Comment by tomn

8 years ago

> this is a fundamental problem with the security model of Arch Linux, but that's been known for a very long time

It's exactly the same problem that every other distro has when users compile or install unvetted community packages.

The only way to make unvetted community repositories safe is to have users look at the sources before building or installing. Arch encourages users to do that -- AUR helpers and binary repositories are discouraged, and the source package format is simple enough that an average user could probably spot something like this.