Arch User Repository, also known as AUR, is a major part of the Arch Linux ecosystem. It’s a community-driven repository for the Arch Linux system that hosts a number of packages outside the official Arch Linux package database.
AUR packages are distributed in the form of PKGBUILDs, and an AUR helper is typically used to automate the build process.
The AUR is community driven, and anybody can upload a PKGBUILD for an app they like. The problem is that we cannot trust everybody in the community; not everyone has good intentions, and there have been several incidents where malicious users uploaded malicious packages to the AUR.
AUR helpers make this problem even worse: they make users lazy by letting them install packages from the AUR with a single command, and many users never look at the package build script.
I would recommend everyone here to read the PKGBUILD, confirm it is not malicious, and only then install it on your system via yay or makepkg. You can usually view PKGBUILD scripts on the AUR website itself.
Developers out there should also check before installing dependencies from the internet, because those are community driven too. In that case the package itself is not malicious, but it could run malicious post-install scripts and hijack your device or exfiltrate sensitive information. For details I'm leaving an interesting blog post about it: Dependency Confusion
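Reading the PKGBUILD by hand is the recommendation above, and the post-install point matters because the `install=` hook is a second file, run as root by pacman, that is easy to overlook. The script below is an added example (it is not part of this post and not an Arch or AUR tool): a small POSIX shell review aid that pulls out the parts of a PKGBUILD a reviewer should read first, namely sources fetched without TLS, 'SKIP' checksums, downloads or pipe-to-shell inside build functions, base64/eval constructs, a declared install hook and its functions, and paths written outside $pkgdir. The sample PKGBUILD and .install file it writes are constructed for the demo (the package name `example-tool` and the host `example.invalid` are made up), not a real AUR package.

```shell
#!/bin/sh
# audit_pkgbuild.sh: a pre-install review aid for AUR PKGBUILDs.
# Added example, not part of the original post. It never decides that a
# package is safe; it points at the lines a human should read before
# running makepkg or an AUR helper. It only reads files: nothing is
# downloaded, built or installed.

# Print the source=( ... ) array; PKGBUILD arrays may span several lines.
source_block() {
    awk '/^source(_[a-z0-9_]+)?=\(/ {p=1} p {print} p && /\)/ {p=0}' "$1"
}

# One finding per line on stdout.
pkgbuild_findings() {
    pkgbuild="$1"
    dir=$(dirname "$pkgbuild")

    # 1. Sources fetched without TLS (http, ftp, git://, git+http): the
    #    archive can be swapped in transit, so the checksums carry all the trust.
    source_block "$pkgbuild" | grep -oE '[a-z+]+://[^"'"'"' )]+' \
        | grep -vE '^([a-z]+\+)?https://' \
        | sed 's/^/insecure transport: /'

    # 2. 'SKIP' checksums: makepkg will not verify that source at all.
    skips=$(grep -c "'SKIP'" "$pkgbuild" || true)
    [ "$skips" -gt 0 ] && echo "unverified checksum (SKIP): $skips entries"

    # 3. Downloads inside build()/package() bypass source= and its checksums.
    grep -nE '(^|[^[:alnum:]_])(curl|wget)([^[:alnum:]_]|$)' "$pkgbuild" \
        | sed 's/^/build-time download: line /'

    # 4. Piping a download into a shell, and decode/eval constructs that
    #    hide what actually runs.
    grep -nE '\|[[:space:]]*(sh|bash|zsh)([[:space:]]|$)' "$pkgbuild" \
        | sed 's/^/pipe to shell: line /'
    grep -nE 'base64[[:space:]]+(-d|--decode)|(^|[[:space:];&|])eval[[:space:]]' "$pkgbuild" \
        | sed 's/^/obfuscated execution: line /'

    # 5. An install= hook runs as root when pacman installs the package;
    #    it is a second file to read, so list its functions too.
    hook=$(sed -n 's/^install=//p' "$pkgbuild")
    if [ -n "$hook" ]; then
        echo "install hook declared: $hook"
        [ -f "$dir/$hook" ] && grep -nE '^(pre|post)_(install|upgrade|remove)' "$dir/$hook" \
            | sed "s/^/  hook function in $hook: line /"
    fi

    # 6. Paths written outside $pkgdir: package() must only fill the staging
    #    directory, never the live system. Comments are skipped.
    grep -nE '(^|[[:space:]"'"'"'])(/usr/|/etc/|/home/|/root/)' "$pkgbuild" \
        | grep -v 'pkgdir' | grep -vE '^[0-9]+:[[:space:]]*#' \
        | sed 's/^/path outside $pkgdir: line /'
    return 0
}

# Number of findings (0 when nothing was flagged).
pkgbuild_finding_count() {
    pkgbuild_findings "$1" | grep -c . || true
}

# Write a constructed sample (NOT a real AUR package) into DIR for the demo.
write_sample_pkgbuild() {
    cat > "$1/PKGBUILD" <<'EOF'
# Maintainer: constructed sample, not a real AUR package
pkgname=example-tool
pkgver=1.0.0
pkgrel=1
pkgdesc="Constructed sample for the review script"
arch=('x86_64')
url="https://example.invalid/example-tool"
license=('MIT')
install=example-tool.install
source=("http://example.invalid/example-tool-$pkgver.tar.gz"
        "git+https://example.invalid/example-tool.git")
sha256sums=('SKIP'
            'SKIP')

build() {
    cd "$srcdir/example-tool-$pkgver"
    curl -s https://example.invalid/setup.sh | sh
    echo "aGVsbG8=" | base64 -d > helper
    make
}

package() {
    cd "$srcdir/example-tool-$pkgver"
    install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"
    cp helper /usr/local/bin/helper
}
EOF
    cat > "$1/example-tool.install" <<'EOF'
post_install() {
    # a hook like this runs as root at pacman install time
    echo "post-install hook"
}
EOF
}

# With a PKGBUILD path as argument, audit it; with no argument, run the
# offline demo on the constructed sample.
if [ $# -gt 0 ]; then
    pkgbuild_findings "$1"
else
    demo_dir=$(mktemp -d)
    write_sample_pkgbuild "$demo_dir"
    echo "Review points for $demo_dir/PKGBUILD:"
    pkgbuild_findings "$demo_dir/PKGBUILD"
    echo "findings: $(pkgbuild_finding_count "$demo_dir/PKGBUILD")"
    rm -rf "$demo_dir"
fi
```

After cloning a package, run `sh audit_pkgbuild.sh path/to/PKGBUILD`; each finding is a line to go and read, not a verdict, and zero findings means only that nothing obvious was matched by these heuristics (a VCS package legitimately uses 'SKIP', for instance), so the full PKGBUILD and any .install file still need to be read before makepkg or yay is run.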
Places like the Play Store, App Store, the default repositories of the various Linux distributions, and the official websites of those packages are different: they are verified and tested, so you don't need to worry about them at all.
I would like to know: how many of you check scripts before you install packages from the internet?
If you like this kind of content, drop a like; it will encourage me to write more.