AUR

>AUR
So they basically just trust that users will not upload malicious/broken packages?
Is anyone auditing this shit or it's "whoever downloads first and fucks up his machine so he reports it in the comments" method?

You can review/edit PKGBUILD before installing, can't you? Also users can leave feedback.
So yeah, if you're stupid you can install something malicious from AUR.

Yeah but what about the first guy who downloads it? He is basically going blind unless he actually reviews the source (never happens).

You don't need to review the source code, just the PKGBUILD. If people don't do it then they got no one but themselves to blame, just the same as people who download things and install them without verifying the signature.

I see. Thanks user

Yes, Arch Linux is the Iraqi bazaar of Linux distributions.

Checking the PKGBUILD isn't helpful if there is malicious code in the source code.

This is fundamentally no different than Ubuntu PPAs.

lel

Yes you can get infected with AIDS but you don't fuck around with the first whore you see, at least one checks the source of the code. If it's from the dev and the repo is a trusted one you're fine.
Also this is not a Windows, iOS or Android community, people don't post code to make profit they post it because no one loves them.

>whoever downloads first and fucks up his machine so he reports it in the comments

This is essentially correct. The solution to avoiding this is having a loserbase full of apologists who don't understand the value of time, so they see no problem with reporting problems this way, and see absolutely no problem with spending hours reading mailing lists. It's really not a package manager, at all, except in this case the reason why it works out is because it happens to satisfy their autism.

If the work you are doing requires auditing every piece of code you run, Arch isn't meant for you.

"isn't meant for you" is fancy re-phrasing for "I'm better than you"

No.
It means you're a different kind of user, you dunce.

Infosec people and developers don't have the same needs.

>if you replace what you said by something else it's suddenly made out of straw

I mean this isn't inherently any more dangerous than the situation in Windows, except the AUR provides a nice single source of authority for calling bullshit.

You pull some shit in the AUR, literally everyone who it matters to is gonna know about it.

Arch isn't meant to work on. It's for no-life weebs.

Non-NEETs use Debian, Ubuntu, RHEL, SUSE or *BSD.

You're full of shit, user.
I use it at work and at home, it's only bad if you need hardened security or guaranteed stability.

>it's only bad if you need hardened security or guaranteed stability

People only choose GNU/Linux or *BSD because they need hardened security and/or stability. Those that don't care use Windows or OSX.

Yes, you can edit documents using LibreOffice in Arch. Yes, you can *technically* maintain a server using Arch; but no one with two brain cells would risk their paycheck or their data by using Arch in an important environment.

Arch is a hobbyist OS. It is purposely made to be harder to use than other distros and doesn't give two flying fucks about stability.

I recall there being a rating system with each package, so you will have a better idea of what you plan to install from AUR.

How important is "important"? I believe ordinary programmers can use Arch without any risk.

I've used Manjaro for over a year now, never had an issue with anything ever and I mean ever, and I even use the "buggy" KDE that never had any crash or problems either, dunno if it counts as Arch tho...

>people don't post code to make profit they post it because no one loves them.
I always wondered why there was so much good open source software.

To anyone desiring hardened security and being actually serious about it, small and unknown packages in the AUR and, let's say, the official Debian repositories should be about equally trustworthy.

I run 2 production servers on Arch. Talking dual socket, 64GB RAM, RAID10 of 8TB Helium drives, serving 10,000 users.

No issues and currently 247 days uptime (and that was scheduled downtime to go from RAID 1 to 10).