
Comment by OJFord

2 days ago

`yay` (one such wrapper) shows me the PKGBUILD diff on every update. The first time I install something I verify the URL, check any install script, etc., which seems sensible; the vast majority of subsequent updates are changes to just the version number & checksum. A typosquat attack would be very obvious.

(It's a bit vulnerable to it on first install, but so is 'just navigate to the project website [and click download]'.)

But it's one middleman less.

Git repos have been attacked at other times in the past, but a 500/1000-star project still sounds more trustworthy than a user repository managed by randos with a couple of upvotes. I still use the AUR for simple cases, but when I see AUR packages depending on multiple other AUR packages I immediately leave.

And how many others do the same? At least I'm not... Happily I have only a few AUR packages.

Does it also show each patch involved?

  • It shows the overall diff since last update, not patch-wise. But it does show any extra patch file, install script, etc. – not just the PKGBUILD – if that's what you meant.
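The review habit described in the comments above (a routine update changes only the version number and checksum; anything touching the download source, an install script or a build function deserves a closer look) can be turned into a small triage check. The following is an added example, not code from yay or the AUR; it uses a deliberately minimal PKGBUILD parser (top-level assignments and function bodies only, no bash evaluation) and two constructed PKGBUILD texts for a fictitious `foo-tool` package with placeholder `example.com` / `example.net` hosts.

```python
"""Triage an AUR PKGBUILD update: routine (version bump + checksum) or
needs manual review (source host, install script or build logic changed).
Added example; the parser is deliberately minimal and does not run bash."""
import re
from urllib.parse import urlparse

# Keys that legitimately change on almost every version bump.
ROUTINE_KEYS = {"pkgver", "pkgrel", "md5sums", "sha1sums",
                "sha256sums", "sha512sums", "b2sums"}


def parse_pkgbuild(text):
    """Return (variables, functions) from a PKGBUILD-style text.

    Handles `key=value`, `key=(a b c)` arrays (possibly multi-line) and
    `name() { ... }` bodies terminated by a line containing only `}`."""
    variables, functions = {}, {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$", line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if value.startswith("("):
                buf = value
                while ")" not in buf and i + 1 < len(lines):   # multi-line array
                    i += 1
                    buf += "\n" + lines[i]
                inner = buf[1:buf.rindex(")")]
                variables[key] = tuple(tok.strip("'\"") for tok in inner.split())
            else:
                variables[key] = value.strip("'\"")
            i += 1
            continue
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*)\s*\(\)\s*\{", line)
        if m:
            name, body = m.group(1), []
            i += 1
            while i < len(lines) and lines[i].rstrip() != "}":
                body.append(lines[i])
                i += 1
            functions[name] = "\n".join(body)
        i += 1
    return variables, functions


def source_hosts(source_entries):
    """Hostnames referenced by source=(...); local patch files have none."""
    hosts = set()
    for entry in source_entries:
        url = entry.split("::", 1)[-1]        # drop optional "filename::" prefix
        host = urlparse(url).hostname
        if host:
            hosts.add(host)
    return hosts


def classify_update(old_text, new_text):
    """Compare two PKGBUILD versions; a non-empty findings list means review."""
    old_vars, old_funcs = parse_pkgbuild(old_text)
    new_vars, new_funcs = parse_pkgbuild(new_text)
    changed = {k for k in set(old_vars) | set(new_vars)
               if old_vars.get(k) != new_vars.get(k)}
    changed |= {k for k in set(old_funcs) | set(new_funcs)
                if old_funcs.get(k) != new_funcs.get(k)}
    findings = [f"{key} changed" for key in sorted(changed - ROUTINE_KEYS)]
    new_hosts = source_hosts(new_vars.get("source", ())) - \
        source_hosts(old_vars.get("source", ()))
    if new_hosts:                              # typosquat-style host swap
        findings.append(f"new download host(s): {sorted(new_hosts)}")
    return {"changed": sorted(changed), "routine": not findings,
            "findings": findings}


# Constructed sample PKGBUILD for a fictitious package (not a real AUR entry).
OLD_PKGBUILD = """\
pkgname=foo-tool
pkgver=1.2.0
pkgrel=1
pkgdesc="Constructed example package"
arch=('x86_64')
url="https://example.com/foo-tool"
license=('MIT')
source=("https://example.com/foo-tool/archive/v$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')

build() {
  cd "$srcdir/foo-tool-$pkgver"
  make
}

package() {
  cd "$srcdir/foo-tool-$pkgver"
  make DESTDIR="$pkgdir" install
}
"""

# Routine bump: only pkgver and the checksum move.
ROUTINE_UPDATE = OLD_PKGBUILD.replace("pkgver=1.2.0", "pkgver=1.2.1").replace(
    "0000000000000000000000000000000000000000000000000000000000000000",
    "1111111111111111111111111111111111111111111111111111111111111111")

# Suspicious bump: download host swapped and an install script introduced.
SUSPICIOUS_UPDATE = (ROUTINE_UPDATE
                     .replace('source=("https://example.com/', 'source=("https://example.net/')
                     .replace("license=('MIT')", "license=('MIT')\ninstall=foo-tool.install"))

if __name__ == "__main__":
    for label, new in (("routine", ROUTINE_UPDATE), ("suspicious", SUSPICIOUS_UPDATE)):
        print(label, classify_update(OLD_PKGBUILD, new))
```

The routine case reports `changed == ['pkgver', 'sha256sums']` and no findings; the suspicious case flags `install changed`, `source changed` and the new `example.net` host. In practice the same check would be run over the diff yay presents, and any non-routine finding is the cue to read the full PKGBUILD, patches and install script rather than skimming the version line.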