From d7f5eb1fe5e05b4cf48f40a3b1957d2deb9232b1 Mon Sep 17 00:00:00 2001 From: Stephen Seo Date: Thu, 4 Apr 2024 11:30:19 +0900 Subject: [PATCH] Update README.md Add note about security. --- README.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/README.md b/README.md index f1ab1de..eda7fbc 100644 --- a/README.md +++ b/README.md @@ -17,6 +17,18 @@ define hooks that are run when the package is installed. # Things to know before using the helper +## Security + +Apparently `makechrootpkg` (provided by `devtools` pkg and used by this script) +sources PKGBUILD files directly, meaning that if a malicious PKGBUILD is +attempted to be built, it may cause an RCE kind of exploit with the current +user. Thus, it is recommended to run this script in a container (like Docker or +LXC) so that even if a malicious PKGBUILD is sourced, it will only affect the +container. Though if you do set up a container, you may have to set up a +directory mount to access the built packages. + +## Soft-lock due to multiple possible dependencies + Sometimes if a package prompts a user to select between alternate package dependencies, makechrootpkg will fail to select one by default (it will constantly output "y" to stdin when a selection requires an integer). This
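Review bot: the new "Security" paragraph hedges the core point ("Apparently", "an RCE kind of exploit") where the README should state it plainly, since this is the one fact a user must understand before running the helper: because `makechrootpkg` sources the PKGBUILD, building an untrusted PKGBUILD executes arbitrary shell code as the invoking user. Suggest rewording the first sentence along the lines of "`makechrootpkg` (from the `devtools` package, used by this script) sources PKGBUILD files directly, so building a malicious PKGBUILD executes arbitrary code as the current user." The container advice is sound, but the closing sentence about a directory mount should add that the mount be limited to the built-packages output directory, otherwise a broad host mount undoes the isolation the paragraph is recommending. Minor: "attempted to be built" reads better as "built", and the new "## Soft-lock due to multiple possible dependencies" heading correctly gives the existing paragraph its own section, consistent with the other `##` headings under "# Things to know before using the helper".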