traur is a security tool that scores AUR packages based on trust signals. However, the binary releases currently distributed via AUR lack the very signals that traur itself would flag as suspicious in other packages.
Current State
Why This Matters
A security tool has a higher trust bar than a regular package. Users must grant traur execution rights before every install transaction.
If the binary cannot be verified against the source, the tool introduces the exact attack surface it is designed to detect.
This is not hypothetical — the xz-utils backdoor (2024) was injected into the release tarballs, not the git source. A local build pipeline offers no protection against this class of attack.
Suggested Fix
Two valid paths forward:
Option 1 — Remove binary releases entirely
- Only publish source. Let users build via `cargo build --release`.
- Many large FOSS projects (Linux kernel, PostgreSQL, Git upstream) follow this model. It is a legitimate and respected choice.
Option 2 — Full transparent release pipeline
- Add `.github/workflows/release.yml` that builds on tag push
- Attach GPG-signed `sha256sums.txt` to every GitHub Release
- Consider SLSA provenance attestation (`slsa-github-generator`)
- Document the release process in CONTRIBUTING.md
GitHub Actions is free for public repositories. Option 2 setup takes under an hour for a Rust project of this size.
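As an added example (not traur's own workflow), the following `release.yml` wires the Option 2 steps together: build on tag push, publish a GPG-signed `sha256sums.txt`, and request SLSA provenance through `slsa-github-generator`. The action version pins, the binary name `traur`, and the secret names `GPG_PRIVATE_KEY` / `GPG_PASSPHRASE` are assumptions to be checked against the real repository.

```yaml
# Added example workflow, not traur's own. Assumes the crate builds a binary
# named "traur" and that GPG_PRIVATE_KEY / GPG_PASSPHRASE secrets exist.
name: release
on:
  push:
    tags: ['v*']

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write          # needed to upload release assets
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
      # --locked refuses to build if Cargo.lock would change, so the
      # dependency set is exactly what is committed in git.
      - run: cargo build --release --locked
      - name: Checksums
        id: hash
        run: |
          mkdir dist && cp target/release/traur dist/
          cd dist && sha256sum traur > sha256sums.txt
          # base64 of the checksum file is the subject list SLSA expects
          echo "hashes=$(base64 -w0 sha256sums.txt)" >> "$GITHUB_OUTPUT"
      - name: Sign checksums (detached, ASCII-armored)
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          echo "$GPG_PRIVATE_KEY" | gpg --batch --import
          gpg --batch --yes --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" \
              --armor --detach-sign dist/sha256sums.txt
      - name: Upload release assets
        env:
          GH_TOKEN: ${{ github.token }}
        # --verify-tag refuses to publish if the tag is not in the repo
        run: gh release create "$GITHUB_REF_NAME" dist/* --verify-tag

  provenance:
    needs: build
    permissions:
      actions: read
      id-token: write
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: ${{ needs.build.outputs.hashes }}
      upload-assets: true
```

A user who has imported the project's public key can then check a download with `gpg --verify sha256sums.txt.asc sha256sums.txt && sha256sum -c sha256sums.txt` before running the binary.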
References