On Wed, 17 Jun 2026, at 18:58, Shawn Michaels wrote: > I review all PKGBUILDs upon installation. But I don't expect them to > suddenly become malicious (and apparently I should).
Until we, as the AUR community, lift our game in terms of what we require for packages to be on the AUR, you're sadly absolutely right. Arch Linux constantly distances itself from the AUR as being community maintained. So it's up to us, the contributors and up-until-now-lurkers of this list. We CAN lift our game. The bar is so low it's barely off the floor. We can't make the AUR safe, but we can make it safer. It would likely only take three Package Maintainers to agree that http://aur.archlinux.org be updated to include a one liner for initial screening. Or even to mention the issue at all and that we're discussing it, and have so far responded by blocking new user accounts. Then a link to a markdown page (infra already exists), editable by trusted users only (wiki can be edited by almost anyone) on what to do on receiving a positive detection. One website change. One markdown page. Arch Linux won't help us. Not their problem. We can choose to make the quality of contributions OUR problem. We need to, as a community that cares for the users of what we produce, stand behind producing best practice guides and tooling to protect users from PKGBUILDs produced by those who don't. The name of the game is self-organisation. Artifacts reviewed and signed off by PMs - users who are already inherently trusted, served from an aur.archlinux.org domain. No one true way. But more than zero "AUR official" way(s) that leaders of our community say "we vouch for this." Signing off with care for this list's community, and for the larger, far less educated community that uses what will be attributed to us, even though not created by us, -- Tom Hale
