• Flaky@iusearchlinux.fyi
    link
    fedilink
    English
    arrow-up
    5
    ·
    edit-2
    8 months ago

    Agreed. There has been cases of malware sneaking its way into the AUR.

    Now it could be avoided by checking PKGBUILDs and I can trust that the reader is checking those (are you, reader? 🤨). But do you have that trust for every user?

    I prefer Void Linux’s way of handling packages, where it all goes through one ultimately trusted git repo that gets packaged up if the license allows it, otherwise using xbps-src. If it was a bit less DIY compared to Arch I’d be hopping onto it tbh.