



















I, for one, use an AUR helper that leverages Git to allow me to review exactly what changed in a given update. Most of the time it's just a version number and a file hash, sometimes the change is more substantial and a more careful review is needed; if I'd see obfuscated code, downloads from strange URLs or, in this case, unexpected post-install scripts that run 'npm install', or anything else even remotely suspicious, I wouldn't run the build. So far this has happened zero times to me.
It's not fail-safe, of course, and I can't review all of the code that is actually getting built, but if more people would use the AUR in this way, we'd have a much better chance of catching attacks like these.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。