Artem S. Tashkinov via devel wrote:
There must be a website or a central authority which includes open source packages known to be good/safe/verified/vetted, along with e.g. SHA256/384/512/whatever hashes of the source tarballs. In addition, the source tarballs (not their compressed versions, because people may use different compressors and compression settings) and their hashes must be digitally signed or have the appropriate PGP signatures from the trusted parties.
Some parties must be assigned trust to be able to push new packages to this repository. Each push must be verified by at least two independent parties, let's say Red Hat and Ubuntu, or Ubuntu and Arch; it doesn't matter. The representatives of these parties must be people whose whereabouts are known, to confirm who they physically are. No nicknames allowed.
This is just fundamentally not how Free Software works.
Kevin Kofler