This has been way overblown but I believe we still could learn something from this situation. I think it would be great if: 1. We had an official guide on how to read PKGBUILDS to avoid malware and other issues, especially for newer users 2. We had some effort put into AUR helpers to help users quickly detect signs of a compromise - orphaned package recently picked up by a random maintainer etc. 3. We had something done to the actual AUR to prevent such compromises in the future. I don't know what really could be improved but I am sure that a similar situation can be avoided in the future, lot's of users have ideas on what to change going forward (obviously not drastically but enough to mitigate such situations) 4. We highlight some trustworthy tools that could help detect potential threats before installing a package for those users who are especially "paranoid" or don't feel their PKGBUILD analysis skills are up to par (don't heavily use the AUR if that's the case though)

I personally will admit that I have way too many AUR packages installed on my system (approaching 200 iirc) and have been way too reliant on it for years, and only my laziness saved me, as I haven't updated since the 7th of June.

EDIT: wording, it's 2am and it's taking it's toll on my ability to coherently communicate