This is a credentials and access list oAuth style problem, and not really intractable.
For package X, I should be able to present my npm (homebrew, apt, nuget, etc) credentials with publishing rights for the package.
If package X is of sufficient public interest (user count, nature/sensitivity of user data, downstream distribution, etc), then the public interest + cryptographic credentials should permit access to best-available security auditing.
Yes, we still are trusting trust, that the owner of the package itself is not malicious, but that's not a sharp degradation from status quo.
This is not tractable, because there is nothing stopping me from copy-pasting someone else's project into my own namespace. Under most OSS licenses I have express permission to do so.
If you try to do some kind of dupe-detection, someone can use a lightweight LLM to make superficial changes until it's considered a different project.
Finally, the meatspace status quo is that it is totally acceptable to pay someone to find security bugs in someone else's open-source software, such as the Linux kernel.
> If you try to do some kind of dupe-detection, someone can use a lightweight LLM to make superficial changes until it's considered a different project.
Even if you don't, a lot of source code can be legitimately copied thanks to the GPL/MIT/BSD/etc. I'm allowed to take all of zlib and integrate it into my own project if I so chose.
Yup, I just added something to that effect, sorry if my edit arrived after you replied.
[dead]
You are talking about creating a big moat, which might be a worse precedent than removing fable access altogether.
And what if I’m a crazy person and want to fork the Linux kernel as I’m legally allowed to do?
> If package X is of sufficient public interest (user count, nature/sensitivity of user data, downstream distribution, etc), then the public interest + cryptographic credentials should permit access to best-available security auditing.
Your private fork doesn't meet the conditions described.
Not just allowed to do, encouraged to do as part of legitimate development.