by OJFord 4 days ago
`yay` (one such wrapper) shows me the PKGBUILD diff on every update. The first time I install something I verify the URL and check any install script etc.; that seems sensible. The vast majority of subsequent updates are changes to just the version number & checksum. A typosquat attack would be very obvious.

(It's a bit vulnerable to it on first install, but so is 'just navigate to the project website [and click download]'.)
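The review routine described in this comment (a bump that only touches the version and checksum is routine; anything touching the source URL, an install script or a build/package function deserves a look) can be automated as a triage step. The script below is an added example and is not code from yay, paru or the commenter; it parses a constructed pair of PKGBUILD revisions with a deliberately simple parser (top-level assignments, multi-line arrays, functions closed by a `}` at column 0) and reports which fields moved.

```python
"""Triage a PKGBUILD update the way a reviewer would: flag anything beyond a
version/checksum bump.  Hypothetical helper, not part of yay or paru."""
import re
from difflib import unified_diff

# Keys expected to change on a routine bump (version and checksum fields).
ROUTINE_KEYS = {"pkgver", "pkgrel", "md5sums", "sha1sums", "sha256sums",
                "sha512sums", "b2sums"}
# Keys that decide where code comes from and what runs at install time.
SENSITIVE_KEYS = {"source", "url", "install", "depends", "makedepends",
                  "validpgpkeys"}

_ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
_FUNC = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*\(\)\s*\{")


def parse_pkgbuild(text):
    """Return ({var: value}, {func: body}) for a PKGBUILD-like script."""
    variables, functions = {}, {}
    key, buf, depth = None, [], 0      # state while inside a multi-line array
    func, body = None, []              # state while inside a function body
    for raw in text.splitlines():
        line = raw.rstrip()
        if func is not None:           # collect until the closing brace
            if line == "}":
                functions[func] = "\n".join(body).strip()
                func, body = None, []
            else:
                body.append(line)
            continue
        if key is not None:            # continue an open array assignment
            buf.append(line.strip())
            depth += line.count("(") - line.count(")")
            if depth <= 0:
                variables[key] = " ".join(buf)
                key, buf = None, []
            continue
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _FUNC.match(line)
        if m:
            func = m.group(1)
            continue
        m = _ASSIGN.match(line)
        if m:
            value = m.group(2).strip()
            depth = value.count("(") - value.count(")")
            if depth > 0:
                key, buf = m.group(1), [value]
            else:
                variables[m.group(1)] = value
    return variables, functions


def triage_update(old_text, new_text):
    """Compare two revisions; verdict is 'routine' only when nothing but
    version/checksum fields changed, otherwise 'review'."""
    old_vars, old_funcs = parse_pkgbuild(old_text)
    new_vars, new_funcs = parse_pkgbuild(new_text)
    findings = []
    for name in sorted(set(old_vars) | set(new_vars)):
        before, after = old_vars.get(name), new_vars.get(name)
        if before == after:
            continue
        level = ("routine" if name in ROUTINE_KEYS
                 else "sensitive" if name in SENSITIVE_KEYS else "changed")
        findings.append((level, f"{name}: {before!r} -> {after!r}"))
    for name in sorted(set(old_funcs) | set(new_funcs)):
        if old_funcs.get(name) != new_funcs.get(name):
            diff = "\n".join(unified_diff(
                (old_funcs.get(name) or "").splitlines(),
                (new_funcs.get(name) or "").splitlines(),
                f"old {name}()", f"new {name}()", lineterm=""))
            findings.append(("sensitive", f"{name}() body changed:\n{diff}"))
    verdict = "routine" if all(lvl == "routine" for lvl, _ in findings) else "review"
    return verdict, findings


# Constructed sample revisions (not a real AUR package).
OLD = """\
# Maintainer: constructed example
pkgname=example-tool
pkgver=1.2.0
pkgrel=1
url="https://example.org/example-tool"
source=("https://example.org/releases/example-tool-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000001')

build() {
  cd "$pkgname-$pkgver"
  make
}

package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
"""
# A routine bump: only pkgver and the checksum move.
NEW_ROUTINE = (OLD.replace("pkgver=1.2.0", "pkgver=1.2.1")
               .replace("00000001'", "00000002'"))
# Same bump, but the download host changed and an install script appeared.
NEW_SUSPICIOUS = NEW_ROUTINE.replace(
    'source=("https://example.org/releases/',
    'install=example-tool.install\nsource=("https://example-tool.example/releases/')

if __name__ == "__main__":
    for label, new in (("routine", NEW_ROUTINE), ("suspicious", NEW_SUSPICIOUS)):
        verdict, findings = triage_update(OLD, new)
        print(f"{label}: verdict={verdict}")
        for level, msg in findings:
            print(f"  [{level}] {msg}")
```

Running it prints `routine` for the first pair and `review` for the second, with the `source` and `install` changes marked sensitive. The point of the split is the one the comment makes: a version-and-checksum diff can be skimmed, whereas a changed source host, a new `install=` file or an edited `build()`/`package()` body is exactly where a malicious update would have to show up.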

3 comments

But it's one middle man less.

Git repos have been attacked at other times in the past, but a 500/1000-star project still sounds more trustworthy than a user repository managed by randos with a couple of upvotes. I still use the AUR for simple cases, but when I see AUR packages depending on multiple other AUR packages I immediately leave.

And how many others do the same? At least I'm not. Happily I have only a few AUR packages.
I'd recommend that you do – it's not very taxing, and if you only have a few then you won't even be doing it much. I'm not auditing the program code itself (where even available), literally just checking that the AUR package actually installs what it says it does/I expected.
Does it also show each patch involved?
It shows the overall diff since last update, not patch-wise. But it does show any extra patch file, install script, etc. – not just the PKGBUILD – if that's what you meant.
The manager I use (paru) does, I'd be surprised if yay doesn't.
It does, but there's a y/n question of whether you want to see the patch.