
With AUR, you are expected to manually verify the PKGBUILD file and install scripts.

What/how are you supposed to actually do this? What are some red flags to look for, what are common things done by legitimate packages that are "okay"?

Often the packages I look at download some scripts or archives, then run stuff inside them. The PKGBUILD itself doesn't seem to be doing anything bad, but it's curling an archive with hundreds of files and then running them. Most AUR tools don't even have a way of looking at anything besides the PKGBUILD and install script, and expect you to make a decision based on just those. Am I supposed to hunt down the downloaded files, spend hours (or days) reading all the code (which likely exceeds my own programming knowledge) and then come back and "decide" to install the AUR package?

GAD3R
Bagalaw

1 Answer


PKGBUILDs are just bash scripts. They are designed to be readable.

The Arch Wiki has a guide to the different functions, and what you should expect to see in each.

Odd variations here, particularly in the prepare or install functions, should be scrutinised carefully. The removal of files, or installations that touch $HOME or $PATH, should be treated with suspicion and fully investigated.

These include validpgpkeys and integrity checksums, which ensure that the source you download is valid. Makepkg will warn you if either of these fails; that would be a huge red flag not to proceed.

You can also read the Arch Packaging standards to understand how PKGBUILDs should be created.

As for the actual upstream source, assuming it is valid, that is a call only you can make. There is malicious software in the wild, but the Trusted Users do an excellent job of keeping it from the AUR. If you are using PKGBUILDs from other sources, then you are on your own.

There are also PKGBUILDs that are broken through packager error that can have catastrophic consequences. It therefore makes sense to read them, wherever possible, before running them.

jasonwryan
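As an added example (not part of the answer, and not an Arch or makepkg tool), the shell function below does a first-pass triage of a PKGBUILD for the red flags the answer lists: checksums set to SKIP, a signature file without validpgpkeys, recursive removals outside the build directories, references to $HOME or PATH, and downloads piped into a shell. The grep patterns are my own heuristics, and the PKGBUILD it audits is constructed for the demonstration rather than taken from the AUR.

```shell
#!/usr/bin/env bash
# Static first-pass triage of a PKGBUILD for the red flags the answer names.
# It narrows what to read by hand; it does not replace reading the file.
# Prints one finding per line; always exits 0 so it runs cleanly under set -e.
audit_pkgbuild() {
    local f="$1"
    # 'SKIP' tells makepkg not to verify that download at all.
    grep -Eq "^[a-z0-9]+sums=.*'SKIP'" "$f" && echo "checksum set to SKIP: source not verified"
    grep -Eq '^(sha256|sha512|b2|md5|sha1)sums=' "$f" || echo "no integrity checksums declared"
    # A .sig/.asc is fetched but there is no validpgpkeys to check it against.
    if grep -Eq '\.(sig|asc)' "$f" && ! grep -q '^validpgpkeys=' "$f"; then
        echo "signature file fetched but validpgpkeys missing"
    fi
    # Recursive rm rooted at /, $HOME or ~ (cleanups inside $pkgdir do not match).
    grep -En 'rm -[a-zA-Z]*r[a-zA-Z]* +"?(/|\$HOME|~)' "$f" | sed 's/^/rm outside build dirs: line /'
    # $HOME references or PATH assignments outside comments (CMAKE_PREFIX_PATH= etc. excluded).
    grep -En '(\$HOME|~/|(^|[^A-Z_])PATH=)' "$f" | grep -Ev '^[0-9]+:[[:space:]]*#' \
        | sed 's/^/touches $HOME or PATH: line /'
    # A download piped into an interpreter bypasses the source array and its checksums.
    grep -En '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh' "$f" | sed 's/^/download piped to shell: line /'
    return 0
}
count_findings() { audit_pkgbuild "$1" | wc -l | tr -d ' '; }

# Constructed sample PKGBUILD (not a real AUR package) showing each red flag.
write_sample_pkgbuild() {
    cat > "$1" <<'EOF'
pkgname=example-tool
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/$pkgname-$pkgver.tar.gz"
        "https://example.invalid/$pkgname-$pkgver.tar.gz.sig")
sha256sums=('SKIP' 'SKIP')
build() {
  cd "$srcdir/$pkgname-$pkgver"
  curl -s https://example.invalid/bootstrap.sh | sh   # fetched outside source=()
  make
}
package() {
  cd "$srcdir/$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  rm -rf "$HOME/.config/$pkgname"                    # touches the user's home
}
EOF
}

sample="$(mktemp)"; write_sample_pkgbuild "$sample"
audit_pkgbuild "$sample"   # prints 5 findings for the sample
rm -f "$sample"
```

A clean run on a well-formed PKGBUILD prints nothing; run it on the file in the cloned AUR directory before makepkg, then read whatever it points at.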