How to Review an AUR Package
4 days ago
- #PKGBUILD
- #AUR
- #Arch Linux
- The Arch Linux team was notified of three AUR packages containing malware on July 18th, 2025.
- The AUR (Arch User Repository) is a collection of user-created packaging scripts (PKGBUILDs) for Arch Linux.
- PKGBUILDs are bash scripts that define how to build a package, including metadata like pkgname, pkgver, and pkgdesc.
- PKGBUILDs include build functions: prepare(), build(), check(), and package(), which handle different stages of the packaging process.
- When reviewing a PKGBUILD, check that every entry in the sources array comes from the trusted upstream project and read any patches it applies.
- Ensure the build steps make sense, that nothing is downloaded inside build(), check(), or package(), and scrutinize any install scripts or pacman hooks the package ships.
- If a PKGBUILD is suspicious, ask for help in the #archlinux-aur IRC channel, forums, or mailing list.
- The AUR is based on trust and may need improvements, such as a pull-request system, but it remains a valuable resource for Arch Linux users.
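As an added example (not from the original post or from any Arch tooling), here is a small shell script that applies the review points above to a PKGBUILD mechanically: every entry in the sources array must be fetched over https or be a local file, no checksum may be `SKIP`, no network tool may be called inside build(), check() or package(), and any install script or pacman hook is reported so the reviewer reads it. It only greps the file and never sources or runs it, since a hostile PKGBUILD executes arbitrary bash as soon as makepkg parses it. The two PKGBUILDs it audits are constructed for the demo; the `example-tool` package name, the example.org/example.net hosts and the checksum values are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: a text-only pre-review pass over a
# PKGBUILD. It greps the file and never sources or executes it.

# Print the body of shell function $1 found in file $2 (empty if absent).
body_of() {
    awk -v fn="$1" '
        $0 ~ ("^[[:space:]]*" fn "[[:space:]]*[(][)][[:space:]]*[{]") { inside = 1; next }
        inside && /^}/ { inside = 0 }
        inside { print }
    ' "$2"
}

# Print each entry of the source=( ... ) array in file $1, one per line, unquoted.
sources_of() {
    awk '
        /^source(_[a-z0-9_]+)?=\(/ { inside = 1; sub(/^source[^(]*\(/, "") }
        inside {
            line = $0
            if (line ~ /\)/) { inside = 0; sub(/\).*/, "", line) }
            n = split(line, parts, /[[:space:]]+/)
            for (i = 1; i <= n; i++) if (parts[i] != "") print parts[i]
        }' "$1" | tr -d "\"'"
}

# Print one line per finding for PKGBUILD $1; always returns 0 so callers count lines.
audit_pkgbuild() {
    file="$1"
    while IFS= read -r src; do
        src="${src#*::}"                  # drop the "localname::url" rename prefix
        case "$src" in
            https://*|git+https://*) ;;   # expected
            *://*|git+*) echo "source not fetched over https: $src" ;;
            *) ;;                         # local file shipped next to the PKGBUILD
        esac
    done <<EOF
$(sources_of "$file")
EOF
    # SKIP is normal only for VCS (-git) sources; for a tarball it disables verification.
    if grep -q "'SKIP'" "$file"; then
        echo "a checksum is SKIP: the fetched source is never verified"
    fi
    for fn in build check package; do
        if body_of "$fn" "$file" | grep -Eq '(^|[^[:alnum:]_])(curl|wget|git[[:space:]]+clone|pip[[:space:]]+install)([^[:alnum:]_]|$)'; then
            echo "network access inside $fn(): all inputs belong in source="
        fi
    done
    if grep -Eq '^install=' "$file"; then
        echo "ships an install script (install=): it runs as root at install time, read it"
    fi
    if grep -Eq 'libalpm/hooks|\.hook' "$file"; then
        echo "installs a pacman hook: read what it triggers on"
    fi
    return 0
}

# Constructed PKGBUILDs for the demo; hosts and checksums are placeholders.
write_clean_demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
pkgname=example-tool
pkgver=1.0.0
pkgrel=1
arch=('x86_64')
source=("https://example.org/example-tool-$pkgver.tar.gz"
        "fix-build.patch")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            '1111111111111111111111111111111111111111111111111111111111111111')

build() {
    cd "$srcdir/$pkgname-$pkgver"
    make
}

package() {
    cd "$srcdir/$pkgname-$pkgver"
    make DESTDIR="$pkgdir" install
}
EOF
    echo "$f"
}

write_suspicious_demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
pkgname=example-tool
pkgver=1.0.0
pkgrel=1
arch=('x86_64')
install=example-tool.install
source=("https://example.org/example-tool-$pkgver.tar.gz"
        "http://mirror.example.net/helper.sh"
        "example-tool.install")
sha256sums=('SKIP' 'SKIP' 'SKIP')

build() {
    cd "$srcdir/$pkgname-$pkgver"
    curl -sL https://example.net/extra.tar.gz | tar xz
    make
}

package() {
    cd "$srcdir/$pkgname-$pkgver"
    make DESTDIR="$pkgdir" install
}
EOF
    echo "$f"
}

for f in $(write_clean_demo) $(write_suspicious_demo); do
    echo "== $f"; audit_pkgbuild "$f"; rm -f "$f"
done
```

Run it with `sh audit.sh` to see the clean PKGBUILD produce no findings and the suspicious one produce four (an http source, a SKIP checksum, curl inside build(), and an install script). The findings are prompts to read the PKGBUILD by hand, not a verdict; a package can pass every grep and still be malicious, and a legitimate VCS package will trip the SKIP check.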