SSL cannot protect from MITM attacks as simple as breaking into a server, and replacing a server-side JS module with a malicious version.<p>Modern operating systems send binaries (packages) inside a digital signature chain of trust. If you download a secure operating system the first time, the system can then maintain a chain of trust to ensure future upgrades are digitally signed to be from Apple, Microsoft, Canonical (Ubuntu), etc.<p>The world needs the same level of trust for browser JS code. How to lasso the current JS world into a secure envelope, that is (for open source projects) verifiable from a PGP-signed git commit all the way through to the end-user browser?<p>Anybody working on that?
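An added example, not part of the original comment: a minimal sketch in Node.js of the package-style check the comment asks for, where a client accepts a JS module only if its hash appears in a manifest signed by a publisher key pinned out of band. The function names, manifest layout and sample modules are hypothetical, and the link back to a PGP-signed git commit is not modeled.

```javascript
const crypto = require('node:crypto');

// SRI-style digest of a module's source text.
function digest(source) {
  return 'sha384-' + crypto.createHash('sha384').update(source).digest('base64');
}

// Publisher side, run away from the web server: hash each module, sign the manifest.
// (Hypothetical manifest layout: JSON object mapping module name to digest.)
function publishRelease(modules, privateKey) {
  const manifest = JSON.stringify(
    Object.fromEntries(Object.entries(modules).map(([name, src]) => [name, digest(src)]))
  );
  return { manifest, signature: crypto.sign(null, Buffer.from(manifest), privateKey) };
}

// Client side: trust only the pinned key, never the server that delivered the files.
function verifyModule(name, source, release, pinnedPublicKey) {
  const signed = crypto.verify(
    null, Buffer.from(release.manifest), pinnedPublicKey, release.signature
  );
  if (!signed) return 'reject: manifest signature invalid';
  const expected = JSON.parse(release.manifest)[name];
  if (expected === undefined) return 'reject: module not in signed manifest';
  return digest(source) === expected ? 'accept' : 'reject: module hash mismatch';
}

// Constructed sample data: one genuine module and a copy altered on the server.
const publisher = crypto.generateKeyPairSync('ed25519');
const genuine = 'export const greet = () => "hello";';
const altered = 'export const greet = () => "modified on server";';
const release = publishRelease({ 'app.js': genuine }, publisher.privateKey);

function demo() {
  // Whoever controls the server can also rewrite the manifest, but can only
  // sign it with a key of their own, which the client has not pinned.
  const other = crypto.generateKeyPairSync('ed25519');
  const forged = publishRelease({ 'app.js': altered }, other.privateKey);
  return {
    genuine: verifyModule('app.js', genuine, release, publisher.publicKey),
    swappedFile: verifyModule('app.js', altered, release, publisher.publicKey),
    swappedFileAndManifest: verifyModule('app.js', altered, forged, publisher.publicKey),
  };
}

console.log(demo());
```

All three fetches could arrive over a valid TLS connection; only the check against the pinned key distinguishes them.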