Comment by Tharre

7 days ago

> If a PKGBUILD is running a command to download something not listed in source, that's a sign that something nefarious could be happening, and such a PKGBUILD absolutely requires careful human review.

First, although I don't disagree with that being how it should work, in a world where everyone relies on npm, cargo, etc. to handle dependencies, this scenario is not realistic.

Second and more importantly, it doesn't really change much if it's listed in the sources or not. You can patch a startup file to download something as soon as the program is executed, including checks for whether it's currently running in a virtual environment. You cannot statically detect that the PKGBUILD contains something like that; antivirus software has been trying to do just that for decades, and its detection is still basically useless.

> A less than 100% reliable mechanism sure beats the current situation which is "wait for users report on the forum that they have been pwn3d".

The current situation is that users are expected to review PKGBUILDs before they install them. And you're ignoring that implementing any mechanism has a cost. I don't know if it's worth it or not, but it's not unrealistic that it would be a ton of effort for barely any gain.
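To make the two points above concrete, here is an added example (not code from the thread, the AUR, or makepkg) of the kind of "downloads something not listed in source" check being discussed. It parses the `source=()` array of a PKGBUILD and flags fetch commands in the package functions whose URLs are not listed there. Both PKGBUILDs it runs on are constructed for this example; `demo-app`, `example.invalid` and `startup.patch` are placeholders. The first PKGBUILD runs `curl` directly in `build()` and is flagged. The second lists every file it uses in `source=()`, including a patch applied in `prepare()`, and passes cleanly; the checker has no way of knowing what that patch does to the program's startup script, which only runs on the user's machine after installation, so a check of this shape cannot see the case the comment describes.

```python
import re

# Constructed PKGBUILD fragments for this example; not real packages.
PKGBUILD_DIRECT_FETCH = r'''
pkgname=demo-app
pkgver=1.0
source=("https://example.invalid/demo-app-1.0.tar.gz")
sha256sums=('SKIP')
build() {
  cd "$srcdir/demo-app-$pkgver"
  curl -fsSL https://example.invalid/extra.tar.gz | tar xz
  make
}
'''

PKGBUILD_PATCHED_STARTUP = r'''
pkgname=demo-app
pkgver=1.0
source=("https://example.invalid/demo-app-1.0.tar.gz"
        "startup.patch")
sha256sums=('SKIP' 'SKIP')
prepare() {
  cd "$srcdir/demo-app-$pkgver"
  patch -p1 < "$srcdir/startup.patch"
}
build() {
  cd "$srcdir/demo-app-$pkgver"
  make
}
'''

# Commands that fetch from the network during the build. This list is an
# assumption for the example; a real check would need a much longer one.
FETCH_TOOLS = re.compile(
    r'\b(curl|wget|git\s+clone|pip\s+install|npm\s+install|cargo\s+fetch|aria2c)\b'
)
URL = re.compile(r'https?://\S+')


def parse_source_array(text):
    """Return the entries of the first source=( ... ) array, quotes stripped."""
    m = re.search(r'^source=\((.*?)\)', text, re.S | re.M)
    if not m:
        return []
    return re.findall(r'["\']?([^\s"\']+)["\']?', m.group(1))


def function_bodies(text):
    """Map shell function names to bodies for `name() { ... }` with the closing
    brace at the start of a line (enough for PKGBUILD-style functions)."""
    return {
        m.group(1): m.group(2)
        for m in re.finditer(r'^(\w+)\(\)\s*\{(.*?)^\}', text, re.S | re.M)
    }


def find_unlisted_fetches(text):
    """Return (function, line) pairs where a fetch tool is invoked on a URL
    that does not appear in source=(), or on no visible URL at all."""
    sources = set(parse_source_array(text))
    findings = []
    for name, body in function_bodies(text).items():
        for line in body.splitlines():
            if not FETCH_TOOLS.search(line):
                continue
            urls = [u.rstrip('"\')') for u in URL.findall(line)]
            if not urls or any(u not in sources for u in urls):
                findings.append((name, line.strip()))
    return findings


if __name__ == "__main__":
    for label, pkgbuild in (("direct fetch", PKGBUILD_DIRECT_FETCH),
                            ("patched startup", PKGBUILD_PATCHED_STARTUP)):
        print(label, find_unlisted_fetches(pkgbuild))
```

The second case is the one that matters: `startup.patch` is a perfectly ordinary `source=()` entry with a checksum, `prepare()` does nothing a reviewer would not expect, and whatever the patch adds to the program's own startup path runs later, outside makepkg, where no build-time rule applies. Reading the patch itself is back to human review.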

> in a world where everyone relies on npm, cargo, etc.

Only certain niches do. No Debian package can connect to the Internet while being built, and the Debian Archive contains vast amounts of software that makes a computer useful.

Reliance on npm, cargo, etc. makes it harder to package certain things, but in general they're the exception rather than the rule.