RE: Ideas for moderating malicious AUR packages
From: Corey Bruce <cdfrosty@gmail.com>
Sent: Friday, May 29, 2026 3:01 AM

That's a pretty bad take, no offence Mark. Yes, this is the Arch User Repository, where the user can read the PKGBUILD code, but there shouldn't be malicious packages there in the first place, which is why it should have some better rules and regulations to avoid this while still remaining open and not controlling in nature.
On Fri, 29 May 2026, 2:10 pm Mark Hegreberg, <mark@archlinux.org> wrote:
> The expectation of the AUR is that users vet upstream software, and read the PKGBUILD, right? If you do this, none of the malicious packages I've seen would have affected you.
I agree with Mark. There is, and always has been, a risk in using software from the AUR. There is a big pink box at the top of the wiki page warning you. It seems like the current system has been working. Someone sees something suspicious, it is reported and acted on in a timely manner. If someone wants to use some AI LLM to screen software downloaded from the AUR, they can implement that themselves on their own machine. Someone could even write such a program and submit it to the AUR for others to use if they so desired. Just my 2 cents, make of it what you will.

Paul