That makes sense, but what’s the alternative here? Linux is freedom, so that means freedom to run / install anything you want, including malware if you’re not careful. Maybe if you discourage people from using the AUR, they will install it through other means, like a developer-provided Flatpak or AppImage. But if that’s not available or doesn’t work, then it’s nothing (= sad user), or you’re back to “Google, then download an .exe the first thing you can run” or just curl | sh. Is that better? (Assuming we’re still talking about the kind of people who would skip vetting what they install.)
I mean, yeah that would be my solution. I get that the AUR is attractive, precisely because it has a low barrier for anyone to submit their PKGBUILD. The level of oversight and verification is just a bit too low to recommend it to an average user without a lot of caution. You’ve mentioned some alternatives that fall on different points along the spectrum of delivering software. Something like Flatpak is a much more reliable tool in the hands of someone who just wants a GUI app and doesn’t want to think about how it gets to their desktop. For everything else that isn’t part of your distro’s repositories, there’s really not a good noob-friendly solution that doesn’t carry a big potential risk. Most distros have third-party repositories that use the same underlying tools to deliver software, but are less strict about QA and stuff. This is kind of a bad fit for rolling release distros in my opinion and is probably one of the reasons the AUR is so hands-off and DIY oriented.
There’s probably a better way to handle this, but I don’t think it’s an easy thing to solve (especially for the rolling release model) and the AUR isn’t really appropriate for mass-consumption by average users. Also, there will always be a certain point beyond which you’re on your own, it’s just not feasible to have reliable, safe, distro-agnostic packaging for every piece of software out there.
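As an added example that is not code from this thread, from the AUR or from makepkg: a small shell script that scans a PKGBUILD for the patterns someone vetting an AUR package should read by hand before building. The two PKGBUILDs, the package name example-tool, the URLs and the checksum are all constructed for the example; the red-flag categories (SKIP checksums, plain-http sources, a remote script piped to a shell inside a build function, sudo or absolute system paths) are my own choice of checks, not an official makepkg feature.

```bash
#!/usr/bin/env bash
# Added example: a pre-build red-flag scan for an AUR PKGBUILD.
# It does not decide that a package is safe; it only points at the lines a
# human should read before running makepkg.

# Constructed PKGBUILD with several red flags (hypothetical package, made-up
# URLs and checksum; not a real AUR entry).
BAD_PKGBUILD='pkgname=example-tool-bin
pkgver=1.2.3
pkgrel=1
arch=("x86_64")
source=("https://example.com/example-tool-1.2.3.tar.gz"
        "http://mirror.example.net/helper.sh")
sha256sums=("SKIP"
            "3f786850e387550fdab836ed7e6dc881de23001b3c4d7a9e2e1b1a5f1f2e3d4c")
package() {
  curl -s https://example.com/install.sh | sh
  install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"
}'

# Constructed PKGBUILD of the same package done properly: pinned checksum,
# https source, everything installed under $pkgdir.
OK_PKGBUILD='pkgname=example-tool
pkgver=1.2.3
pkgrel=1
arch=("x86_64")
source=("https://example.com/example-tool-1.2.3.tar.gz")
sha256sums=("3f786850e387550fdab836ed7e6dc881de23001b3c4d7a9e2e1b1a5f1f2e3d4c")
package() {
  cd "example-tool-$pkgver"
  install -Dm755 example-tool "$pkgdir/usr/bin/example-tool"
}'

# write_sample CONTENT -> prints the path of a temp file holding CONTENT
write_sample() {
  local f
  f=$(mktemp)
  printf '%s\n' "$1" > "$f"
  echo "$f"
}

# audit_pkgbuild FILE: print one line per red flag found in FILE.
audit_pkgbuild() {
  local file n_skip
  file=$1

  # 1. Integrity: SKIP means makepkg will not verify that source at all, so
  #    whoever controls the URL controls what gets built.
  n_skip=$(grep -ow SKIP "$file" | grep -c . || true)
  if [ "$n_skip" -gt 0 ]; then
    echo "integrity: $n_skip checksum(s) set to SKIP"
  fi

  # 2. Transport: plain-http sources can be swapped on the wire; together
  #    with SKIP there is no protection left.
  grep -Eo 'http://[^[:space:]")]+' "$file" | while IFS= read -r url; do
    echo "transport: plaintext source $url"
  done

  # 3. Execution: fetching a script in build()/package() and piping it to a
  #    shell bypasses source=() and the checksums entirely.
  grep -En '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba|da|z)?sh([[:space:]]|$)' "$file" \
    | while IFS= read -r hit; do
    echo "exec: remote script piped to a shell at line ${hit%%:*}"
  done

  # 4. Scope: a PKGBUILD should only touch $srcdir/$pkgdir; sudo or absolute
  #    system paths mean it acts on the build host, not on the package.
  grep -En '(^|[[:space:];&|])sudo[[:space:]]|[[:space:]"]/(usr|etc|opt|var|boot)/' "$file" \
    | while IFS= read -r hit; do
    echo "scope: host-level action at line ${hit%%:*}"
  done
  return 0
}

# audit_count FILE -> number of findings (0 when the scan is clean)
audit_count() {
  audit_pkgbuild "$1" | grep -c . || true
}

BAD_FILE=$(write_sample "$BAD_PKGBUILD")
OK_FILE=$(write_sample "$OK_PKGBUILD")
trap 'rm -f "$BAD_FILE" "$OK_FILE"' EXIT

echo "== red-flag scan of the bad PKGBUILD ($(audit_count "$BAD_FILE") finding(s))"
audit_pkgbuild "$BAD_FILE"
echo "== red-flag scan of the clean PKGBUILD ($(audit_count "$OK_FILE") finding(s))"
```

For a real package the usual routine is to `git clone https://aur.archlinux.org/<pkgname>.git`, run a scan like this on the PKGBUILD, use `git log -p PKGBUILD` to read what changed since the version you last built, and then actually read build() and package() yourself; `makepkg --verifysource` fetches and checks the sources without building. A clean scan is not a verdict, it is the point where the manual reading starts.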