
> the AUR is awesome and has everything you'll ever need

But what if I need packages created and maintained by vetted, qualified devs rather than the unvetted randos that upload PKGBUILDs to the AUR? Many of the AUR contributors I've looked into have no publicly-accessible real names, no personal websites, no LinkedIn accounts, and their GitHub accounts are only a couple years old with Japanese cartoon characters as their account photos.




> But what if I need packages created and maintained by vetted, qualified devs rather than the unvetted randos that upload PKGBUILDs to the AUR?

Pay for them or package them yourself. The nerve of being angry at people giving you their work for free and having the *audacity* of thinking you should have access to their real name, personal websites, LinkedIn and GitHub account.

The level of entitlement dripping from your comment is disgusting.


Wow. You are being very hostile, and make no mistake, that is on you, not on their comment. They made a point on trust which is very valid: just because someone generously does work doesn't mean you should automatically trust them for it if you know nothing about them.

You reading entitlement there and responding in such a hostile way is on you.


I wouldn't auto-update from AUR, but you can easily download a snapshot of the PKGBUILD of particular software you want from the Arch website and verify that it isn't doing anything questionable (and fix it if it is), then build it yourself. It is a simple format and easy to review; it is rare to see patches or non-obvious build steps. Personally, I have a dedicated AUR user with some aliases that grab a URL from a fifo and print it, download, and extract. There are also often packages that pull the latest version from git and can be easily updated to use release branches if you want. Because of the focus on upstreaming fixes rather than keeping patches, you can also just build outside the package system and install to /usr/local, and you will still benefit from the project likely having received patches to build on Arch (if they don't test it themselves). Even if not yet fixed upstream, any random issue you encounter usually already has a bug filed by an Arch user unless you are extremely quick about updating.


How exactly does any other distro solve that? Please don't tell me you genuinely find PPAs to be a better alternative...


If the PPA is run by the project then you don't need to trust someone else. Sometimes AUR packages are created by a developer for the project but since you aren't trusting a particular URL that is run by the project it is possible that that will change later without you noticing if you are auto updating from AUR.


Whoever makes the PKGBUILD, it almost always points to and builds from the original project's git server on a client machine. You can verify that from the package's AUR web page.

And about project maintainers running PPAs - say you're a dev, and you want to package binaries for your software. What's easier, whipping up a quick PKGBUILD once and putting it in your git server, thus allowing anyone to get the latest updated build at any time, or setting up accounts and painstakingly compiling and updating each build to a PPA? Are you aware of the hundreds of abandoned PPAs that lie orphaned after maintainers gave up in frustration about how cumbersome they are?
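The check discussed in the two comments above (reviewing a downloaded snapshot before building, and confirming that its sources point at the original project) can be partly automated. This is an added example, not part of the thread and not Arch tooling: it reads the `.SRCINFO` metadata file that accompanies a PKGBUILD in an AUR snapshot and flags sources that need a manual look. The package name, URLs, upstream prefix and finding labels are constructed for illustration, and it assumes `.SRCINFO` is in sync with the PKGBUILD, whose build functions still have to be read by hand.

```python
from urllib.parse import urlparse

# Constructed .SRCINFO for a hypothetical package; not taken from the AUR.
SAMPLE = """\
pkgbase = exampletool
    pkgver = 1.2.0
    url = https://github.com/example-org/exampletool
    source = exampletool-1.2.0.tar.gz::https://github.com/example-org/exampletool/archive/v1.2.0.tar.gz
    source = fix-build.patch
    source = helper::git+https://git.mirror.invalid/someone/helper.git#branch=main
    sha256sums = 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
    sha256sums = SKIP
    sha256sums = SKIP
"""

def parse_srcinfo(text):
    """Collect the repeated 'key = value' lines of a .SRCINFO into {key: [values]}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(" = ")
        if sep and not key.startswith("#"):
            fields.setdefault(key, []).append(value)
    return fields

def audit_sources(text, upstream_prefixes):
    """Return (source entry, finding) pairs that need a human look before building."""
    fields = parse_srcinfo(text)
    sums = fields.get("sha256sums", [])
    findings = []
    for i, entry in enumerate(fields.get("source", [])):
        url = entry.split("::", 1)[-1]          # drop the optional 'name::' prefix
        checksum = sums[i] if i < len(sums) else "SKIP"
        if "://" not in url:                    # file shipped beside the PKGBUILD
            findings.append((entry, "local-file"))
            continue
        scheme, rest = url.split("://", 1)
        is_vcs = scheme.startswith(("git", "hg", "svn", "bzr"))  # e.g. git+https
        parsed = urlparse(scheme.split("+")[-1] + "://" + rest)
        location = f"{parsed.hostname}{parsed.path}"
        if not location.startswith(tuple(upstream_prefixes)):
            findings.append((entry, "off-upstream"))    # not the project's own server
        if is_vcs and not parsed.fragment.startswith(("commit=", "tag=")):
            findings.append((entry, "unpinned-vcs"))    # content can change between builds
        elif not is_vcs and checksum == "SKIP":
            findings.append((entry, "no-checksum"))     # download is not integrity-checked
    return findings

if __name__ == "__main__":
    for entry, finding in audit_sources(SAMPLE, ["github.com/example-org/"]):
        print(f"{finding:13} {entry}")
```

An empty result only means the declared sources look as expected; it says nothing about what `build()` or `package()` do with them.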


I haven't looked that often since it is easiest to try to avoid software that isn't in the main package system, but I rarely see PKGBUILD checked into the upstream project. It is more common in my experience that an upstream developer manages the AUR package on the Arch website, not as part of the project. You can verify AUR packages before using them (this is what I do) but it is an extra step vs. a maintained PPA. AUR packages can be unmaintained as well. No matter the system the best situation for users is when the software you use is in the main package system.


Well if you're avoiding software that isn't in the main package system then it doesn't make a difference either way - the official Arch repository has almost everything the official Debian/Ubuntu repositories do that isn't distro-specific.



