[mattpallissard]

Arch user here. These things work much nicer than any of the previous alternatives. Sure, kernel signing is a bit of a mess, but that's more of a product of how key-signing at a low-level works than anything. Cryptsetup, cryptenroll, unified kernel images, and systemd-boot worked for me out of box.

[DrillShopper]

They very much did not for me. I beat things into shape with sbctl but it was very much an uphill battle.

idk why Arch seems allergic to packaging shim-signed (it's an AUR, why would I trust such a key component to essentialy a stranger?), but here we are I guess.

[Timber-6539]

The AUR is just a repository of PKGBUILDs. You don't need to trust a stranger to use PKGBUILD.

[udev4096]

you can inspect the PKGBUILD file very easily. it's same as alpine's abuild and various other build file formats from distros. don't just blindly build it