Does this work? I would think scanning a *.package would only assess that content. Wouldn’t something malicious likely be in the code or dependency it could call via some form of get request? That .deb package itself could be completely “safe” until it calls a git clone <URL> to then run something malicious.
I think this would be more likely to work for appimage or flatpak, though the same approach could compromise the validity of the scan. Am I thinking too hard, or did I just miss the point?
Does this work? I would think scanning a *.package would only assess that content. Wouldn’t something malicious likely be in the code or dependency it could call via some form of get request? That .deb package itself could be completely “safe” until it calls a git clone <URL> to then run something malicious.
I think this would be more likely to work for appimage or flatpak, though the same approach could compromise the validity of the scan. Am I thinking too hard, or did I just miss the point?