Comment by nubinetwork
7 days ago
> People need to get into their heads that the AUR is just a collection of user-produced PKGBUILDs.
While that may be true, is the AUR not moderated or operated by Arch devs? On Gentoo, I can't just push "npm install malware" to 400 packages in guru without someone else's approval.
> You have to review the source of every PKGBUILD from the AUR you install, full stop.
With a semi-official repo, I would expect the people with push access to not upload malicious packages... while it's still possible, and things do happen, completely pointing the finger at Arch users for simply using Arch isn't very helpful.