by bee_rider 333 days ago
On one hand, the distro developers can’t really prevent people from, say, hitting their computers with a sledgehammer or something. So to some extent, the users have to be trusted.

But, maybe it would be best not to have “yay” available. Using something like AUR without reading the package build files is… pretty bad, right? And it is bad for the community, because if there is a convention of doing that sort of thing, it makes the AUR a good target for attacking.

2 comments

Yay is a 3rd party package manager. The 1st party package manager does not interact with the AUR.

Yay itself is in the AUR. You have to go out of your way to install it.

The Arch Linux docs on AUR helpers lead with a red warning: https://wiki.archlinux.org/title/AUR_helpers

Oh, I thought it was a package from the repo. (I didn’t use any of those third party package managers, just stuck to manually doing everything when using the AUR, which was fine because I used it sparingly).

No, and these AUR helpers are not even official packages in the official repository.

> But, maybe it would be best not to have “yay” available. Using something like AUR without reading the package build files is… pretty bad, right? And it is bad for the community, because if there is a convention of doing that sort of thing, it makes the AUR a good target for attacking.

I don't remember how yay works, but paru (another AUR package manager) displays the PKGBUILD file before it will install.