Re: Proposal about AUR affairs




Hello,

> A Stopover could be an unofficial repo made from auto-build AUR
> packages:
> https://wiki.archlinux.org/title/unofficial_user_repositories#chaotic-aur
> 
> This also helps to avoid packaging binaries vs build from source code
> a little bit.

This should not be recommended, especially with past controversies over
it.

You do not know what you are pulling from chaotic AUR, and they do not
have the same sort of review and trust; it's a few developers which
maintain it.

I can't even find out any documentation on how it functions, which
means it's a black box where you pull packages which they say could be
modified, so how do you know what you are pulling?

Arch has a web of trust for a reason, and adding unofficial
repositories, although convenient, opens you up to potential security
issues, or the pulling of malicious packages.

This is why reproducible builds are such a big deal, but widespread
support for this is not yet achieved, there are still packages which
have bad repro.

There is the argument you never truly can trust anyone, but I trust a
web of trust of 50+ developers more than 3-4, especially how you can
look through the entire Arch infrastructure quite easily.

But again, just my opinion, I have heard of many people who use chaotic
AUR and they said it was completely fine, but personally, I wouldn't
trust it.

Take care,
-- 
Polarian
GPG signature: 0770E5312238C760
Website: https://polarian.dev
JID/XMPP: polarian@xxxxxxxxxxxx

Attachment: pgpKVc6s9wE9p.pgp
Description: OpenPGP digital signature
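The post's concern is that adding an unofficial repository sidesteps the keyring-based web of trust that official Arch packages go through. The script below is an added example (not part of the mailing-list thread or of any Arch tooling): it parses a pacman.conf and reports repositories that are not among the default official ones, and any whose effective SigLevel disables or weakens signature verification. The sample configuration, including the repository name `example-unofficial` and its server URL, is constructed for the example; the SigLevel tokens themselves (`Never`, `Optional`, `TrustAll` and their `Package`-prefixed forms) are pacman's own.

```python
"""Audit a pacman.conf for repositories that weaken package-signature trust.

Added example, not code from the post. pacman's SigLevel directive decides
whether packages and databases must be signed and by which keys; a repository
configured with ``SigLevel = Never`` or ``TrustAll`` bypasses the keyring-based
web of trust that official repositories rely on.
"""
import re
from typing import Dict, List

# Repositories present in Arch's default pacman.conf (assumption: the
# stock list at the time of writing; adjust for your own installation).
OFFICIAL_REPOS = {
    "core", "extra", "multilib",
    "core-testing", "extra-testing", "multilib-testing",
}

# SigLevel tokens that remove or weaken signature checking for packages.
WEAK_TOKENS = {
    "Never", "Optional", "TrustAll",
    "PackageNever", "PackageOptional", "PackageTrustAll",
}

# pacman's documented default when no SigLevel is given at all.
DEFAULT_SIGLEVEL = "Required DatabaseOptional"

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KEY_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")


def parse_pacman_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the INI-like pacman.conf into {section: {key: value}}.

    '#' comments are stripped, blank lines skipped, and sections are kept in
    file order (the order pacman consults repositories in).
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    return sections


def effective_siglevel(conf: Dict[str, Dict[str, str]], repo: str) -> str:
    """A repository's own SigLevel wins, else the [options] one, else the default."""
    global_level = conf.get("options", {}).get("SigLevel", DEFAULT_SIGLEVEL)
    return conf.get(repo, {}).get("SigLevel", global_level)


def audit(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings for unofficial or weakly-verified repositories."""
    findings: List[str] = []
    for name in conf:
        if name == "options":
            continue
        if name not in OFFICIAL_REPOS:
            findings.append(f"{name}: unofficial repository (not in default pacman.conf)")
        weak = sorted(set(effective_siglevel(conf, name).split()) & WEAK_TOKENS)
        if weak:
            findings.append(f"{name}: SigLevel weakens signature checks: {' '.join(weak)}")
    return findings


# Constructed sample configuration; the unofficial repository and its server
# are hypothetical placeholders, not a real repository.
SAMPLE_CONF = """
[options]
HoldPkg = pacman glibc
SigLevel = Required DatabaseOptional

[core]
Include = /etc/pacman.d/mirrorlist

[extra]
Include = /etc/pacman.d/mirrorlist

[example-unofficial]   # constructed, hypothetical repository name
SigLevel = Never
Server = https://example.invalid/$arch
"""


if __name__ == "__main__":
    # Point this at /etc/pacman.conf on a real system to audit it.
    for finding in audit(parse_pacman_conf(SAMPLE_CONF)):
        print(finding)
```

Run against a real `/etc/pacman.conf` by reading the file instead of `SAMPLE_CONF`; an empty findings list means every configured repository is an official one and none of them lowers the signature requirement below the `[options]` default.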

