AUR packages are maintained by members of the community. If a malicious member of the community wanted to inject code into an AUR package, they could. The same is true of any community maintained repo on any distro. However, AUR has an advantage in that you have the ability to see exactly what the package is going to do because the all the instructions are contained in the PKGBUILD and the package.install file.
Take a look at this:
The take away is always look at PKGBUILD and .install file before installing. Thank you.
And the comments on the AUR package web page. Any problems are usually raised there by users.
Note that i am in a hurry to use timeshift now, but what should we do when a package is flagged.
@ yay -Syu
:: Synchronizing package databases...
core is up to date
extra is up to date
community is up to date
multilib is up to date
endeavouros is up to date
:: Starting full system upgrade...
there is nothing to do
:: Searching databases for updates...
:: Searching AUR for updates...
-> Flagged Out Of Date AUR Packages: timeshift-bin
there is nothing to doP.S. btw, why donât you use main repo timeshift instead?
Usually itâs best to avoid AUR packages in favor of main repo, if you can or doesnât need something specific
It already has been reported to the maintainer. That is what that warning means.
Main repo timeshift?
From my understanding, timeshift is ONLY available in the AUR, unless youâre talking about something else and I am therefore a fool.
OoopsâŚsorry, i must have misremembered that from Manjaro days (iâm not timeshift user 
), indeed
Wonder why itâs not in main repo then, pretty used software
it is not in the top 100, but it should be:
Badwolf, a minimalist and privacy-oriented WebKitGTK+ browser.
Try ttf-ms-win10. The PKGBUILD contains the instructions.
Out of interest, why Joplin over Simplenote. I currently use the latter & have never tried the former.
I would say it is wise to check all the files in an AUR package prior to installing. For instance, someone could sneak something into a pacman transaction hook file (or a script called by one), as well as the PKGBUILD or a *.install file.
This is the 2nd post of this thread.
Simplenote data isnât encrypted at rest. Encryption is one of my primary requirements for a note taking application.
I also donât think that Simplenote allows you to control where your data is hosted.
Looks cool, but Iâll have to give it a miss for now. No pre-compiled binaries for aarch64 architecture, and the build fails on aarch64 when selecting to ignore the target architecture in the AUR PKGBUILD.
@dalto
How is popularity of a package decided. I think it is different from number of downloads / hits. The lot of packages in the list are paid ones / binary / free ones with limited feature.
What I really wanted is the top 100 AUR packages people really use / download. I really get a feeling that this list is getting less and less interesting.
It is based on votes. But it also factors in the amount of time the package has been in AUR. In other words, a package which gets 100 votes over a 5 year period is less popular than a package that gets 100 votes in a month.
so i can conclude that we are looking at the correct list that i originally intended to make.
It is probably as close as you can get.