Artem S. Tashkinov via devel wrote:
> There must be a website or a central authority which includes known to be
> good/safe/verified/vetted open source packages along with e.g.
> SHA256/384/512/whatever hashes of the source tarballs. In addition, the
> source tarballs (not their compressed versions because people may use
> different compressors and compression settings) and their hashes must be
> digitally signed or have the appropriate PGP signatures from the trusted
> parties.
>
> Some parties must be assigned trust to be able to push new packages to
> this repository. Each push must be verified by at least two independent
> parties, let's say RedHat and Ubuntu or Ubuntu and Arch; it doesn't
> matter. The representatives of these parties must be people whose
> whereabouts are known to confirm who they physically are. No nicknames
> allowed.
This is just fundamentally not how Free Software works.
Kevin Kofler
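The two checks Artem's proposal above relies on, as an added Go example that is not code from either poster or from any distribution's tooling: the hash is taken over the decompressed tar stream so the compression settings do not matter, and a package is accepted only with valid signatures from at least two distinct organisations. Ed25519 stands in for the PGP signatures in the proposal, and the Attestation schema and organisation names are constructed for the example.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"io"
)

// Attestation is one party's Ed25519 signature over the hex SHA-256 of the
// uncompressed tarball; Org names the signing organisation (constructed schema).
type Attestation struct {
	Org string
	Pub ed25519.PublicKey
	Sig []byte
}

// UncompressedDigest hashes the tar stream after gzip decompression, so one
// tarball compressed with different settings always yields the same digest.
func UncompressedDigest(gz []byte) (string, error) {
	zr, err := gzip.NewReader(bytes.NewReader(gz))
	if err != nil {
		return "", err
	}
	h := sha256.New()
	if _, err := io.Copy(h, zr); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Verified requires valid signatures over digest from at least quorum distinct
// organisations; two signers from the same organisation count only once.
func Verified(digest string, atts []Attestation, quorum int) bool {
	orgs := map[string]bool{}
	for _, a := range atts {
		if ed25519.Verify(a.Pub, []byte(digest), a.Sig) {
			orgs[a.Org] = true
		}
	}
	return len(orgs) >= quorum
}
```

Counting organisations rather than signatures is what turns "two independent parties" into something the verifier can enforce; counting raw signatures would let one party with two keys pass alone.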