by Foxboron
3 days ago
> Could be one or one thousand. Frankly, the exact number doesn't matter.

It does. Manually checking a couple of AUR packages is easy. Installing a thousand AUR packages is not something anyone should be doing.

> I'm assuming people are using the AUR to install programs that are sufficiently complex and the idea one can trivially audit a complex program and all of its dependencies is foolish. The foolishness of that expectation scales with the number of complex programs installed.

Nobody is asking them to do that. The premise is that the `PKGBUILD` and auxiliary files provided by the AUR should be checked.

> The idea that users should "just check the source code every single time" has never been, nor will it ever be, a reasonable solution to supply chain attacks.

Again, nobody is asking anyone to do this.
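The check the comment above refers to, reading the `PKGBUILD` and its auxiliary files rather than auditing the whole upstream program, can be partly mechanised. The script below is an added example, not code from the thread, from the commenter or from Arch's own tooling. It writes a constructed `PKGBUILD` to a temporary file and flags the parts a reviewer should read first: plain-http sources, `SKIP` checksums, downloads piped into a shell, and the presence of an `install=` scriptlet. The package name, URLs and checksum values are invented.

```shell
#!/bin/sh
# Added example: a reviewer's pre-flight over an AUR PKGBUILD.
# It does not replace reading the file; it surfaces the parts that need eyes first.

# Constructed sample PKGBUILD (all names, URLs and sums are invented) so the
# example runs offline. It deliberately contains the patterns a reviewer looks for.
make_sample_pkgbuild() {
  cat <<'EOF'
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
source=("https://example.invalid/example-tool-$pkgver.tar.gz"
        "http://mirror.invalid/helper.sh")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')
install=example-tool.install

build() {
  cd "$pkgname-$pkgver"
  curl -s https://example.invalid/setup.sh | sh
  make
}
EOF
}

# A constructed PKGBUILD with none of those patterns, to show the clean case.
make_clean_pkgbuild() {
  cat <<'EOF'
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
source=("https://example.invalid/example-tool-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')

build() {
  cd "$pkgname-$pkgver"
  make
}
EOF
}

# Print findings on stderr and the number of findings on stdout.
review_pkgbuild() {
  pkgbuild="$1"
  findings=0

  # Plain-http sources can be altered in transit; expect https or a signed tarball.
  if grep -q 'http://' "$pkgbuild"; then
    echo "WARN: plain-http URL in source=()" >&2
    findings=$((findings + 1))
  fi

  # A checksum of SKIP means makepkg performs no integrity check on that artifact.
  if grep -q "'SKIP'" "$pkgbuild"; then
    echo "WARN: checksum set to SKIP; artifact integrity is not verified" >&2
    findings=$((findings + 1))
  fi

  # Piping a download into a shell executes code that no checksum ever covered.
  if grep -Eq '(curl|wget)[^|]*\|[[:space:]]*(sh|bash)' "$pkgbuild"; then
    echo "WARN: build step pipes a download into a shell" >&2
    findings=$((findings + 1))
  fi

  # An install scriptlet runs as root at install time and is one of the
  # auxiliary files that must be read together with the PKGBUILD.
  if grep -q '^install=' "$pkgbuild"; then
    echo "NOTE: install= scriptlet present; read it as well" >&2
    findings=$((findings + 1))
  fi

  echo "$findings"
}

# Stand-alone demonstration over both constructed files.
demo() {
  tmp="$(mktemp)"
  make_sample_pkgbuild > "$tmp"
  echo "sample PKGBUILD: $(review_pkgbuild "$tmp") finding(s)"
  make_clean_pkgbuild > "$tmp"
  echo "clean PKGBUILD: $(review_pkgbuild "$tmp") finding(s)"
  rm -f "$tmp"
}

demo
```

The mechanical part only narrows the reading. The review itself is still reading the `PKGBUILD`, its install scriptlet and any bundled patches, and, for a package that is already installed, diffing the new revision against the one previously reviewed (a `git diff` in the AUR clone) so that only the change needs attention.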