• communism@lemmy.ml
    3 hours ago

    It’s just a repository of user-contributed packages. It’s no different malware-ability-wise to, say, GitHub. If you are running code you found from a stranger on the internet then you are liable for it, and you need to do your due diligence in checking that you are not running malware. It is a good thing that the AUR exists because it means Arch user packages are all in one centralised repository instead of scattered across GitHub, SourceForge, Codeberg, Pastebin, forums, whatever. If you are just installing random AUR packages then that’s on you. It’s basic internet safety to not automatically trust random scripts you find on the internet.

    • Sonalder@lemmy.ml
      3 hours ago

      I never said that GitHub was better. I just don’t feel like using a package maintained by a stranger with no ties to either the software I want to install or the distribution packages repository.

      Of course installing random code from a stranger is never great advice regardless of the distribution source. But AUR is simply not for me, and many users don’t understand the risk or let’s say responsibilities it involves while installing packages from that source.