Michaels Log

Federating trust (in package managers)

Trust remains the Achilles’ heel of package managers: none I’ve seen truly nails it.

Problem statement: Let's imagine we have a package manager (PM). I want to install package (P). How can I be reasonably sure that neither P nor its dependencies do something against my will?

Can we do something to improve this?

I think, yes.

Luckily I know Adam, Berta and Claire, whose opinions I value and whom I (somewhat) trust. PM, our package manager, has the ability to add sources of trust, so I add Adam, Berta and Claire.

Now when I want to download or update package P, I get a report like the following.

  • Adam: does not approve or disapprove of the package, but has a concern about a change in one of its dependencies.
  • Berta: her build server tried to (re)build the package but failed to build it reproducibly.
  • Claire: looked at the source code changes since the last version and noted that P does something new and potentially unwanted that is not described in the package's metadata.

In practice this could all feed into an aggregate score or a set of criteria that can be evaluated programmatically, so that I only get notified in cases that are relevant to me.

Note: I did not mention it explicitly above, but all of this of course depends on cryptography: each source of trust has to sign its statements so that PM can tell a genuine report from a forged one.
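To make the report and the programmatic evaluation concrete, here is an added example (my own sketch, not code from any existing package manager) that models the scheme end to end: each trust source signs attestations about a package version with an Ed25519 key, PM verifies them against the keys it has registered for Adam, Berta and Claire, and a local policy folds the verified statements into a decision. The attestation format, the verdict vocabulary ("approve", "concern", "build-failed", "unreviewed-behaviour") and the policy rules are assumptions made for this example; the names and the three findings follow the report in the text. A fourth party, Mallory, is included to show that a statement made in Adam's name but signed with the wrong key is dropped rather than counted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"strings"
)

// Attestation is one trusted party's statement about one package version.
// The verdict vocabulary is a hypothetical one chosen for this example.
type Attestation struct {
	Signer  string `json:"signer"`
	Package string `json:"package"`
	Version string `json:"version"`
	Verdict string `json:"verdict"` // "approve", "concern", "build-failed", "unreviewed-behaviour"
	Note    string `json:"note"`
}

// SignedAttestation carries the serialised body and an Ed25519 signature over exactly those bytes.
type SignedAttestation struct {
	Body []byte
	Sig  []byte
}

// TrustStore maps the names the user added as trust sources to their public keys.
type TrustStore map[string]ed25519.PublicKey

// Sign serialises an attestation and signs the bytes a verifier will later check.
func Sign(priv ed25519.PrivateKey, a Attestation) SignedAttestation {
	body, err := json.Marshal(a)
	if err != nil {
		panic(err) // a struct of strings cannot fail to marshal
	}
	return SignedAttestation{Body: body, Sig: ed25519.Sign(priv, body)}
}

// Verify accepts an attestation only if the key registered for the claimed signer
// validates the signature, so statements from unknown parties or in someone else's name are dropped.
func (ts TrustStore) Verify(sa SignedAttestation) (Attestation, bool) {
	var a Attestation
	if err := json.Unmarshal(sa.Body, &a); err != nil {
		return Attestation{}, false
	}
	pub, known := ts[a.Signer]
	if !known || !ed25519.Verify(pub, sa.Body, sa.Sig) {
		return Attestation{}, false
	}
	return a, true
}

// Decision is the outcome of the local policy: whether to proceed and what to report.
type Decision struct {
	Install   bool
	Approvals int
	Findings  []string
}

// Evaluate folds the verified attestations about pkg@version into a decision.
// Hypothetical policy: a failed reproducible build or undeclared new behaviour blocks the
// install, a concern is reported but does not block, and approvals are counted.
func Evaluate(ts TrustStore, pkg, version string, sas []SignedAttestation) Decision {
	d := Decision{Install: true}
	for _, sa := range sas {
		a, ok := ts.Verify(sa)
		if !ok {
			d.Findings = append(d.Findings, "rejected: unknown signer or bad signature")
			continue
		}
		if a.Package != pkg || a.Version != version {
			continue // a statement about some other package or version
		}
		line := a.Signer + ": " + a.Verdict
		if a.Note != "" {
			line += " (" + a.Note + ")"
		}
		switch a.Verdict {
		case "approve":
			d.Approvals++
		case "build-failed", "unreviewed-behaviour":
			d.Install = false
			d.Findings = append(d.Findings, line)
		case "concern":
			d.Findings = append(d.Findings, line)
		}
	}
	return d
}

// Demo rebuilds the report from the text with freshly generated keys for Adam, Berta and
// Claire, plus an untrusted party, Mallory, whose key is never added to the trust store.
func Demo() Decision {
	ts := TrustStore{}
	keys := map[string]ed25519.PrivateKey{}
	for _, name := range []string{"Adam", "Berta", "Claire", "Mallory"} {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		keys[name] = priv
		if name != "Mallory" {
			ts[name] = pub
		}
	}
	// Constructed attestations; fields are signer, package, version, verdict, note.
	sas := []SignedAttestation{
		Sign(keys["Adam"], Attestation{"Adam", "P", "2.0", "concern", "a dependency changed its build script"}),
		Sign(keys["Berta"], Attestation{"Berta", "P", "2.0", "build-failed", "rebuild did not reproduce the published artifact"}),
		Sign(keys["Claire"], Attestation{"Claire", "P", "2.0", "unreviewed-behaviour", "new network access not described in metadata"}),
		Sign(keys["Claire"], Attestation{"Claire", "P", "1.9", "approve", ""}),          // older version, ignored
		Sign(keys["Mallory"], Attestation{"Adam", "P", "2.0", "approve", ""}),           // forged in Adam's name, rejected
	}
	return Evaluate(ts, "P", "2.0", sas)
}

func main() {
	d := Demo()
	fmt.Printf("install P@2.0: %v (approvals: %d)\n", d.Install, d.Approvals)
	fmt.Println(strings.Join(d.Findings, "\n"))
}
```

The verdicts and policy are deliberately coarse; the point is the shape of the pipeline: signed statements, verification against keys the user chose to trust, and a policy the user controls deciding what blocks and what merely notifies. Note that Claire's older approval for 1.9 carries no weight for 2.0, which is why attestations are bound to a specific version rather than to a package name.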