With a central repo you may expect that it operates under increasingly stronger security standards, and even if you missed a malicious update, there’s a higher chance that it was taken down by someone else. In a decentralized environment your risks are higher and the attention surface bigger.
The fact is that even the “canonical” CAs can’t be automatically trusted, but here we are. CA is just one shitty implementation of WoT that has been near-universally imposed on us and that most people simply accept as a necessity of life, but it isn’t necessarily the only way. It’s just how it is right now.
From https://www.hackerneue.com/item?id=44991636 :
> Native Containers are bare-metal host images as OCI Images which can be stored in OCI Container Registries (or Artifact registries because packages too). GitHub, GitLab, Gitea, GCP, and AWS all host OCI Container/Artifact Registries
So, packages there too would simplify things.
Re: "RPM 6.0 Released with OpenPGP Improvements and Signature Checking by Default" (2025) and Sigstore and PyPI and SLSA.dev and key revocation transparency: https://www.hackerneue.com/item?id=45354568
Nerdctl supports various snapshot, lazy start, and distributed cloud storage container stores: https://www.hackerneue.com/item?id=45270468
Ruby has:
gem cert --build your@email.com
gem install gemname -P HighSecurity
And also for signatures now there's sigstore-ruby and Trusted Publishing.
sigstore-ruby: https://github.com/sigstore/sigstore-ruby
guides.rubygems.org/trusted-publishing: https://guides.rubygems.org/trusted-publishing/ :
> Trusted publishing is a mechanism for uploading gems to RubyGems.org without using long-lived secret credentials. [..]
> Trusted Publishing is a term for using OpenID Connect (OIDC) to exchange short-lived identity tokens between a trusted third-party service and RubyGems.org. This allows obtaining short-lived API tokens in an automated environment (such as CI) without having to store long-lived API tokens or username/password credentials.
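As an added example (not code from this thread and not RubyGems' own implementation), the Ruby below models the checks the HighSecurity trust policy from `gem install gemname -P HighSecurity` layers on a signed gem: a signature is mandatory, it must verify under the leaf certificate, the chain must be in its validity window and end in a self-signed root, and that root must already have been added to the installer's trust store (`gem cert --add`). The names `build_signing_cert`, `TrustStore`, `sign_payload`, `verify_high_security` and `demo` are assumptions made for this illustration; the trust-dir file naming is modelled on RubyGems' `~/.gem/trust` but simplified, and the payload is a constructed stand-in for the gem's `metadata.gz`/`data.tar.gz` bytes.

```ruby
# Added example, not code from the thread or from RubyGems. All function and
# class names are assumptions for this illustration; the trust-dir layout is a
# simplified model of RubyGems' ~/.gem/trust, not its exact implementation.
require "openssl"
require "fileutils"
require "tmpdir"

DIGEST = "SHA256"

# Roughly what `gem cert --build you@example.com` produces: an RSA key pair and
# a self-signed certificate whose subject is derived from the email address.
def build_signing_cert(email, key, days: 365, now: Time.now)
  local, domain = email.split("@", 2)
  name = OpenSSL::X509::Name.new([["CN", local]] + domain.split(".").map { |dc| ["DC", dc] })
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = name
  cert.issuer = name # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = now - 60
  cert.not_after = cert.not_before + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", "digitalSignature,keyEncipherment", true))
  cert.sign(key, OpenSSL::Digest.new(DIGEST))
end

# Trust store modelled on RubyGems' trust dir: `gem cert --add` drops a PEM
# named from a digest of the certificate subject into it.
class TrustStore
  def initialize(dir)
    @dir = dir
    FileUtils.mkdir_p(dir)
  end

  def path_for(cert)
    File.join(@dir, "cert-#{OpenSSL::Digest::SHA256.hexdigest(cert.subject.to_s)}.pem")
  end

  def add(cert)
    File.write(path_for(cert), cert.to_pem)
  end

  # Trusted only if a cert for this subject is on disk AND it is byte-for-byte
  # the same certificate (a different key with the same subject must not pass).
  def trusted?(cert)
    path = path_for(cert)
    File.exist?(path) && OpenSSL::X509::Certificate.new(File.read(path)).to_der == cert.to_der
  end
end

# Detached signature over the package bytes (a gem carries one per entry).
def sign_payload(key, payload)
  key.sign(OpenSSL::Digest.new(DIGEST), payload)
end

# HighSecurity-style verification. Returns :ok, or raises naming the failing
# check, in the order: signature present, signature valid, validity window,
# chain links, self-signed root, root present in the trust store.
def verify_high_security(store, chain, signature, payload, now: Time.now)
  raise "unsigned gems are not allowed" if signature.nil? || chain.empty?
  leaf = chain.first
  raise "invalid signature" unless leaf.public_key.verify(OpenSSL::Digest.new(DIGEST), signature, payload)
  chain.each do |cert|
    raise "certificate not valid at this time: #{cert.subject}" if now < cert.not_before || now > cert.not_after
  end
  chain.each_cons(2) do |cert, issuer|
    raise "certificate #{cert.subject} was not issued by #{issuer.subject}" unless cert.issuer == issuer.subject && cert.verify(issuer.public_key)
  end
  root = chain.last
  raise "root certificate is not self-signed" unless root.issuer == root.subject && root.verify(root.public_key)
  raise "root certificate #{root.subject} is not trusted" unless store.trusted?(root)
  :ok
end

def outcome
  yield
rescue RuntimeError => e
  e.message
end

# Scenarios an installer hits: cert not yet added with `gem cert --add`, the
# same cert once trusted, a tampered payload, an expired cert, an unsigned gem.
def demo
  Dir.mktmpdir do |dir|
    store = TrustStore.new(dir)
    key = OpenSSL::PKey::RSA.new(2048)
    cert = build_signing_cert("maintainer@example.com", key)
    payload = "constructed stand-in for metadata.gz and data.tar.gz bytes"
    sig = sign_payload(key, payload)
    results = { before_trust: outcome { verify_high_security(store, [cert], sig, payload) } }
    store.add(cert) # the installer runs `gem cert --add maintainer-cert.pem`
    results[:trusted] = outcome { verify_high_security(store, [cert], sig, payload) }
    results[:tampered] = outcome { verify_high_security(store, [cert], sig, payload + "!") }
    results[:expired] = outcome { verify_high_security(store, [cert], sig, payload, now: cert.not_after + 1) }
    results[:unsigned] = outcome { verify_high_security(store, [], nil, payload) }
    results
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```

The point the ordering makes: a valid signature from a key nobody has vouched for is rejected just as an unsigned gem is, which is why `-P HighSecurity` only becomes usable after the maintainer's certificate has been distributed out of band and added with `gem cert --add`; the byte-for-byte comparison in `trusted?` is what stops a second certificate with the same subject from riding on that trust.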
By using signed packages. Why is this even a question?