Hi, I'm using arch for about half a year on a few systems, but every time I install something from aur I'm asking myself one question: Why is it considered dangerous to run makepkg as root? My first guess was that the PKGBUILD usually comes from an untrusted source and may contain code to attack my system (copy personal data or install a rootkit or something like that). But on the other hand, this file tells makepkg how to build the package that will be installed as root, so if the author of the PKGBUILD has bad purposes he will just put that code into the created package. The second idea is that this advice should prevent the script from *accidentally* damage my system. But this could be prevented by using fakeroot (which is disabled when calling makepkg with --asroot according to the manpage) or chroot. And actually the proper advice in this case should be to execute makepkg using a user dedicated for this, as for most arch users it would be worse if their personal file get deleted as if the system becomes unbootable. Regards, Roland
Attachment:
signature.asc
Description: This is a digitally signed message part.
