I’m trying to install the Binance trading app on my system. The official downloads only have the deb and rpm formats, but it’s in the AUR. Is the AUR version safe, in the sense that it won’t steal passwords or something? You know, since my money is in there lol.
First of all, there aren’t actually any packages on the AUR itself. It’s a repository of build scripts, and those scripts (specifically, the PKGBUILD file) pull in the actual source code packages (or binary packages, if applicable) from wherever those are stored. So when it comes to the AUR, you can always look at the PKGBUILD file and check what it pulls in, and from where it pulls those things in.
Now, secondly, it has in the past happened that people who had upload access to the AUR were uploading corrupted packages, i.e. the PKGBUILD would pull in malware. Sometimes that was by accident, because the uploader hadn’t actually verified what they were linking to, and other times it was malicious, e.g. through a hacked AUR account. But in such cases, the community quickly discovers such malpractice and reports it, and then the packages in question are removed and the account of the uploader is blocked.
So the general rule when it comes to the AUR is “Practise discernment, check the PKGBUILD, and be responsible.” But in practice, and for the most part, one could say that the AUR is fairly trustworthy.
tl;dr
If the PKGBUILD pulls in either the (actual) source, the RPM or the DEB package, and doesn’t do anything out of the ordinary with it, it’s as safe as the original. Is the original safe?