That's a pretty bad take, no offence, Mark. Yes, this is the Arch User
Repository, where the user can read the PKGBUILD code, but there shouldn't be
malicious packages there in the first place, which is why it should have
some better rules and regulations to avoid this while still remaining open
and not controlling in nature.

corey

On Fri, 29 May 2026, 2:10 pm Mark Hegreberg, <[email protected]> wrote:

> The expectation of the AUR is that users vet upstream software, and read
> the PKGBUILD, right? If you do this, none of the malicious packages I've
> seen would have affected you.
> I worry building any kind of formal vetting or reputation system for AUR
> packages will look like a de facto endorsement of the packages themselves,
> which I don't think we're trying to do.
>
> Correct me if I'm missing something, but I don't see the value in anything
> past letting your AUR helper show you diffs, which the ones I've used all
> do. Anything else we do raises the barrier for community AUR
> contributions, and won't provide meaningful warranty or security.
> Mark
>