





















I agree with you here. Reading the phrase "Even careful, security-minded people are unlikely to review every single update to a PKGBUILD" made me want to wave my hand in the air and yell, "That's me! I do review every update!"
It's so frustrating because the practice of blindly installing from the AUR is so obviously a bad idea, so clearly documented as something you shouldn't do, and so thoroughly unsupported by the official Arch project, but clearly a common practice anyway. It's a case of "this is why we can't have nice things", and I'll be really frustrated if the AUR has to be constrained or shut down because people can't use it responsibly.
Unfortunately, I don't know the answer. You can't simply admonish people to " be responsible". The Arch project tries to communicate the nature of the AUR by refusing to make it easy to use (the canonical procedure is "git clone, review, and build manually"), but you can't stop people from automating away that barrier, at which point people get told to "just use a helper".
An education campaign? After all, that might happen on it's own eventually, if a suitably big attack occurs and the misguided "just use a helper" advice turns into misguided "the AUR is full of malware" advice.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。