On Tue, Apr 23, 2013 at 1:10 PM, Mark E. Lee <mark@xxxxxxxxxxxx> wrote:
> While building packages on the AUR, I was wondering that except for
> manual user intervention (by reading the code), I didn't have any other
> methods of knowing if a package had malware or viruses. Hence, I was
> wondering if virus scanning via clamav should be called before pacman
> installs packages.
>
> --
> Mark E. Lee <mark@xxxxxxxxxxxx>

The PKGBUILD itself is a bash script. If you're running them without reading the code and checking that the sources are from an upstream you trust, you're gonna have a bad time. There are plenty of packages in the AUR that touch outside of $pkgdir - but most seem to be beginner mistakes in good faith.

ClamAV pretty much just detects very common win32 viruses, because it's used on mail servers to *reduce* the number of spread viruses.

If you really feel like scanning the package contents after you've already trusted the PKGBUILD and build scripts, just don't use makepkg -i.
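The reply's two points, that a PKGBUILD has to be read because it can touch paths outside $pkgdir, and that scanning belongs between makepkg and pacman -U rather than inside makepkg -i, as an added example that is not part of the thread and not code from makepkg or Arch: a small grep heuristic (function names and the sample PKGBUILD are constructed for the demo) that flags the most obvious out-of-$pkgdir writes, with the build-inspect-install flow noted in comments.

```shell
#!/bin/sh
# Added example, not code from the original thread or from makepkg itself:
# a grep heuristic to support reading a PKGBUILD before running makepkg. It
# flags commands writing to absolute system paths rather than under $pkgdir
# and "make install" lines without DESTDIR. It is no sandbox; indirect
# writes (scripts called by the PKGBUILD, sources it downloads) are missed.

# check_pkgdir_escapes PKGBUILD: print suspicious lines with line numbers;
# return 1 if any were found, 0 otherwise.
check_pkgdir_escapes() {
    # Strip every $pkgdir-prefixed token first, so a command that mixes
    # "$pkgdir/etc/x" with a bare /etc/x is still reported.
    stripped=$(sed -E 's/\$\{?pkgdir\}?[^[:space:]"]*//g' "$1")
    hits=$(printf '%s\n' "$stripped" | grep -nE \
        '^[[:space:]]*(install|cp|mkdir|rm|ln|chmod|chown|touch|tee)[[:space:]].*[[:space:]]/(usr|etc|opt|var|boot|home)(/|[[:space:]]|$)' || true)
    nodest=$(printf '%s\n' "$stripped" | grep -nE '^[[:space:]]*make[[:space:]].*install' \
        | grep -v DESTDIR || true)
    if [ -n "$hits$nodest" ]; then
        printf 'Suspicious writes outside $pkgdir in %s:\n%s\n%s\n' "$1" "$hits" "$nodest"
        return 1
    fi
    return 0
}

# Constructed sample PKGBUILD written to $1: two correct installs, one stray
# cp into /usr, one bare "make install".
write_sample_pkgbuild() {
    cat > "$1" <<'EOF'
pkgname=demo
pkgver=1.0
pkgrel=1
arch=('any')
package() {
    install -Dm755 demo.sh "$pkgdir/usr/bin/demo"
    install -Dm644 demo.conf "${pkgdir}/etc/demo.conf"
    cp demo.desktop /usr/share/applications/demo.desktop
    make install
}
EOF
}

# The safer flow the thread recommends, as comments (makepkg, bsdtar and
# clamscan are assumed to exist on the Arch box, not wherever this runs):
#   makepkg                                    # build only, no -i
#   mkdir inspect && bsdtar -xf ./*.pkg.tar.* -C inspect && clamscan -r inspect
#   pacman -U ./*.pkg.tar.*                    # install once reviewed
sample=$(mktemp)
write_sample_pkgbuild "$sample"
check_pkgdir_escapes "$sample" || echo "=> read this PKGBUILD before building"
rm -f "$sample"
```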