• just_another_person@lemmy.world
    link
    fedilink
    English
    arrow-up
    9
    ·
    26 days ago

    They should have some sort of static code scanners on the repos at rest at this point that look for certain patterns and issue warnings.

    • deadcade@lemmy.deadca.de
      link
      fedilink
      English
      arrow-up
      5
      ·
      26 days ago

      Since this installed a malicious dependency from NPM (and later with bunjs) in the pre install script, it would need at least complex correlation to catch. Maybe building and installing all AUR packages, which would cost far too much for the Arch team.

      Individually and automatically scanning only the PKGBUILDs (the stuff actually on the AUR) would likely not have caught this.

      That doesn’t mean it’s a bad idea to run a basic scan over every change, but it wouldn’t magically “fix” aur malware.

      • just_another_person@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        26 days ago

        It’s enough to build a pattern match and scan against it being elsewhere. Surely they did at least much to find all these packages with malware.