• Flaky@iusearchlinux.fyi
      8 months ago

      Agreed. There have been cases of malware sneaking its way into the AUR.

      Now it could be avoided by checking PKGBUILDs and I can trust that the reader is checking those (are you, reader? 🤨). But do you have that trust for every user?

      I prefer Void Linux’s way of handling packages, where it all goes through one ultimately trusted git repo that gets packaged up if the license allows it, otherwise using xbps-src. If it was a bit less DIY compared to Arch I’d be hopping onto it tbh.