Exactly this.

The correct way is to have M of N signatures on specific package manager pinned versions. And you trust the auditors to look at each new version, of a well-known package.

We should start a project and get it funded, to do just that. The money can go to LLM tokens for audits, at least, and hosting the multisigs and the package managers.

Anyone want to partner on this? See my profile on HN and email me.

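The M-of-N check the comment proposes, as an added example that is not the commenter's code: N trusted auditors each sign the exact package name, pinned version and artifact digest, and a release is accepted only when at least M distinct trusted auditors have signed that exact triple. The `Auditor`/`Signature` types, the canonical message layout and the `newAuditor` helper are assumptions made for this example.

```go
package main

import "crypto/ed25519"

// Auditor is one trusted reviewer and the key used to verify their approvals.
type Auditor struct {
	Name string
	Pub  ed25519.PublicKey
}

// Signature is one auditor's approval of a specific pinned release.
type Signature struct {
	Auditor string
	Sig     []byte
}

// releaseMessage is the canonical bytes every auditor signs: package name,
// the exact pinned version and the digest of the published artifact.
func releaseMessage(pkg, version, digest string) []byte {
	return []byte("pkg=" + pkg + "\nversion=" + version + "\ndigest=" + digest + "\n")
}

// Approved reports whether at least m distinct trusted auditors validly signed
// this exact package/version/digest. Signatures from unknown auditors, over a
// different version or digest, or repeated by the same auditor do not count.
func Approved(auditors []Auditor, sigs []Signature, m int, pkg, version, digest string) bool {
	keys := map[string]ed25519.PublicKey{}
	for _, a := range auditors {
		keys[a.Name] = a.Pub
	}
	msg := releaseMessage(pkg, version, digest)
	seen := map[string]bool{}
	for _, s := range sigs {
		pub, ok := keys[s.Auditor]
		if ok && !seen[s.Auditor] && ed25519.Verify(pub, msg, s.Sig) {
			seen[s.Auditor] = true
		}
	}
	return len(seen) >= m
}

// newAuditor is a constructed helper for this example: it mints a fresh
// Ed25519 key pair for a named auditor (real auditors hold their own keys).
func newAuditor(name string) (Auditor, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	return Auditor{Name: name, Pub: pub}, priv
}
```

Because the version and digest are part of the signed bytes, an approval of one release cannot be replayed to bless a later one, and a single compromised auditor key still falls short of the threshold.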