People wanting to use an AUR helper, you're better off using aurutils on aurto than yay or paru. Aurto, even with auto-update, already removes packages when the maintainer changes, because aurto's trust model was always to check the maintainer first and not the package itself.
https://github.com/alexheretic/aurto
Edit: Sorry, I realize my rambling didn't answer your question. My suggestion is not to use aura. I do not see anything on their repo about their trust model, or whether they just do it like yay/paru. This is also why I recommend aurto and not aurutils: people would just skip the diff with aurutils.
The thing is, aurto is not the helper. The helper is aurutils. aurto is just the local repo manager that adds a timer to auto-update and some QoL features. But to add packages to that local repo, you need to add the maintainer to the trust list. That means the current attack of adopting orphaned/unmaintained packages is moot. A maintainer change means the packages are kicked out and no longer tracked by aurto. You can still re-add them after you've confirmed that they're safe.
That being said, aurto does have an issue. It trusts the PKGBUILD of the author/maintainer, so if the maintainer got hacked or went rogue, it will not protect you. Same as with every other package manager in that case.
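As an added illustration of the maintainer-first model discussed in this thread (example code written for this page, not aurto's or aurutils' own implementation, and not a claim about their internals): the script below takes an AUR RPC v5 `info`-style response and a trust list, and decides which tracked packages stay in a local repo. The RPC field names (`Name`, `PackageBase`, `Maintainer`, `LastModified`) are the real ones; the response itself is constructed inline, and the package names and maintainers are invented. It also makes the caveat from the reply concrete: a trusted maintainer's package is kept without the PKGBUILD ever being looked at.

```python
import json
from typing import List, NamedTuple, Optional, Set

# Constructed AUR RPC v5 "info" response for hypothetical packages.
# Field names match the real RPC; packages and people are made up.
# Maintainer is null when a package is orphaned, which is exactly the
# state the adopt-an-orphan attack exploits.
SAMPLE_RPC_RESPONSE = json.dumps({
    "version": 5,
    "type": "multiinfo",
    "resultcount": 3,
    "results": [
        {"Name": "example-tool", "PackageBase": "example-tool",
         "Maintainer": "alice", "LastModified": 1700000000},
        {"Name": "example-lib", "PackageBase": "example-lib",
         "Maintainer": "mallory", "LastModified": 1700100000},
        {"Name": "example-orphan", "PackageBase": "example-orphan",
         "Maintainer": None, "LastModified": 1600000000},
    ],
})


class Decision(NamedTuple):
    package: str
    maintainer: Optional[str]
    keep: bool
    reason: str


def check_trust(rpc_json: str, tracked: List[str], trusted: Set[str]) -> List[Decision]:
    """Decide, per tracked package, whether it stays in the local repo.

    Rule (the maintainer-first model from the thread): a package is kept only
    while its *current* AUR maintainer is on the trust list. Anything else
    (adopted by a stranger, orphaned, or gone from the AUR) is dropped until
    a human re-checks it and re-adds it.

    Limitation, also from the thread: the PKGBUILD is never inspected, so a
    trusted maintainer who is compromised or goes rogue passes this check.
    """
    results = {r["Name"]: r for r in json.loads(rpc_json)["results"]}
    decisions: List[Decision] = []
    for name in tracked:
        info = results.get(name)
        if info is None:
            decisions.append(Decision(name, None, False,
                                      "not found in AUR (deleted or renamed)"))
            continue
        maintainer = info.get("Maintainer")
        if maintainer is None:
            decisions.append(Decision(name, None, False, "orphaned: nobody to trust"))
        elif maintainer in trusted:
            decisions.append(Decision(name, maintainer, True, "maintainer is trusted"))
        else:
            decisions.append(Decision(name, maintainer, False,
                                      f"maintainer {maintainer!r} is not on the trust list"))
    return decisions


def kept_packages(decisions: List[Decision]) -> List[str]:
    """Names of the packages that survive the trust check, in input order."""
    return [d.package for d in decisions if d.keep]


if __name__ == "__main__":
    # "example-gone" is tracked locally but absent from the RPC response.
    tracked = ["example-tool", "example-lib", "example-orphan", "example-gone"]
    for d in check_trust(SAMPLE_RPC_RESPONSE, tracked, {"alice", "bob"}):
        print(f"{'keep' if d.keep else 'drop'} {d.package:15} {d.reason}")
```

With a trust list of `alice` and `bob`, only `example-tool` is kept: `example-lib` was adopted by an untrusted account, `example-orphan` has no maintainer, and `example-gone` is no longer in the AUR. Nothing here reads a PKGBUILD, which is why the model blocks adoption of abandoned packages but not a compromised trusted maintainer.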
What about Aura https://aur.archlinux.org/packages/aura