This is a universal problem in most package repositories regardless of language. PKI is difficult, and for it to work the users have to do some homework and place trust somewhere.
In a healthier OSS ecosystem, we'd have people counter-signing packages after they've vetted them. If Google approves something through to production, then it's probably okay for you too.
This wouldn't be a bad extension to the GNU license really - requiring reciprocal review.
Yeah, that could work, at least for larger orgs. Not so sure the majority of users would comply with such an extension, or even have the knowledge to review for e.g. security issues. Having a working PKI solution that could work regardless of ecosystem would be awesome. If nothing else, I can research which key e.g. Microsoft uses, and then allow anything signed by that key as an initial threshold.
Making it a requirement of using something commercially would add a lot of transparency though. The concept of "software bill of materials" has increased interest now, and this would be a part of it: if you're using something then you sign it and publish the signature which then declares an acknowledgment that it was reviewed in some way.
Absolutely, but I fear such a solution would lead to a lot of people signing just to be compliant, not because they did a thorough job reviewing. If we could connect it to a reputation somehow, it might have something going for it.
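As an added example (not code from anyone in this thread), here is one way the countersigning idea discussed above could be implemented: a reviewer publishes an Ed25519 signature over a package's SHA-256 digest as an attestation that they reviewed it, and a consumer's policy accepts the package only once enough distinct trusted reviewers have countersigned that exact artifact. A policy with a single vendor key and a threshold of one matches the "allow anything signed by that key as an initial threshold" approach; raising the count is the reciprocal-review variant. The `Attestation` and `Policy` types, the reviewer names and the artifact bytes are constructed assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Attestation is a constructed, hypothetical countersignature record: a named
// reviewer asserts they reviewed the artifact with the given SHA-256 digest.
type Attestation struct {
	Reviewer  string
	Digest    [32]byte
	Signature []byte
}

// attestedMessage binds the reviewer's claim to the exact artifact bytes, so a
// signature over one release cannot be replayed against another.
func attestedMessage(digest [32]byte) []byte {
	return append([]byte("reviewed-artifact-sha256:"), digest[:]...)
}

// Countersign produces a reviewer's attestation over the artifact's digest.
func Countersign(reviewer string, priv ed25519.PrivateKey, artifact []byte) Attestation {
	d := sha256.Sum256(artifact)
	return Attestation{Reviewer: reviewer, Digest: d, Signature: ed25519.Sign(priv, attestedMessage(d))}
}

// Policy is the consumer's trust decision: which reviewer keys it trusts and how
// many distinct trusted reviewers must have countersigned before acceptance.
type Policy struct {
	Trusted  map[string]ed25519.PublicKey
	MinCount int
}

// Evaluate returns whether the threshold is met and which trusted reviewers'
// signatures verified over this exact artifact. Attestations from unknown keys,
// over a different digest, or with a bad signature are ignored; repeated
// attestations from the same reviewer count once.
func (p Policy) Evaluate(artifact []byte, atts []Attestation) (accepted bool, validReviewers []string) {
	d := sha256.Sum256(artifact)
	seen := map[string]bool{}
	for _, a := range atts {
		pub, ok := p.Trusted[a.Reviewer]
		if !ok || seen[a.Reviewer] || a.Digest != d {
			continue
		}
		if !ed25519.Verify(pub, attestedMessage(d), a.Signature) {
			continue
		}
		seen[a.Reviewer] = true
		validReviewers = append(validReviewers, a.Reviewer)
	}
	return len(validReviewers) >= p.MinCount, validReviewers
}

// Demo runs a constructed scenario: two trusted reviewers, one unknown signer, a
// duplicate attestation, and a policy requiring two trusted countersignatures.
// It also shows that the same attestations do not carry over to tampered bytes.
func Demo() (accepted bool, reviewers []string, tamperedAccepted bool) {
	artifact := []byte("example-package-1.2.3.tar.gz contents (constructed)")
	mk := func() (ed25519.PublicKey, ed25519.PrivateKey) {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		return pub, priv
	}
	bigcorpPub, bigcorpPriv := mk()
	distroPub, distroPriv := mk()
	_, strangerPriv := mk()

	policy := Policy{
		Trusted:  map[string]ed25519.PublicKey{"bigcorp": bigcorpPub, "distro": distroPub},
		MinCount: 2,
	}
	atts := []Attestation{
		Countersign("bigcorp", bigcorpPriv, artifact),
		Countersign("stranger", strangerPriv, artifact), // key not in the trust set: ignored
		Countersign("bigcorp", bigcorpPriv, artifact),   // duplicate reviewer: counted once
		Countersign("distro", distroPriv, artifact),
	}
	accepted, reviewers = policy.Evaluate(artifact, atts)

	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01 // one flipped bit changes the digest; no attestation verifies
	tamperedAccepted, _ = policy.Evaluate(tampered, atts)
	return accepted, reviewers, tamperedAccepted
}

func main() {
	accepted, reviewers, tamperedAccepted := Demo()
	fmt.Printf("accepted=%v reviewers=%v tamperedAccepted=%v\n", accepted, reviewers, tamperedAccepted)
}
```

The reviewer's identity is only meaningful relative to the consumer's own trust set; an attestation claiming to be from "bigcorp" but signed with some other key fails verification against the key the consumer pinned, which is the property that makes "sign just to be compliant" at least attributable to a specific key holder.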