Yes, the only reason this isn't happening in other distros is simply popularity.

Namespacing is the solution, and as mentioned in the article some ditros do indeed have namespaced user repos, like Fedora's Copr. The trust model of a flat namespace user repo is completely broken when the maintaining user can change at any moment.

Packman is more akin to rpmfusion, than AUR. OBS is the AUR equivalent for OpenSUSE.

> An Arch maintainer that I personally know once admitted that he rarely review upstream changes when bumping package versions.

Cool story bro. Assuming that's common, I have trouble understanding why Arch (non-AUR) is any more at risk than Debian--besides the latter being more popular and having more users/incidental testers, which is a real benefit if that's your goal, but has its own drawbacks (like older and known-vulnerable packages lingering for longer before updated releases are made available).

> it's not reasonable to ask package maintainers to spend all their time on those stuff, especially in this "Age of AI"

Aren't Debian and friends similarly at risk of this as well, then?

> security practices (such as TOTP, sandboxing browsers and video players, etc.)

I'm not sure if those are more or less prevalent on Arch; I know that many IDEs and GUI programs I've installed on Arch ran by default in Flatpaks or similar, and Debian/Ubuntu like Snaps, but I'm honestly not familiar with whether those ecosystems have significant and/or equivalent penetration in different distros.

I don't think Arch maintainers are responsible for auditing upstream. They package the upstream only.

> where packages are more thoroughly reviewed

Where are you drawing your conviction that non-rolling-release distro maintainers are doing a more thorough review of upstream changes?

> such as TOTP

What?

The AUR is not the Arch package manager or repository. The main Arch package repos are managed similarly to Debian, or Fedora, or whatever--caveat Arch's nature as a rolling release, but in terms of vetting and ownership/security, the approaches are similar. pacman installs from regular, real, vetted repositories by default. pacman will never install from the AUR. pacman is the official Arch package manager and the only one that is provided with the main Arch distribution/install instructions.

The AUR is, as many others have pointed out, a deliberately un-vetted pile of random Git repos. Arch deliberately doesn't even ship with a default one-click installer for AUR packages; their published guidance is "git clone this stuff from wherever it's hosted and build it at your own risk". Plenty of third-party, non-Arch-blessed tools turn that into a one-click process, but it's not "part" of Arch itself--at least not any more than, like, curl | bash or directions on how to add rando websites to /etc/apt/sources.list.d is part of Debian and friends.

I've used Arch as a daily driver for years. At peak, I've had five (5) total packages, with no transitives, installed from the AUR. Today I have one: sublime-text-4. It's perfectly possible--and extremely reasonable for many users, even power users--to live in an AUR-less world, or to use so few AUR packages that the guidance of "read what you're installing, doofus" is manageable and not onerous.

The AUR has consistently had warnings around it of 'verify the PKGBUILD', far more so than any other package repository that allows anyone to sign up. Probably the only notable difference is the ease of taking over an orphaned package.

If you want something from the AUR, just don't be lazy, read the pkgbuild.

I do. I just keep reading the diffs on the PLGBUILDs.

I do, I'm just choosy about aur packages I use

I still do, I just don't touch AURs anymore.

I was not affected

Is there another distro that has an equivalent of the AUR with handling you think is preferable?