
FWIW this is AUR. These packages are not officially supported. AUR = Arch User Repository.


Plenty of package managers (such as `yay`) install from AUR by default.


yay is a package manager that has been made for AUR. yay is not the official package manager for Arch Linux; pacman is, and it does not support AUR. yay is not installed on Arch Linux by default; its official package manager, pacman, is. AUR is for unofficial third-party packages, i.e. "use at your own risk". It has always been the case.


Yes, it is "use at your own risk", but most Arch users just install from it without giving it a second thought, because availability of packages in the AUR is the one thing Arch is good at.


> most Arch users just install from it without giving it a second thought

I'm not sure that's true. Neither I nor most people I know who use Arch (granted, most of them are professional software developers) install software from the internet willy-nilly and without reviewing anything, whether by AUR or "curl | bash", especially when on their main computers.


N=1 but I rarely install from AUR and I have been using Arch Linux for decades. Using "yay" is akin to doing "curl | sh". You should inspect the PKGBUILD at the very least, and I do not believe "most users" is correct.


Oh, and by the way, not sure how people miss these:

> Warning: AUR packages are user-produced content. These PKGBUILDs are completely unofficial and have not been thoroughly vetted. Any use of the provided files is at your own risk.

This is from https://wiki.archlinux.org/title/Arch_User_Repository.

> Warning: AUR helpers are not supported by Arch Linux. You should become familiar with the manual build process in order to be prepared to troubleshoot problems.

This is from https://wiki.archlinux.org/title/AUR_helpers.

"yay" is one of the most common AUR helpers; it requires two confirmations from what I counted. One of them is to inspect the PKGBUILD file, the other one is just to proceed.


Those users are going to learn some hard lessons, either in this incident or a future one.

Arch Linux is a distro that’s designed for the user to control their own system, and the AUR is clear about what it is and the nature of the packages in it.


It's also good at being fairly simple and transparent, and having the only sane package format in existence (along with Alpine's apkbuild which is basically the same thing), but okay.


> most Arch users just install from it without giving it a second thought

Citation needed.


On one hand, the distro developers can’t really prevent people from, say, hitting their computers with a sledgehammer or something. So to some extent, the users have to be trusted.

But, maybe it would be best not to have “yay” available. Using something like AUR without reading the package build files is… pretty bad, right? And it is bad for the community, because if there is a convention of doing that sort of thing, it makes the AUR a good target for attacking.


Yay is a 3rd party package manager. The 1st party package manager does not interact with the AUR.

Yay itself is in the AUR. You have to go out of your way to install it.

The Arch Linux docs on AUR helpers lead with a red warning: https://wiki.archlinux.org/title/AUR_helpers


Oh, I thought it was a package from the repo. (I didn’t use any of those third party package managers, just stuck to manually doing everything when using the AUR, which was fine because I used it sparingly).


No, and these AUR helpers are not even official packages in the official repository.


> But, maybe it would be best not to have “yay” available. Using something like AUR without reading the package build files is… pretty bad, right? And it is bad for the community, because if there is a convention of doing that sort of thing, it makes the AUR a good target for attacking.

I don't remember how yay works, but paru (another AUR package manager) displays the PKGBUILD file before it will install.



