In general, there is a huge problem with how we distribute software, and package managers are even worse.

We basically only look at the top level of things, when instead, every branch in the tree should have a bunch of security people watching it, like editors watch every change to a Wikipedia article, before it goes out.

Corporations using automation and technology have hijacked our "Free Speech" ideals, and caused us to think that it's a good thing when one party can push out a tweet to 5 million people at once, or a single corporation can buy up local stations and enforce talking points on journalism. That's not freedom of speech at all. That's just a preference for maintaining entrenched power because someone "amassed it voluntarily"... and this mentality extends recursively all the way down... Take for example the first Twitter mega-celebrity. Ashton Kutcher himself amassed it voluntarily because he was chosen by TV and movie executives once upon a time, to be used in mass media, and their platforms were "voluntarily" built in the past, from the invention of the TV, and people subscribed "voluntarily", and Twitter was built "voluntarily" and funded by VCs voluntarily, and so on. And the end result is, some power (in this case, audience) is concentrated in the hands of a few people, who disproportionately act as kingmakers for various other people and ideas. That's also how we get "too big to fail" issues in telecoms, banks, and so on.

In science, things work differently. arXiv.org exists, but peer review is a big thing. Wikipedia has multiple distrusting parties for each large article. So does Bitcoin (presumably, anyway).

In general, the more value (votes, data, code, money) accumulates in one place, the more "checks and balances" you should have for each release. You can't just have someone push out something in the middle of the night and have everyone pull it into their codebase via npm and then "launder" the (malicious) bugs through more and more releases. You need it to go through "peer review", and not on the top level of an entire tree, but rather, for each subtree there need to be people who understand what's going on.

THAT is a society that's far more secure, that can't be easily backdoored by some hackers paid by a state to find vulnerabilities. And the capitalistic system we have today is pushing the other way (closed source, centralized databases, extracting rents, rewarding early investors through information asymmetry, etc.), and the result is stuff like SolarWinds, the Equifax hack, the Yahoo hack, etc. etc. etc. We're finally starting to put a tax on storing data without an explicit purpose; hopefully that will make it expensive enough that people will be custodying their own data at least. But when it comes to "broadcasting" things, I'd rather have fewer "real time pushes" and instead slow things down until we can "run Byzantine consensus", gradually releasing to the public via concentric circles.

The full solution would involve Merkle trees where some security organizations and researchers / peers (anonymous or not, but with reputations) sign off on each changeset, instead of just Apple or something. Git + Verified Claims can already support most of the infrastructure, btw.
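The sign-off scheme the comment sketches (a Merkle tree over a changeset, with several independent reviewers attesting to it before anyone pulls it) can be made concrete in a few dozen lines. The following is an added example, not code from the comment or from any existing project. It assumes, for illustration, that reviewer attestations are HMAC-SHA256 tags over the Merkle root using a per-reviewer secret (a stand-in for real digital signatures such as Ed25519 or gpg-signed Git tags), that a release needs 2 of 3 known reviewers, and that the reviewer keys and the changeset contents are constructed sample data.

```python
"""Multi-party sign-off on a changeset before release.

Added example (not the commenter's code). It models the post's idea:
hash every file of a changeset into a Merkle tree, have several independent
reviewers attest to the root, and accept the release only once a threshold of
distinct, known reviewers has signed that exact root. Any edit after review
changes the root, so the old attestations stop matching.

Assumptions (not from the post): HMAC-SHA256 over the root stands in for a
digital signature; the threshold is 2 of 3; keys and files are constructed.
"""
import hashlib
import hmac
from typing import Dict


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def merkle_root(files: Dict[str, bytes]) -> bytes:
    """Merkle root over (path, content) leaves.

    Leaves are sorted by path so the root does not depend on dict ordering,
    and leaves/interior nodes use different prefixes so one can never be
    passed off as the other. An odd node is carried up unchanged rather than
    duplicated, so the tree has exactly one preimage per level.
    """
    level = [sha256(b"leaf:" + path.encode() + b"\0" + content)
             for path, content in sorted(files.items())]
    if not level:
        return sha256(b"empty")
    while len(level) > 1:
        pairs = [sha256(b"node:" + level[i] + level[i + 1])
                 for i in range(0, len(level) - 1, 2)]
        if len(level) % 2 == 1:
            pairs.append(level[-1])  # carry the unpaired node up a level
        level = pairs
    return level[0]


def attest(reviewer_key: bytes, root: bytes) -> bytes:
    """A reviewer's sign-off over the root (HMAC stands in for a signature)."""
    return hmac.new(reviewer_key, b"release-root:" + root, hashlib.sha256).digest()


def verify_release(files: Dict[str, bytes], attestations: Dict[str, bytes],
                   reviewer_keys: Dict[str, bytes], threshold: int) -> bool:
    """Accept only if >= `threshold` distinct known reviewers signed this exact root.

    Unknown reviewers carry no reputation and contribute no vote; a tag that
    does not match the current root (edited after review) is worthless.
    """
    root = merkle_root(files)
    valid = set()
    for name, tag in attestations.items():
        key = reviewer_keys.get(name)
        if key is None:
            continue
        if hmac.compare_digest(tag, attest(key, root)):
            valid.add(name)
    return len(valid) >= threshold


# Constructed sample data: in practice these would be reviewers' public keys.
REVIEWER_KEYS = {
    "alice": b"alice-secret-0001",
    "bob": b"bob-secret-0002",
    "carol": b"carol-secret-0003",
}
# Constructed sample changeset for a small npm-style package.
CHANGESET = {
    "package.json": b'{"name": "pad-left-ish", "version": "1.0.1"}',
    "index.js": b"module.exports = (s, n) => s.padStart(n);\n",
}


def demo():
    """Returns (reviewed release accepted, post-review edit accepted, single signer accepted)."""
    root = merkle_root(CHANGESET)
    signed = {"alice": attest(REVIEWER_KEYS["alice"], root),
              "bob": attest(REVIEWER_KEYS["bob"], root)}
    accepted = verify_release(CHANGESET, signed, REVIEWER_KEYS, threshold=2)

    # A "middle of the night" edit after the reviewers signed: root changes.
    tampered = dict(CHANGESET)
    tampered["index.js"] += b"// edited after review\n"
    tampered_accepted = verify_release(tampered, signed, REVIEWER_KEYS, threshold=2)

    # One reviewer alone does not meet the 2-of-3 threshold.
    single_accepted = verify_release(CHANGESET, {"alice": signed["alice"]},
                                     REVIEWER_KEYS, 2)
    return accepted, tampered_accepted, single_accepted


if __name__ == "__main__":
    print(demo())
```

Run it and the three booleans come back as accepted, rejected, rejected: the reviewed changeset passes, the same attestations are useless against a changeset edited after review, and a lone signer cannot push the release through on their own. Swapping the HMAC stand-in for real signatures (so reviewers hold only public keys in the verifier) is the one change needed to turn this into something resembling signed Git tags or a transparency log.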