Agreed. There have been cases of malware sneaking its way into the AUR.
Now it could be avoided by checking PKGBUILDs and I can trust that the reader is checking those (are you, reader? 🤨). But do you have that trust for every user?
I prefer Void Linux’s way of handling packages, where it all goes through one ultimately trusted git repo that gets packaged up if the license allows it, otherwise using xbps-src. If it was a bit less DIY compared to Arch I’d be hopping onto it tbh.
AUR my beloved
I love the AUR as much as the next guy, but audited, it ain’t.
Mixed bag
The AUR and wiki are the only reasons I use Arch
See Fedora has COPR which is like AUR if it were a version specific dead mall which 50% of the time makes you compile from source anyway lol