Ok? Not sure what a package manager can do about the fact that eventually you want to run the things you install.

Have any kind of provenance, e.g. like Debian has had for 30 years: key signing in person, etc.

That has also been implemented recently. With staged publishing, the author must verify a new release with 2FA, so automated attacks don't work anymore. Some human in the loop must verify a release.