Hacker News

zdw, today at 3:42 PM (2 replies)

> You cannot offer a taxi service in a car that is not fit for the road, and then just shrug when it crashes and people get hurt.

The problem is that there's no overt way to tell whether the "car" (code) you're looking at is someone's experimental go-kart made by lashing a motor to a few boards, or a well tested and security analyzed commercial product, without explicitly doing those processes on your own.

The problem is all the go-kart hobbyists who make moderately popular go-kart designs end up being asked for all sorts of commercial territory requirements.

The people on the consuming end think "reliability is their job!" and try to force all their requirements and obligations onto the go-kart makers, which usually doesn't end well.


Replies

hnlmorg, today at 4:31 PM

Important security packages should be audited by 3rd party researchers and their results shared. For example https://github.com/RustCrypto/RSA?tab=readme-ov-file

If you're using a security package and it isn't either a shim over an existing API (e.g. porting a C library to a non-C language) or it fails to provide evidence of independent audits, then steer clear of it.

Most other domains are generally much easier for the developer to audit.

However, I will say that in an age of AI, it will become much easier than it already is to inadvertently pull bad packages.

unethical_ban, today at 3:54 PM

One could have different tiers of repository for different levels of trust.

In Arch Linux, I trust the base repositories more than AUR.
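Taken together, the two replies describe a policy: trust depends on which repository tier a package comes from, and a security-sensitive package is only acceptable if it is a thin shim over an already vetted native library or carries evidence of an independent audit. The script below is an added illustration of such a policy as a dependency gate, not code from the thread or from any of the projects mentioned. The package names, tiers and audit references in the constructed manifest are invented for the example; the tier names (core, community, user) are assumptions modelled loosely on a distro's base repositories versus a user-contributed repository.

```python
"""Tiered trust policy for third-party packages (illustrative, constructed data)."""
from dataclasses import dataclass
from enum import Enum


class Tier(Enum):
    CORE = 1       # base repository: maintainer-curated and signed
    COMMUNITY = 2  # curated community repository
    USER = 3       # user-contributed repository with no gatekeeping (AUR-style)


@dataclass(frozen=True)
class Package:
    name: str
    tier: Tier
    security_sensitive: bool = False   # crypto, auth, sandboxing, parsing of untrusted input
    is_shim: bool = False              # thin binding over an already vetted native library
    audit_evidence: tuple = ()         # references to independent audit reports (constructed)


@dataclass
class Decision:
    allowed: bool
    reasons: list


def evaluate(pkg: Package, allowlist: frozenset = frozenset()) -> Decision:
    """Apply the tiered policy to one package and return the decision with reasons."""
    reasons = []

    # Rule 1: the user tier is never trusted implicitly; each package needs an
    # explicit allowlist entry that someone reviewed and signed off on.
    if pkg.tier is Tier.USER and pkg.name not in allowlist:
        reasons.append("user-tier package is not on the explicit allowlist")

    # Rule 2: a security-sensitive package must be a shim over a vetted library
    # or provide evidence of an independent audit; otherwise it is rejected
    # regardless of how popular it is.
    if pkg.security_sensitive and not pkg.is_shim and not pkg.audit_evidence:
        reasons.append("security-sensitive package without independent audit evidence")

    return Decision(allowed=not reasons, reasons=reasons)


def evaluate_manifest(packages, allowlist: frozenset = frozenset()) -> dict:
    """Evaluate every package in a manifest; returns {name: Decision}."""
    return {pkg.name: evaluate(pkg, allowlist) for pkg in packages}


# Constructed manifest: none of these names refer to real packages.
MANIFEST = [
    Package("example-logging", Tier.CORE),
    Package("example-tls", Tier.CORE, security_sensitive=True,
            audit_evidence=("audit-report-placeholder-2024",)),
    Package("example-jwt", Tier.COMMUNITY, security_sensitive=True),
    Package("example-sodium-binding", Tier.USER, security_sensitive=True, is_shim=True),
    Package("example-aur-helper", Tier.USER),
    Package("example-colors", Tier.USER),
]

# Explicit allowlist for user-tier packages (constructed).
ALLOWLIST = frozenset({"example-sodium-binding", "example-aur-helper"})


def policy_report(packages=MANIFEST, allowlist=ALLOWLIST) -> dict:
    """Return {name: (allowed, reasons)} for the whole manifest."""
    return {name: (d.allowed, list(d.reasons))
            for name, d in evaluate_manifest(packages, allowlist).items()}


if __name__ == "__main__":
    for name, (allowed, reasons) in policy_report().items():
        status = "ALLOW" if allowed else "BLOCK"
        print(f"{status:5} {name}" + ("" if allowed else "  (" + "; ".join(reasons) + ")"))
```

In this run `example-jwt` is blocked even though it sits in the curated community tier, because it is security-sensitive and neither a shim nor audited; `example-sodium-binding` passes from the user tier because it is allowlisted and is a shim over a vetted library; `example-colors` is blocked purely on tier, since no one has vouched for it. The reasons are returned rather than only printed so the same function can feed a CI check.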