On Sat, May 17, 2014 at 5:40 AM, Roland Tapken <ml@xxxxxxxxxxxxx> wrote:
> My first guess was that the PKGBUILD usually comes from an untrusted source and
> may contain code to attack my system (copy personal data or install a rootkit
> or something like that).

I think that the point isn't that you're not supposed to run makepkg as root to protect against *malicious* packages, but rather to protect against *badly written* ones. There are of course many ways that a malicious package could get around that to hose your system, but a simple badly written package that spews files directly into /usr instead of into $pkgdir is easily thwarted by not having the permissions necessary to do so.

Regards,
~Celti