentially malicious changes. I use a third party AUR scanner to help me with this.
What third party scanner do you use?
https://github.com/Sohimaster/traur