Comment by VladVladikoff

7 days ago

>You have to review the source of every PKGBUILD from the AUR you install, full stop

Believing that even a small fraction of users actually do this is deeply detached from reality.

I use Arch on my dev qemu VM and actually review all changes all the time.

It is not that hard with a small number of PKGBUILDs:

  find ~/.cache/yay -maxdepth 1 -type d
  /home/virt/.cache/yay
  /home/virt/.cache/yay/google-chrome
  /home/virt/.cache/yay/ngrok
  /home/virt/.cache/yay/rancher-k3d-bin
  /home/virt/.cache/yay/simplescreenrecorder
  /home/virt/.cache/yay/ttf-comfortaa
  /home/virt/.cache/yay/cursor-bin
  /home/virt/.cache/yay/yay
  /home/virt/.cache/yay/volta-bin
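The routine described in the comment above (review every change in the helper's cache before building), as an added example that is not part of the thread: a POSIX sh helper that keeps an approved copy of each package's PKGBUILD, .SRCINFO and *.install files and reports only packages that are new or changed since you last approved them. The cache path follows the post (~/.cache/yay); the snapshot directory and the function names are this example's own assumptions.

```shell
# Added example, not from the thread: keep an approved copy of each AUR package's
# build files and report only what is new or changed since you last reviewed it.
# Assumed layout: $CACHE_DIR/<pkg>/PKGBUILD, as in the post's find output.
CACHE_DIR="${CACHE_DIR:-$HOME/.cache/yay}"
REVIEWED_DIR="${REVIEWED_DIR:-$HOME/.local/share/pkgbuild-reviewed}"  # this example's own

# The files that run code at build or install time; these are what to read.
review_files() {                       # $1 = package directory
    for f in "$1"/PKGBUILD "$1"/.SRCINFO "$1"/*.install; do
        if [ -f "$f" ]; then echo "$f"; fi
    done
}

# Print "NEW|CHANGED|OK <pkg>" for every package directory in the cache.
pkgbuild_status() {
    for dir in "$CACHE_DIR"/*/; do
        [ -f "$dir/PKGBUILD" ] || continue
        pkg=$(basename "$dir"); state=OK
        if [ ! -d "$REVIEWED_DIR/$pkg" ]; then
            state=NEW
        else
            for f in $(review_files "$dir"); do
                # cmp also fails when no approved copy exists (a file was added)
                cmp -s "$f" "$REVIEWED_DIR/$pkg/$(basename "$f")" || state=CHANGED
            done
        fi
        echo "$state $pkg"
    done
}
# Show what changed between the approved copy and what is in the cache now.
pkgbuild_diff() {                      # $1 = package name
    for f in $(review_files "$CACHE_DIR/$1"); do
        old="$REVIEWED_DIR/$1/$(basename "$f")"
        [ -f "$old" ] || old=/dev/null   # never reviewed: show the whole file
        diff -u "$old" "$f" || :         # exit 1 from diff only means "differs"
    done
}

# Record the current files as reviewed; run it only after reading the diff.
pkgbuild_approve() {                   # $1 = package name
    mkdir -p "$REVIEWED_DIR/$1"
    for f in $(review_files "$CACHE_DIR/$1"); do cp "$f" "$REVIEWED_DIR/$1/"; done
}
# Gate to run before the helper: prints the diffs and returns 1 if anything is pending.
pkgbuild_review() {
    pending=$(pkgbuild_status | grep -v '^OK ' | cut -d' ' -f2)
    [ -z "$pending" ] && return 0
    for pkg in $pending; do echo "== $pkg needs review =="; pkgbuild_diff "$pkg"; done
    return 1
}
```

Source it and run pkgbuild_review before the helper; gating the build on its exit status means an updated PKGBUILD is not built until someone has read the diff and run pkgbuild_approve.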

And most people don't ever check their car oil.

The point is that the onus is on you to do it, and if you don't then the consequences are yours to bear. Personal responsibility seems to be in short supply these days.

"Review every PKGBUILD" is as realistic as expecting the EULA to be completely read and understood (including the forced arbitration clause) before clicking "I Agree". It also ignores the poor souls using AUR helpers that automatically download and build packages from AUR as they were designed to do for the convenience of Arch/AUR users.

AUR isn't just some download site. It has been actively marketed by Arch for at least the 17 years I've used Arch as its user repository (that's kinda the acronym).

That creates the expectation, rightly or not, that the Arch User Repository provides some degree of protections for Arch Users against the build sources hosted there being compromised.

The AUR is a great resource for Arch and the wider Arch community and it was put together by some really talented folks at a time when the threat environment was completely different. Times have changed, and it's a sad testament for humanity.

AUR will get through this, and be better for the additional guardrails to be put in place, but blaming the victim and CYA never gets you there.

  • > That creates the expectation, rightly or not, that the Arch User Repository provides some degree of protections for Arch Users against the build sources hosted there being compromised.

    The main page of the AUR website says, in bold, "DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk."