You should make that detailed post on the Arch Linux forum, and educate the veterans over there, not here, as they are the ones that can actually implement your proposed changes (we here on EndeavourOS just follow the upstream). I’m sure they’ll appreciate your thoughtful feedback.
I think your heart and intentions are in the right place, plus I’d agree that the potential vulnerability is obvious.
That doesn’t mean that the AUR itself is vulnerable, as @Kresimir for some reason got that impression from you, nor does it mean that users should just turn off their heads and not check anything themselves anyway; some of us are paranoid enough to check even repo packages.
It’s been discussed there at length and the solutions are very well documented for Arch users. This is EndeavourOS; like I mentioned, I want to help the users here.
I’m just tired of concern trolls who worry about my safety when I’m using the AUR, and want to portray the AUR as some inherently unsafe way of installing software, that’s all.
Exactly. I’m not talking about a vulnerability on the underlying system. I’m talking about the potential for abuse and malware. For example, I installed some packages that had the same application in 4 different packages by 4 different maintainers, with some of the most random usernames.
Trust me, I’m not a concern troll, I’m using my real name in this forum and even a link to my business which has my phone number. I do not want my name to be associated with trolling. If this post is not for you, maybe just move on? And let others who might have something positive to learn or say, do so.
I know a guy who deleted his /etc/shadow file (which is about as wise as what you did in your example). Are you going to conclude from that that Linux is a very unsafe system?
It’s definitely NOT safe to use @keybreak on your system, coz he might do just that.
Still, please stop; it’s getting out of hand and we need to keep well hydrated here.
All innovations start from identifying a problem and proposing crazy ideas to solve it. Let the man try; if he succeeds in making the AUR even 10% safer, we will all benefit.
The issue is there’s no way of ensuring complete trust in the pipeline; whether that’s a package in the main repos or from the AUR. There’s a degree of trust people place in the package maintainer. Adding a reviewer to the process means there’s perhaps a bit more trust but it doesn’t remove the need for one to manually validate their AUR packages.
This seal of approval can’t really assist users who are unable to validate things themselves because if they aren’t sure how to validate themselves they can’t really trust you’re doing a good job in the first place. The only thing I think people really ought to do if they have the time (and the ability) is to scan packages that are updated and report the suspicious ones. This helps keep the AUR as a whole safe.
As I suggested in the post I linked above, when installing packages from the AUR, always upvote the good ones, and flag the bad ones. That makes the AUR better for everyone.
I am my own package reviewer, I don’t want any third-party gatekeepers telling me what software I may or may not use, for my own safety.
Very good. Then this conversation doesn’t apply to you if you’re your own malware scanner and reviewer, and that is totally fine. I’m just not sure why you’re so hostile to suggestions about making something more secure or, at the very least, easier to understand for some people. Or even to having a productive conversation at all. Your tone comes across as very hostile and condescending, especially when all I’m doing is bringing my expertise to help a project that I believe in, the same way I have helped many other open source projects in the past.
The hardest thing about understanding textual messages is interpreting ‘tone’ and ‘intent’. I think some ‘missed connections’ occurred here, and I hope you both will make some allowances - we need you!
I am not quite old enough to have gone to belt and suspenders to hold my pants up (but it may come soon) - but having both in aiding in security and usability concerns is a GOOD thing…
As a developer - the kind of developer which is labelled DevSecOps - that is, I develop - I look for security holes - I implement - all in a snake-bites-tail thing.
It is impossible to secure anything to be 100% bulletproof, simply because the persons with malicious intent are also very educated, object oriented and target practising.
It will be possible to bury malicious intent in otherwise harmless source code.
If you have been digging through malicious script code - document embedded macros - you will find that through loops and hoops and recursive calls you can end up having built C source code which will be compiled when the end user builds the package.
Sooner or later such a thing will be caught, and the Arch User Repository maintainers and seasoned users are quite eager to keep the house clean.
But it is entirely possible to cheat - how long does it take before it is discovered?
I don’t know - just look around - there are loopholes and boot holes and weaknesses everywhere - in this system of things where you cannot trust the average Joe and Jane - there will always be someone who takes advantage of others.
That’s why you always look up the package on aur.archlinux.org and see how old it is, how many upvotes it has, how often it is updated, and whether it recently changed maintainer.
You also scan the PKGBUILD file for any obfuscated code. A good PKGBUILD file contains only simple instructions which should be obvious about what they do to any informed user. And you look at the URLs where the software is pulled from. But in the end, you always trust the software developer, it is not feasible to inspect every line of code running on your computer.
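The checklist in the post above (package age and votes, maintainer change, obfuscated PKGBUILD code, where the sources are pulled from) written out as a small first-pass review script. This is an added example, not tooling from the forum, the AUR or pacman: the suspicious-pattern list, the thresholds and both sample PKGBUILDs are constructed for illustration, while the metadata field names (FirstSubmitted, NumVotes, Maintainer) are those of the AUR RPC "info" result. A clean report only means the cheap red flags are absent; it does not replace reading the PKGBUILD.

```python
"""First-pass heuristic review of an AUR PKGBUILD and its AUR metadata.

Added example; not an AUR or pacman tool. Patterns, thresholds and the two
sample PKGBUILDs are constructed for illustration.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Things a plain PKGBUILD has no business doing (constructed list, extend as needed).
SUSPICIOUS_PATTERNS = {
    "eval of generated text": re.compile(r"\beval\b"),
    "base64 decoding": re.compile(r"\bbase64\s+(-d|--decode)\b"),
    "download piped into a shell": re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z|da)?sh\b"),
    "long hex-escaped string": re.compile(r"(\\x[0-9a-fA-F]{2}){4,}"),
    "write outside $srcdir/$pkgdir": re.compile(r"(>>?|\bcp\b|\binstall\b)[^\n]*\s[\"']?(/etc/|/usr/|~/|\$HOME/)"),
    "privilege escalation": re.compile(r"\bsudo\b|\bsu\s+-"),
    "checksum set to SKIP (fine only for VCS sources)": re.compile(r"sums=\([^)]*SKIP"),
}


def line_of(text, pos):
    return text.count("\n", 0, pos) + 1


def bash_array(text, name):
    """(entry, offset) pairs of a possibly multi-line bash array `name=(...)`."""
    m = re.search(rf"^{name}=\((.*?)\)", text, re.S | re.M)
    if not m:
        return []
    return [(t.group().strip("'\""), m.start(1) + t.start()) for t in re.finditer(r"\S+", m.group(1))]


def check_sources(text):
    """Compare each source= URL against the upstream url= and basic transport hygiene."""
    findings = []
    m = re.search(r"^url=[\"']?([^\"'\n]+)", text, re.M)
    upstream_host = urlparse(m.group(1)).hostname if m else None
    for entry, pos in bash_array(text, "source"):
        target = entry.split("::", 1)[-1]                      # drop optional local-name prefix
        target = re.sub(r"^(git|hg|svn|bzr)\+", "", target)   # git+https://... -> https://...
        if "://" not in target:
            continue                                           # local file shipped with the PKGBUILD
        parsed, line = urlparse(target), line_of(text, pos)
        if parsed.scheme != "https":
            findings.append(("warn", f"source fetched over {parsed.scheme}, not https", line))
        try:
            ipaddress.ip_address(parsed.hostname or "")
            findings.append(("warn", "source host is a raw IP address", line))
        except ValueError:
            pass
        if upstream_host and parsed.hostname != upstream_host:
            findings.append(("info", f"source host {parsed.hostname} differs from url= host {upstream_host}", line))
    return findings


def review_pkgbuild(text):
    """Return (severity, label, line) findings; severity is 'warn' or 'info'."""
    findings = []
    for label, pattern in SUSPICIOUS_PATTERNS.items():
        findings += [("warn", label, line_of(text, m.start())) for m in pattern.finditer(text)]
    findings += check_sources(text)
    return sorted(findings, key=lambda f: f[2])


def review_metadata(info, now, trusted_maintainer=None):
    """Flags from an AUR RPC 'info' result (epoch seconds). Thresholds are made up here."""
    findings = []
    age_days = (now - info["FirstSubmitted"]) / 86400
    if age_days < 30 and info["NumVotes"] < 5:
        findings.append(("warn", f"young package ({age_days:.0f} days) with only {info['NumVotes']} votes"))
    if info.get("Maintainer") is None:
        findings.append(("warn", "orphaned: nobody is responsible for this package"))
    elif trusted_maintainer and info["Maintainer"] != trusted_maintainer:
        findings.append(("warn", f"maintainer changed from {trusted_maintainer} to {info['Maintainer']}"))
    return findings


# Constructed samples: a boring PKGBUILD and one showing the red flags above.
CLEAN_PKGBUILD = """pkgname=hello-example
pkgver=1.2.0
pkgrel=1
url="https://example.org/hello"
source=("https://example.org/hello/hello-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
package() {
  cd "$srcdir/hello-$pkgver"
  install -Dm755 hello "$pkgdir/usr/bin/hello"
}
"""
SUSPICIOUS_PKGBUILD = """pkgname=hello-example
pkgver=1.2.0
pkgrel=3
url="https://example.org/hello"
source=("http://203.0.113.7/hello-$pkgver.tar.gz"
        "helper.sh")
sha256sums=('SKIP' 'SKIP')
prepare() {
  blob='PLACEHOLDER-NOT-A-REAL-PAYLOAD'
  eval "$(printf '%s' "$blob" | base64 -d)"
}
package() {
  install -Dm755 hello "$pkgdir/usr/bin/hello"
  cp helper.sh ~/.config/autostart.sh
}
"""
NOW = 1_700_000_000
SAMPLE_INFO = {"FirstSubmitted": NOW - 10 * 86400, "NumVotes": 1, "Maintainer": "new-user"}  # constructed

if __name__ == "__main__":
    for name, text in (("clean", CLEAN_PKGBUILD), ("suspicious", SUSPICIOUS_PKGBUILD)):
        print(f"== {name} PKGBUILD ==")
        for severity, label, line in review_pkgbuild(text) or [("info", "no findings", 0)]:
            print(f"  [{severity}] line {line}: {label}")
    for severity, label in review_metadata(SAMPLE_INFO, NOW, trusted_maintainer="old-user"):
        print(f"  [{severity}] metadata: {label}")
```

Run it against a real PKGBUILD with `review_pkgbuild(open("PKGBUILD").read())`; the metadata half expects the dict you get back from the AUR RPC info query for the package, and `trusted_maintainer` is whatever name you noted the last time you installed it.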