On Fri, Jul 10, 2009 at 11:39 AM, Alessandro Doro<ordo...@gmail.com> wrote: > ¹ Really theoretical, assuming that the user: > · read the PKGBUILD, > · trust the package source.
Yeah... I think I'd be somewhat suspicious if I saw a PKGBUILD calling sudo. sudo -k wouldn't be very effective either. What if I run sudo elsewhere on my system during the build process, the hole is open again. As long as you're running an untrusted script on your system, there's infinitely many other possibilities. An rm -rf ~/* is pretty damaging and doesn't need sudo. Allesandro is spot on. James
