aursec - blockchain-based verification of AUR packages
We are pleased to announce the release of aursec, a tool which aims
to improve the security of using the AUR.
We are writing it as part of our Bachelor's thesis.
It provides a secure hash database in a private Ethereum blockchain that
stores hashes for specific package versions.
The hash submitted by the largest number of distinct users becomes the
consensus, which can then be queried and compared against.
The hash is formed from the PKGBUILD, install files and VCS sources,
thereby adding a layer of verification on top of that provided by the
hashes in the PKGBUILD.
The threat model we defend against is targeted attacks against
specific AUR users, e.g. a hostile takeover of an orphan package
followed by a malicious modification that is reverted afterwards and
therefore likely goes unnoticed.
If the target used aursec, they would see that their copy of the package
has a different hash from the one other users reported.
Aursec takes a build folder containing a PKGBUILD and .SRCINFO and does
all the work automatically.
It calls makepkg --verifysrc in a firejail sandbox to download VCS
sources and find out the current version.
$ find ~/aur -type d | aursec
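As an added illustration (not aursec's own code), here is a Python sketch of the two mechanisms described above: a hash over the build directory's PKGBUILD and install files, and a one-vote-per-user consensus lookup against a submission log that stands in for the private Ethereum blockchain. The hash layout, the ledger class and the tie rule are assumptions of this example, not aursec's actual format; VCS source trees are omitted.

```python
import hashlib
import os
from collections import Counter

def read_build_dir(build_dir):
    """Collect a build directory's PKGBUILD and *.install files as {name: bytes}.
    VCS source trees, which aursec also covers, are left out of this example."""
    files = {}
    for name in sorted(os.listdir(build_dir)):
        if name == "PKGBUILD" or name.endswith(".install"):
            with open(os.path.join(build_dir, name), "rb") as f:
                files[name] = f.read()
    return files

def package_hash(files):
    """One SHA-256 over all files. Name and length are bound into the stream so
    that renaming a file or moving bytes between files changes the digest."""
    h = hashlib.sha256()
    for name in sorted(files):
        data = files[name]
        h.update(name.encode() + b"\0" + len(data).to_bytes(8, "big") + data)
    return h.hexdigest()

class HashLedger:
    """Append-only submission log standing in for the private blockchain (assumed)."""
    def __init__(self):
        self.entries = []  # (pkg, version, user, digest)

    def submit(self, pkg, version, user, digest):
        self.entries.append((pkg, version, user, digest))

    def consensus(self, pkg, version):
        """Digest reported by the most distinct users; None if no data or a tie."""
        latest = {}  # one vote per user: a re-submission replaces the earlier one
        for p, v, user, digest in self.entries:
            if (p, v) == (pkg, version):
                latest[user] = digest
        if not latest:
            return None
        ranked = Counter(latest.values()).most_common(2)
        if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
            return None  # split vote: nothing trustworthy to compare against
        return ranked[0][0]

def verify(ledger, pkg, version, local_files):
    """Compare the local build directory's hash with the network consensus."""
    expected = ledger.consensus(pkg, version)
    if expected is None:
        return "no-consensus"
    return "match" if package_hash(local_files) == expected else "MISMATCH"
```

Counting one vote per user is what makes the "most different users" rule meaningful: a single account re-submitting the same tampered hash does not outvote the rest of the network.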
We would greatly appreciate feedback on the threat model, solution, and
the usability of the tool itself.