Been saying for years that people need to stop treating the AUR like a repo, when it’s more akin to curl installscript.sh | bash.
Some packages pull files from personal Dropbox…
So, better to use a safe language, and use
(I copied that from https://rust-lang.org/tools/install/ just a second ago…)
cue RuSt Is ThE fUtUrE people.
But it is a repo. It’s just an unofficial one. I don’t know how you use it without understanding this. It’s not far from perfect, but it is useful.
The problem is exactly the fact that it is a repo; it introduces a layer of unknown between the dev and the user. And the user will unavoidably “trust” it (especially when it’s listed amongst official repos in e.g. the graphical version of Pamac), without understanding the risks.
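Added example, not part of any post in this thread: a small Python check that reads a PKGBUILD before it is built and flags sources fetched over plain HTTP, from personal file-sharing hosts, or without a pinned checksum. The sample PKGBUILD, the host list and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed PKGBUILD for illustration; not a real AUR package.
SAMPLE_PKGBUILD = '''\
pkgname=example-tool
pkgver=1.2.0
source=("https://example.org/releases/example-tool-${pkgver}.tar.gz"
        "helper.bin::https://www.dropbox.com/s/PLACEHOLDER/helper.bin?dl=1"
        "http://example.net/patches/fix.patch")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP'
            'SKIP')
'''

# Assumed list of personal file-sharing hosts; extend as needed.
PERSONAL_HOSTS = ("dropbox.com", "drive.google.com", "mega.nz")
VCS_PREFIXES = ("git", "svn", "hg", "bzr")  # VCS sources legitimately use SKIP


def _array(text, name):
    """Return the quoted entries of a bash array assignment like name=(...)."""
    m = re.search(rf"^{name}=\((.*?)\)", text, re.S | re.M)
    return re.findall(r"""["']([^"']*)["']""", m.group(1)) if m else []


def audit(text):
    """Return (source, finding) pairs worth reading before running makepkg."""
    findings = []
    sources = _array(text, "source")
    sums = _array(text, "sha256sums")
    for i, src in enumerate(sources):
        url = src.split("::", 1)[-1]  # drop the optional "filename::" prefix
        parts = urlparse(url)
        host = parts.hostname or ""
        is_vcs = parts.scheme.split("+")[0] in VCS_PREFIXES
        if parts.scheme == "http":
            findings.append((src, "plain HTTP download"))
        if any(host == h or host.endswith("." + h) for h in PERSONAL_HOSTS):
            findings.append((src, "personal file-sharing host"))
        unpinned = i >= len(sums) or sums[i] == "SKIP"
        if parts.scheme and not is_vcs and unpinned:
            findings.append((src, "remote source without checksum"))
    return findings


if __name__ == "__main__":
    for src, why in audit(SAMPLE_PKGBUILD):
        print(f"{why}: {src}")
```

The check only reads the source and sha256sums arrays; the build() and package() functions and any .install file still need to be read by hand.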