Hacker News
by michaelmrose 2963 days ago
A pop-up of the PKGBUILD is almost worthless. It would require the user to personally examine, at the very least, the source the PKGBUILD is pulling from and the PKGBUILD script itself, and be able to spot malfeasance, including subtle attempts.

Since doing otherwise is a few clicks away and sufficiently subtle attempts are unlikely to be noticed by even observant parties, this is about as bad as the Windows hunt-down-an-exe model, which has been proven for decades NOT TO WORK.

The AUR isn't filled with malware because Arch is a very small target compared to Windows, full of observant people.

It cannot possibly scale even to the levels Ubuntu aspires to achieve.