On Wed, 17 Jun 2026, at 18:58, Shawn Michaels wrote:
> I review all PKGBUILDs upon installation. But I don't expect them to 
> suddenly become malicious (and apparently I should).

Until we, as the AUR community, lift our game in terms of what we require for 
packages to be on the AUR, you're sadly absolutely right.

Arch Linux constantly distances itself from the AUR as being community 
maintained. 

So it's up to us, the contributors and up-until-now-lurkers of this list.

We CAN lift our game. The bar is so low it's barely off the floor.

We can't make the AUR safe, but we can make it safer.

It would likely only take three Package Maintainers to agree that 
http://aur.archlinux.org be updated to include a one liner for initial 
screening.  Or even to mention the issue at all and that we're discussing it, 
and have so far responded by blocking new user accounts.

Then a link to a markdown page (infra already exists), editable by trusted 
users only (wiki can be edited by almost anyone) on what to do on receiving a 
positive detection.

One website change. One markdown page.

Arch Linux won't help us. Not their problem.  We can choose to make the quality 
of contributions OUR problem.

We need to, as a community that cares for the users of what we produce, stand 
behind producing best practice guides and tooling to protect users from 
PKGBUILDs produced by those who don't.

The name of the game is self-organisation.  Artifacts reviewed and signed off 
by PMs - users who are already inherently trusted, served from an 
aur.archlinux.org domain.

No one true way.  But more than zero "AUR official" way(s) that leaders of our 
community say "we vouch for this."

Signing off with care for this list's community, and for the larger, far less 
educated community that uses what will be attributed to us, even though not 
created by us,

-- 
Tom Hale 

Reply via email to