This question is specifically about an AUR package (in this specific instance), but conceivably about bad packages in any repository. Considering I am using Manjaro with AUR enabled, I was unsure whether I should post this here or on an Arch forum, but I figured I'd start here. Anyway...
I run Mullvad VPN, and I have been installing it from AUR. In past 6 months or so I've installed it four or five times. In every case it has built quickly and installed quickly. The current package (mull-vpn 2019.9-7) had new dependencies, takes 10 plus minutes to build, is very CPU intensive, and ultimately fails. I visited the package URL (http://aur.archlinux.org/packages/mullvad-vpn) and it appears others have the same problem that I encountered, and the packager reports he has not had a successful built This package has been out there for a few days.
So my questions are (finally): How is it that problematic packages remain available for download in a repository? Or get posted there to begin with? And when/how do they get removed from the repository?