How do we prove the provenance of a package? Who owns it? Can someone else overwrite it with a modified version? What is to stop a third party from uploading a tampered package?
Okay, a lot of questions, but I have been looking at a number of .NET package managers over the past few weeks (only recently discovering Nu), and then voila, NuPack is born.
I am excited about NuPack (Nu had a delivery infrastructure, WebGac had VS integration) but the quality of packages is of importance to me (and others in this space according to email conversations I have had).
We are dealing with binary downloads rather than source, so subtle bugs introduced by 'evil' third parties are an issue to me.
I'd prefer that the packages are grabbed from the OSS sites themselves, i.e. the packager could join the project as a contributor and maintain the package creation such that it is built as part of the OSS delivery mechanism. Even sign the package in some