> > From: Corey Bruce <[email protected]>
> > Sent: Friday, May 29, 2026 3:01 AM
> > That's a pretty bad take, no offence, Mark. Yes, this is the Arch user
> > repository where the user can read the PKGBUILD code, but there
> > shouldn't be malicious packages there in the first place, which is why
> > it should have some better rules and regulations to avoid this while
> > still remaining open and not controlling in nature.
> >
> On Fri, 29 May 2026, 2:10 pm Mark Hegreberg, <[email protected]> wrote:
> The expectation of the AUR is that users vet upstream software, and
> read the PKGBUILD, right? If you do this, none of the malicious
> packages I've seen would have affected you.
I agree with Mark. There is, and always has been, a risk in using software from
the AUR. There is a big pink box at the top of the wiki page warning you. It
seems like the current system has been working. Someone sees something
suspicious, it is reported and acted on in a timely manner. If someone wants to
use some AI LLM to screen software downloaded from the AUR, they can
implement that themselves on their own machine. Someone could even write
such a program and submit it to the AUR for others to use if they so desired.
Just my 2 cents, make of it what you will.
Paul