> > The problem is that namcap's implementation is not meant for untrusted > PKGBUILDs. Sourcing those build files is a big security flaw, so we > can't do that for the AUR. >
We can create minimal chroot with bash and namcap only. It would require changes to the infrastructure but it could improve the PKGBUILDs in AUR a lot. Here's how it could work: * user uploads tarball with a package to AUR, the tarball is moved to the "staging area". * uploader can see his/her (I wonder how many girls are here :-)) package in AUR interface immediately – this is mostly to prevent consecutive uploads of the same package. Other users can't see it until it's checked by namcap. * create the chroot and check the package using namcap. then of course clean the chroot * if there are errors in the package send email/other notification to the uploader. Otherwise the package is made available to public. -> it could be interesting to made namcap results available too. The package "Package Details" could include namcap log somewhere.
