A massive supply chain attack targeting the Arch User Repository (AUR) has compromised more than 400 community-maintained packages, with attackers injecting malicious build scripts designed to deploy credential-stealing malware and rootkit-style payloads on affected Linux systems.
And that’s why it’s fundamentally shit idea on so many levels. Instead of having one person to inspect let’s make every single user expert or not to inspect every package each individually. This is fucking retardation at its finest.
But who would do that? Do you have security expertise and are volunteering to do that?
Exactly. Let’s also not forget it isn’t just a matter of inspecting it once, it would be for EVERY update of the script. It would be a major bottleneck to get updates out for any package. There are comments on the AUR site where people can flag issues, so we do have some crowd sourcing, but I’d still not trust it.
ahahaha such a shit take
The option is to not have it
There IS one person that inspect the code for everyone, that’s the package maintainer. But it’s a random voluntary contribution from some random person who you should not blindly trust. That’s the point of the AUR, one person makes it significantly easier to install for everyone. The point is to be better than installing directly from somewhere like GitHub. For actual good moderation there are officials repos