
Comment by drankinatty

7 days ago

"Review every PKGBUILD" is as realistic as expecting the EULA to be completely read and understood (including the forced arbitration clause) before clicking "I Agree". It also ignores the poor souls using AUR helpers that automatically download and build packages from AUR as they were designed to do for the convenience of Arch/AUR users.

AUR isn't just some download site. It has been actively marketed by Arch, for at least the 17 years I've used Arch, as its user repository (that's kinda the acronym).

That creates the expectation, rightly or not, that the Arch User Repository provides some degree of protections for Arch Users against the build sources hosted there being compromised.

The AUR is a great resource for Arch and the wider Arch community and it was put together by some really talented folks at a time when the threat environment was completely different. Times have changed, and it's a sad testament for humanity.

AUR will get through this, and be better for the additional guardrails that will be put in place, but blaming the victim and CYA never gets you there.

> That creates the expectation, rightly or not, that the Arch User Repository provides some degree of protections for Arch Users against the build sources hosted there being compromised.

The main page of the AUR website says, in bold, "DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk."