The question here is why the f’ didn’t they shut down the AUR package takeover procedure? It makes no sense in the face of an attack of such a large scale.
It’s the USER repositories. If you go, right now, to aur.archlinux.org, the very first section on the page after the header says:
DISCLAIMER: AUR packages are user produced content. Any use of the provided files is at your own risk.
That’s always been there and every official messaging I’ve ever seen about the AUR has conformed. Read the changelogs because everything in the AUR is just a shell script some stranger wrote.
Why should they? AUR is still working as intended. It’s basically a public wiki of shell scripts, it was never intended to be secure in the first place. It has always been the user’s responsibility to review everything or avoid using it.