Hacker News new | ask | show | jobs
by WhyNotHugo 5 days ago
This is one of the aspects of AUR which never fully convinced me: it purely hosts user-generated content, there's no review process or alike.

I'd really prefer to see a model where a 'community' repository contains user submitted packages which have at least one Trusted User review the package before it's merged in. This doesn't just prevent malware, but also common mistakes in general.
2 comments
kpcyrd 5 days ago
This is essentially what the [extra] repository is. Not using the AUR and sticking to official Arch Linux packages exclusively is a very valid and reasonable choice (that I follow myself actually).

A large number of "an Arch Linux update broke my system" is very likely due to incorrect AUR use that AUR helpers don't handle for you. There's an elaborate writeup here from just 2 months ago: https://lists.archlinux.org/archives/list/arch-dev-public@li...

link
WhyNotHugo 5 days ago
Unless things have changed in recent times, packages in [extra] are maintained by TUs. Random users can't submit packages.
link
carols10cents 5 days ago
How does a user become a Trusted User? Who is paying them to review everything?
link