alt Hacker NewsI wrote a paper about how I think trust should work for software dependencies.
It very much builds on the hash-based cache lookup mechanism this paper calls constructive traces (in contrast to what they call deep constructive traces) to eliminate transitive trust relationships.