AUR AI Reviewer

Review Results

Version #502 of ungoogled-chromium · commit 52726762c589 · status Reviewed

Risk 0/5 · Safe .SRCINFO
Result #5

Comment

The only change in this .SRCINFO hunk is a version bump from 150.0.7871.46 to 150.0.7871.100. No sources, checksums, build logic, install scripts, permissions, or package metadata beyond pkgver were altered in the reviewed diff. On its face this is a routine upstream version update with no security red flags in the provided change.

@@ -1,6 +1,6 @@
 pkgbase = ungoogled-chromium
 	pkgdesc = A lightweight approach to removing Google web service dependency
-	pkgver = 150.0.7871.46
+	pkgver = 150.0.7871.100
 	pkgrel = 1
 	url = https://github.com/ungoogled-software/ungoogled-chromium
 	arch = x86_64
Risk 1/5 · Low .SRCINFO
Result #6

Comment

The .SRCINFO change itself is low risk. It updates the package version and adds makedepends needed by the new build flow: python-httplib2, python-pyparsing, python-six, npm, and rsync. I checked the corresponding PKGBUILD and the new dependency on fetch-chromium-release is consistent with the existing prepare() logic, which now fetches Chromium via a helper script and runs update_npm_deps. There is no evidence in this diff of malicious install-time behavior, privilege escalation, or suspicious external sources beyond the expected Chromium/ungoogled-chromium upstream URLs. The main security consideration is that adding npm and a network-fetching helper increases build-time supply-chain exposure, but that is already reflected in the package’s build process and is not inherently malicious in this change.

@@ -19,6 +19,11 @@ pkgbase = ungoogled-chromium
 	makedepends = qt6-base
 	makedepends = rust-bindgen
 	makedepends = rust
+	makedepends = python-httplib2
+	makedepends = python-pyparsing
+	makedepends = python-six
+	makedepends = npm
+	makedepends = rsync
 	depends = alsa-lib
 	depends = at-spi2-core
 	depends = cairo
Risk 0/5 · Safe .SRCINFO
Result #7

Comment

The change updates the package metadata to a newer Chromium release and replaces the direct upstream Chromium tarball URL with a `fetch-chromium-release` source helper plus a matching ungoogled-chromium release archive. The new source is still HTTPS and points to the expected upstream project, with no added install scripts, binaries, or privilege-related metadata in this hunk. I do not see evidence in this diff alone of a supply-chain or persistence issue. Risk is low, though the new helper source should be checked in the actual PKGBUILD for how it fetches artifacts at build time.

@@ -76,13 +81,13 @@ pkgbase = ungoogled-chromium
 	optdepends = qt6-base: Qt support
 	optdepends = org.freedesktop.secrets: password storage backend on GNOME, KDE and Xfce
 	optdepends = upower: Battery Status API support
-	provides = chromium=150.0.7871.46
-	provides = chromedriver=150.0.7871.46
+	provides = chromium=150.0.7871.100
+	provides = chromedriver=150.0.7871.100
 	conflicts = chromium
 	conflicts = chromedriver
 	options = !lto
-	source = https://commondatastorage.googleapis.com/chromium-browser-official/chromium-150.0.7871.46-lite.tar.xz
-	source = ungoogled-chromium-150.0.7871.46-1.tar.gz::https://github.com/ungoogled-software/ungoogled-chromium/archive/150.0.7871.46-1.tar.gz
+	source = fetch-chromium-release
+	source = ungoogled-chromium-150.0.7871.100-1.tar.gz::https://github.com/ungoogled-software/ungoogled-chromium/archive/150.0.7871.100-1.tar.gz
 	source = https://github.com/foutrelis/chromium-launcher/archive/v8/chromium-launcher-8.tar.gz
 	source = chromium-138-nodejs-version-check.patch
 	source = chromium-145-fix-SYS_SECCOMP.patch
Risk 0/5 · Safe .SRCINFO
Result #8

Comment

The change only updates two SHA-256 checksums in .SRCINFO for existing source entries (patch files). There is no evidence in the provided diff of new sources, network fetches, execution, privilege changes, or packaging behavior changes. This appears to be a metadata refresh to match updated patch contents, which is low risk on its own. I did not see any red flags in the hunk itself.

@@ -99,8 +104,8 @@ pkgbase = ungoogled-chromium
 	source = enable-widevine-arm64.patch
 	source = use-oauth2-client-switches-as-default.patch
 	source = glibc-2.42-baud-rate-fix.patch
-	sha256sums = e2654fa7c37ddc20af98f91089ad580e347ca9c526f8de8e625fe1b1cf3d98c6
-	sha256sums = eb5980e266f8b8a7767d9657664e678938d091b5bf36c67c46f6a49d88aba2a5
+	sha256sums = 2e2f36e3cd1ebc4ad57fd310774a5e5e9db77883d5f9374fedeaabd3c103b819
+	sha256sums = 891db0f063c012036a95619c35526881e2d02ef8a3735054ce62cf7a1fd74326
 	sha256sums = 213e50f48b67feb4441078d50b0fd431df34323be15be97c55302d3fdac4483a
 	sha256sums = 11a96ffa21448ec4c63dd5c8d6795a1998d8e5cd5a689d91aea4d2bdd13fb06e
 	sha256sums = 4fc040a0656a0a524dd8ad090cd129fc5b6cb21adcc66be82080165789e8c13e
Risk 0/5 · Safe PKGBUILD
Result #9

Comment

The diff only bumps the package version from 150.0.7871.46 to 150.0.7871.100 and flips _manual_clone from 0 to 1, with the corresponding ungoogled-chromium version variable updated. In the provided hunk there are no new sources, no added build commands, no install-script changes, and no privilege/network/persistence red flags. The _manual_clone flag change may affect how sources are obtained, but that behavior is not visible in this hunk and cannot be judged as malicious from the diff alone. Overall this looks like a routine version/update metadata change with low security risk.

@@ -11,14 +11,14 @@
 # Contributor: Daniel J Griffiths <ghost1227@archlinux.us>
 
 pkgname=ungoogled-chromium
-pkgver=150.0.7871.46
+pkgver=150.0.7871.100
 pkgrel=1
 _launcher_ver=8
-_manual_clone=0
+_manual_clone=1
 _system_clang=1
 # ungoogled chromium variables
 _uc_usr=ungoogled-software
-_uc_ver=150.0.7871.46-1
+_uc_ver=150.0.7871.100-1
 pkgdesc="A lightweight approach to removing Google web service dependency"
 arch=('x86_64')
 url="https://github.com/ungoogled-software/ungoogled-chromium"
Risk 0/5 · Safe PKGBUILD
Result #10

Comment

The change only updates the SHA-256 checksum for one existing source patch in PKGBUILD. I did not see any new source URLs, build-time downloads, privilege changes, install-script changes, or packaging logic changes in the provided hunk. This is a low-risk integrity metadata update, assuming the referenced patch content itself is unchanged and still comes from the same local source list.

@@ -105,7 +105,7 @@ source=(https://commondatastorage.googleapis.com/chromium-browser-official/chrom
         use-oauth2-client-switches-as-default.patch
         glibc-2.42-baud-rate-fix.patch)
 sha256sums=('e2654fa7c37ddc20af98f91089ad580e347ca9c526f8de8e625fe1b1cf3d98c6'
-            'eb5980e266f8b8a7767d9657664e678938d091b5bf36c67c46f6a49d88aba2a5'
+            '891db0f063c012036a95619c35526881e2d02ef8a3735054ce62cf7a1fd74326'
             '213e50f48b67feb4441078d50b0fd431df34323be15be97c55302d3fdac4483a'
             '11a96ffa21448ec4c63dd5c8d6795a1998d8e5cd5a689d91aea4d2bdd13fb06e'
             '4fc040a0656a0a524dd8ad090cd129fc5b6cb21adcc66be82080165789e8c13e'