copygirl

That makes sense, but what’s the alternative here? Linux is freedom, so that means freedom to run / install anything you want, including malware if you’re not careful. Maybe if you discourage people from using the AUR, they will install it through other means, like a developer-provided Flatpak or AppImage. But if that’s not available or doesn’t work, then it’s nothing (= sad user), or you’re back to “Google, then download an .exe the first thing you can run” or just curl | sh. Is that better? (Assuming we’re still talking about the kind of people who would skip vetting what they install.)

If I learned anything with Steam it’s to never install it as a Flatpak.

I keep hearing this claim online but the Arch bible (which you really should be familiar with if you use Arch) and pretty much everyone that knows anything will tell you that the AUR is useful, but not something to blindly use. I recommend everyone check the PKGBUILD, verify the source URLs are correct, and check the diffs when updating. It’s not that much effort.

And since it comes from a single (user) package repository, you’ll probably have hundreds of people doing the same, or even going a step or two further and looking into the code, reporting the package if anything bad is going on. Still miles better than downloading .exe files you find from a Google search, even if you were lazy and didn’t do the aforementioned checks. (But if you don’t do that, you should probably just use Flatpaks or similar.)