by gqgs 4 days ago
Regardless of it being just a collection of user-produced PKGBUILDs the community would certainly benefit from a more robust solution to this issue.

Expecting users to manually review every single change, for every single AUR package they are using, every single time they do an update or installation is just unreasonable if you want the AUR to be useful at all for the general user.

2 comments

> Expecting users to manually review every single change, for every single AUR package they are using, every single time they do an update or installation is just unreasonable if you want the AUR to be useful at all for the general user.

How many AUR packages are you assuming people are installing?

Could be one or one thousand. Frankly, the exact number doesn't matter.

I'm assuming people are using the AUR to install programs that are sufficiently complex and the idea one can trivially audit a complex program and all of its dependencies is foolish. The foolishness of that expectation scales with the number of complex programs installed.

The idea that users should "just check the source code every single time" has never been, nor will it ever be, a reasonable solution to supply chain attacks.

> Could be one or one thousand. Frankly, the exact number doesn't matter.

It does. Manually checking a couple of AUR packages is easy. Installing a thousand AUR packages is not something anyone should be doing.

> I'm assuming people are using the AUR to install programs that are sufficiently complex and the idea one can trivially audit a complex program and all of its dependencies is foolish. The foolishness of that expectation scales with the number of complex programs installed.

Nobody is asking them to do that. The premise is that the `PKGBUILD` and auxiliary files provided by the AUR should be checked.

> The idea that users should "just check the source code every single time" has never been, nor will it ever be, a reasonable solution to supply chain attacks.

Again, nobody is asking anyone to do this.

Arch already has a more robust solution to this issue and it's called "core" and "extra". AUR is where you head to when you're ready to manually review every single change, for every single AUR package you are using, every single time you do an update or installation, and that's exactly what it is and was always supposed to be.
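The last comment's position is that an AUR user reviews the `PKGBUILD` and auxiliary files before every build. As an added example, not code from the thread or from Arch, here is a small POSIX shell "review gate" that records SHA-256 digests of those files once a human has read them and refuses later builds until any changed or newly added recipe file is re-read. The function names, the `.reviewed-sha256` record file and the set of file patterns treated as "recipe files" (`PKGBUILD`, `*.install`, `*.patch`, `*.sh`) are my choices; it assumes `sha256sum` and `diff -u` from coreutils and diffutils.

```shell
#!/bin/sh
# Added example (not from the thread): a review gate for an AUR checkout.
# Hypothetical names: recipe_manifest, review_record, review_check, .reviewed-sha256.
# Flow: read PKGBUILD and the auxiliary files once, record their digests, and
# have every later update refused until the changed files have been re-read.

# Print "digest  filename" for every file in the checkout that shapes or runs
# during the build: the PKGBUILD itself, install hooks, patches, helper scripts.
recipe_manifest() {
    dir=$1
    (
        cd "$dir" || exit 1
        for f in PKGBUILD *.install *.patch *.sh; do
            # an unmatched glob stays literal, so skip names that are not real files
            [ -f "$f" ] && sha256sum "$f"
        done
    ) | sort -k2
}

# Store the digests after a manual review of the files they cover.
review_record() {
    recipe_manifest "$1" > "$1/.reviewed-sha256"
    echo "recorded review of $(wc -l < "$1/.reviewed-sha256" | tr -d ' ') recipe file(s) in $1"
}

# Return 0 when the checkout matches the reviewed record, 1 otherwise.
# Because the manifest is regenerated from the directory, a file added since the
# review (a new .install hook, a new patch) shows up as a difference too.
review_check() {
    dir=$1
    record=$dir/.reviewed-sha256
    if [ ! -f "$record" ]; then
        echo "$dir: no review record; read the recipe and run review_record first" >&2
        return 1
    fi
    if recipe_manifest "$dir" | diff -u "$record" - > /dev/null; then
        return 0
    fi
    echo "$dir: recipe changed since it was last reviewed:" >&2
    # '-' lines are the reviewed state, '+' lines the current checkout; a '+'
    # with no matching '-' is a file that did not exist at review time.
    recipe_manifest "$dir" | diff -u "$record" - >&2 || true
    return 1
}

# Usage: sh review-gate.sh record <checkout>   (after reading the files)
#        sh review-gate.sh check  <checkout>   (before running makepkg)
case "${1:-}" in
    record) review_record "$2" ;;
    check)  review_check "$2" ;;
esac
```

The gate only answers "did anything I reviewed change, or was anything added"; it deliberately does not try to judge whether a change is benign, which is the part the comment says remains the user's job. Wiring `review_check` in front of `makepkg` (or an AUR helper's build step) turns the manual policy into something that cannot be skipped by accident.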