On 5/29/26 1:09 AM, Mark Hegreberg wrote:
The expectation of the AUR is that users vet upstream software, and read the PKGBUILD, right? If you do this, none of the malicious packages I've seen would have affected you. I worry building any kind of formal vetting or reputation system for AUR packages will look like a de facto endorsement of the packages themselves, which I don't think we're trying to do.

I'd say yes and no: for people using the AUR as a vetted app store it wouldn't make any difference, but anyone else can simply miss a diff change if it is buried deep enough. Sure, a change in the source URL or a maintainer change might raise some suspicions, but there are many more ways to hide stuff.

Fermín.
