Cachy’s new package manager, Shelly, which is awesome, BTW (writing about Arch or derivatives without using BTW is against the law, remember), does checks on AUR packages when installing or updating. Zoey rocks!
Could you explain how Shelly does checks on AUR packages? I can’t find where it mentions doing so on its website, and even in its documentation it says:
Enable AUR - Allows access to the AUR download features, these packages are managed by individual users so access at your own risk
How does Shelly make using the AUR safe for people who are not able to effectively investigate the install scripts themselves?
I don’t know how it’s done, but here is a screencap of an update today:
Thanks for that! I was able to find a page that details what it checks for:
https://www.seafoam-labs.org/shelly-alpm/docs/security/
Seems like it’s certainly better than nothing, but I’m unsure if the 1500 infected packages in the AUR would’ve been flagged by this, depending on how the malware was introduced. Even with Shelly, I probably wouldn’t recommend most people use the AUR until more protections are put in place by the Arch team.