A new open-source tool, traur, written in Rust, has emerged for Arch users, aiming to improve security awareness in Arch Linux’s user-maintained software ecosystem by introducing automated trust scoring for AUR packages.
Traur analyzes installed or selected AUR packages and issues risk signals based on their build scripts, metadata, and past behavior. The main goal is to bring benefit to the Arch community by helping users decide how much to trust an AUR package before installing or updating it, all without running any code. And I can say that this is especially useful after several AUR packages were compromised last year.

Sounds good, but I’ll need somebody else to audit Traur itself first ;)
Looks like it was vibe coded so there’s some good reason to be cautious
It’s laughable before you even get to the code. You know, doing “eval bad” when all the build scripts are written in bash 🤣
There is also no protection for VCS sources (assuming no revision hash is specified) in makepkg (no “locking” with content hash stored). So, if an AUR package maintainer is malicious, they can push whatever they want from the source side. They actually can do that in any case obviously. But with VCS sources, they can do it at any moment transparently. In other words, your primary concern should be knowing the sources are coming from a trustable upstream (and hoping no xz-like fiasco is taking place). Checking if the PKGBUILD/install files are not fishy is the easier part (and should be done by a human). And if you’re using AUR packages to the extent where this is somehow a daunting time-consuming task, then there is something wrong with you in any case.
Edit: That is not to say the author of the tool wouldn’t just fit right in with security theater crowd. Hell, some of them even created whole businesses using not too dissimilar theater components.
@kadu@scribe.disroot.org
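The "no locking for VCS sources" point in the comment above is easy to check statically. What follows is an added example, not code from traur or from makepkg: a small POSIX shell script that reads the `source=()` arrays of a PKGBUILD as text (it never sources or executes the file) and reports which VCS entries name an immutable object via `#commit=` or `#revision=`, which only name a movable ref (`#tag=`, `#branch=`), and which track whatever HEAD is at build time. The function names and the sample PKGBUILD are mine and constructed for illustration; the host `example.invalid` is not a real upstream.

```shell
#!/bin/sh
# Added example for this thread: static check for unpinned VCS sources in a
# PKGBUILD. Hypothetical helper, not part of traur or makepkg. The PKGBUILD
# is only ever read as text; nothing in it is evaluated.

# Print every entry of source=() and source_<arch>=() arrays, one per line.
# Multi-line arrays and quoted entries are handled; shell variables such as
# $pkgname are left unexpanded because no code is run.
pkgbuild_sources() {
    awk '
        /^[[:space:]]*source(_[[:alnum:]_]+)?=\(/ { inarr = 1; sub(/^[^(]*\(/, "") }
        inarr {
            if ($0 ~ /\)/) { sub(/\).*/, ""); inarr = 0 }
            sub(/(^|[[:space:]])#.*$/, "")      # shell comments, not "#commit=" fragments
            n = split($0, f, /[[:space:]]+/)
            for (i = 1; i <= n; i++) {
                gsub(/^["'"'"']|["'"'"']$/, "", f[i])
                if (f[i] != "") print f[i]
            }
        }' "$1"
}

# Classify one source entry. makepkg treats an entry whose protocol (before
# "://", after an optional "name::" alias) starting with git, svn, hg, bzr or
# fossil as a VCS source. Only "#commit=" (git) or "#revision=" (svn, hg, bzr)
# names an immutable object; "#tag=" and "#branch=" are movable refs; no
# fragment at all means whatever HEAD is when you build.
classify_source() {
    entry=${1#*::}                         # drop optional "filename::" alias
    case $entry in
        git://*|git+*://*|svn://*|svn+*://*|hg://*|hg+*://*|bzr://*|bzr+*://*|fossil+*://*) ;;
        *) echo "static"; return ;;
    esac
    case $entry in
        *'#commit='*|*'#revision='*) echo "vcs-pinned" ;;
        *'#tag='*|*'#branch='*)      echo "vcs-movable" ;;
        *)                           echo "vcs-unpinned" ;;
    esac
}

# Print "<class><TAB><entry>" for every source; return 1 if anything is not
# pinned to an immutable revision, so the check can gate an install script.
check_pkgbuild_vcs_pins() {
    report=$(pkgbuild_sources "$1" | while IFS= read -r src; do
        printf '%s\t%s\n' "$(classify_source "$src")" "$src"
    done)
    printf '%s\n' "$report"
    if printf '%s\n' "$report" | grep -Eq '^vcs-(unpinned|movable)'; then
        return 1
    fi
    return 0
}

# Constructed sample PKGBUILD (not a real AUR package), written to a temp file.
# It mixes an unpinned git source, a commit-pinned one, a static tarball and
# an arch-specific hg source on a branch.
sample_pkgbuild() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
pkgname=example-git
pkgver=1.0
source=("git+https://example.invalid/upstream.git"        # tracks HEAD
        "pinned::git+https://example.invalid/lib.git#commit=0123456789abcdef0123456789abcdef01234567"
        "https://example.invalid/$pkgname-$pkgver.tar.gz")
source_x86_64=('hg+https://example.invalid/tool#branch=default')
sha256sums=('SKIP' 'SKIP' 'deadbeef' 'SKIP')
EOF
    echo "$f"
}

# Stand-alone use: check the PKGBUILD given as $1, or the constructed sample.
target=${1:-}
cleanup=
if [ -z "$target" ]; then
    target=$(sample_pkgbuild)
    cleanup=$target
fi
check_pkgbuild_vcs_pins "$target" || echo "WARNING: unpinned or movable VCS sources present" >&2
if [ -n "$cleanup" ]; then rm -f "$cleanup"; fi
```

Two caveats that follow directly from the comment above. First, a commit hash only tells you that the maintainer cannot swap the tree out from under you after you reviewed it; it says nothing about whether that commit, or the upstream it came from, is trustworthy, which is the harder and human part of the job. Second, because this parses text only, a PKGBUILD that assembles its sources dynamically (`source=("$_url")`, `source+=(...)` inside a function) will show fewer entries than makepkg actually fetches, and that in itself is worth a second look.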