On Sat, May 17, 2014 at 2:40 PM, Roland Tapken <ml@xxxxxxxxxxxxx> wrote: > Hi, > > I'm using arch for about half a year on a few systems, but every time I > install something from aur I'm asking myself one question: > > Why is it considered dangerous to run makepkg as root? > > My first guess was that the PKGBUILD usually comes from an untrusted source and > may contain code to attack my system (copy personal data or install a rootkit > or something like that). But on the other hand, this file tells makepkg how to > build the package that will be installed as root, so if the author of the > PKGBUILD has bad purposes he will just put that code into the created package. > > The second idea is that this advice should prevent the script from > *accidentally* damage my system. But this could be prevented by using fakeroot > (which is disabled when calling makepkg with --asroot according to the > manpage) or chroot. And actually the proper advice in this case should be to > execute makepkg using a user dedicated for this, as for most arch users it > would be worse if their personal file get deleted as if the system becomes > unbootable. > > Regards, > > Roland '--asroot' option has recently been removed. https://projects.archlinux.org/pacman.git/commit/?id=61ba5c961e4a3536c4bbf41edb348987a9993fdb
