Yes, the AUR is user-provided content. Yes, system administrators are responsible for being aware of what they’re installing. You can find many comments from me on this page discussing that.
An attacker being detected using an official service hosted by Archlinux for user-managed packages to push malware is still noteworthy.
I guess we have very different takes on this; I wouldn't expect Slack or WhatsApp to publish security advisories if one of their users used them to spread malware among a tiny cohort of other users, which is about the right level of responsibility Arch places on itself (and it's very clear about this) w.r.t. the AUR.
I think you're correct. I see a fundamental difference between services like Slack and WhatsApp, which provide messaging services, and hosted platforms like the AUR, where content is submitted and then republished on a site administered by the project.