by JackCh 2899 days ago
That's a problem with Arch users, not with Arch. It's unfortunately common that fanboys undermine the reputation of reasonable software.

Oh yes, it is a problem with the users, not the software itself, but you don't get to separate the two in the case of an OS or distribution.

> "but you don't get to separate the two in the case of an OS or distribution."

Actually I do get to do that. It's an important distinction because if the software isn't at fault, then a technically competent user can safely use it by merely not being as dumb as the average user. But if the software itself is at fault, then the technically competent user should stay clear of it. Idiots will be idiots no matter the distribution. If it weren't Arch, they might be downloading third-party RPMs or debs from untrusted sources. Would that be reason for a technically competent person to avoid RHEL or Debian? Of course not.

> It's an important distinction because if the software isn't at fault, [...]

Though the software is at fault. It created a false sense of security, misleading the users. What else in Arch just feels secure, but in fact is not?

And then, if the users around the software generally exhibit a jockey attitude, you get the whole environment built in a similar manner, not a robust one. The software may technically not be at fault and technically could be used in a safe manner, but you won't get much exposure to that, any such use will be cumbersome and difficult (because nobody uses it this way), so you still should stay clear of the software. So no, you don't get to separate the users and the OS/distribution.

> Though the software is at fault. It created a false sense of security, misleading the users. What else in Arch just feels secure, but in fact is not?

AUR never tried to pass a false sense of security; it is explicitly declared as not supported everywhere.

> And then, if the users around the software generally exhibit a jockey attitude, you get the whole environment built in a similar manner, not a robust one. The software may technically not be at fault and technically could be used in a safe manner, but you won't get much exposure to that, any such use will be cumbersome and difficult (because nobody uses it this way), so you still should stay clear of the software. So no, you don't get to separate the users and the OS/distribution.

Except it is not; experienced users in the Arch community vocally recommend that new users not blindly trust AUR, and the dangers of AUR are also documented everywhere. This is also one of the reasons that yaourt is shamed in public Arch communities like /r/archlinux, since it defaults to poor security behavior.

> AUR never tried to pass a false sense of security; it is explicitly declared as not supported everywhere.

Funny that I only ever hear of this when talking about security aspects, not when discussing available software. In the latter case I always hear how many things are there in AUR, especially compared to Debian. AUR must have failed miserably in not trying to pass a false sense of security.

> Funny that I only ever hear of this when talking about security aspects, not when discussing available software. In the latter case I always hear how many things are there in AUR, especially compared to Debian. AUR must have failed miserably in not trying to pass a false sense of security.

One argument does not invalidate the other. It is true that tons of software is available in AUR that is not easily available in other distros. It is also true that AUR is not supported.

A similar thing happens with PPAs in Ubuntu or even with Flatpak/Snaps: they bring tons of additional software to the distro, however they're unsupported and can be security nightmares [1].

[1]: Yeah, even when Flatpak/Snaps are properly sandboxed (since some apps are not), they can include software to mine cryptocurrencies, for example.