Linux

I agree about the risks in terms of the way some sources present the AUR as just extra packages. But I don't think you can object to the AUR more than any other place on the internet where anyone can upload software; unfortunately, the onus is going to be on the user to verify what they install. The AUR is moderated by volunteers and it wouldn't be fair to expect them to vet all of the high volume of commits to the AUR. Possibly they could vet new maintainers or new packages or newly adopted packages, but nothing would stop someone from initially uploading a genuine package and then replacing it with something malicious. Or they could require identity verification to be an AUR maintainer but then far fewer genuine packages would be on there because people don't want to give their real identity to contribute (I maintain some AUR packages, and would stop if required to verify my IRL identity).

I can totally understand if the AUR is not for you; it's more time-consuming as you have to read PKGBUILDs (I always do). But that doesn't make it bad that it exists at all. I think there should be more warnings about it for new users, and possibly some more moderation, though like I said above there's no perfect moderation solution that would simultaneously forgo users' responsibility to check and keep the AUR as large as it is today. Ultimately the option should still exist for users who want it. If it didn't exist, I'd have to hand-package every program that's not in the official repos, and that's even more time-consuming than pulling and reading through a PKGBUILD that someone else already wrote and shared.

I never said that GitHub was better.

It is arguably harder to take over a package from github or Codeberg.

You could also serve your PKGBUILD from a Gemini server (the Gemini small-web protocol, not the Google AI which is really easy to administer and secure), and sign it with a PGP key. That would be about as secure without depending on a huge US American company.