Comment by matheusmoreira

1 day ago

Linux distributions are. They all have maintainers who vet packages and take responsibility for them. Arch Linux does too. The inherent untrustworthiness of the AUR was always made explicit by the Arch Wiki and the culture surrounding it, unlike programming language package managers like npm and pip.

Having trusted community members vet packages is a good system, but how much does it really scale?

1. The whole point of the AUR is that the demand for packages outstrips the volunteer effort to provide secure packages.

2. There are about a dozen major package systems for Linux, with a lot of duplicated effort in packaging the same software for slightly different systems in slightly different formats.