On Sun, 25 Mar 2018 13:53:59 -0700, Jimi Bove wrote:
>At least as far as I know (maybe yaourt's fixed this by now, too),
>running `yaourt -Si` on an AUR package results in the PKGBUILD being
>sourced, allowing malicious code to be executed if it's in there. And
>also as far as I know, that's the only flaw in yaourt, besides
>extremely minor ones like how it handles split packages and tmpfs, and
>ones that are just a feature it's missing that another AUR helper has.

Yes, I forgot about the split packages. An inexperienced user
unfortunately would build a split package two times instead of one
time. Not really an issue.

I guess a real issue when yaourt is used by an inexperienced user is
the lexical order in which updated packages are built. If package "a"
depends on package "b", we need to build "b" before we build "a", but
yaourt would build "a" first.
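
Added example, not part of the original message and not yaourt's code: both points in this thread (reading package metadata without sourcing the PKGBUILD, and building "b" before "a") can be handled by parsing the static .SRCINFO file that AUR packages ship as plain data and sorting the build set by dependency. The package contents and function names below are constructed for illustration.

```python
import re
from graphlib import TopologicalSorter  # Python 3.9+

# Constructed .SRCINFO contents for two hypothetical AUR packages.
SRCINFO = {
    "a": "pkgbase = a\n\tpkgver = 1.0\n\tdepends = b>=2.0\n"
         "\tdepends = glibc\n\npkgname = a\n",
    # The shell syntax below stays an inert string: nothing is evaluated.
    "b": "pkgbase = b\n\tpkgver = 2.1\n"
         "\tmakedepends = $(echo not-run)\n\npkgname = b\n",
}

DEP_KEYS = ("depends", "makedepends", "checkdepends")

def parse_srcinfo(text):
    """Parse 'key = value' lines as data; no shell is ever invoked."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(" = ")
        if sep:
            fields.setdefault(key, []).append(value)
    return fields

def dep_names(fields):
    """Dependency names with version constraints (>=, =, <) stripped."""
    names = set()
    for key in DEP_KEYS:
        for value in fields.get(key, []):
            names.add(re.split(r"[<>=]", value, maxsplit=1)[0])
    return names

def build_order(srcinfos):
    """Return package names so that every dependency is built first."""
    graph = {}
    for name, text in srcinfos.items():
        # Only dependencies inside the build set create ordering edges;
        # repository packages such as glibc are left to pacman.
        graph[name] = dep_names(parse_srcinfo(text)) & set(srcinfos)
    # static_order() raises graphlib.CycleError on circular dependencies.
    return list(TopologicalSorter(graph).static_order())

if __name__ == "__main__":
    print("lexical order:   ", sorted(SRCINFO))
    print("dependency order:", build_order(SRCINFO))
```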