What I really miss is a common format for package managers with a uniform, simple and well-documented API and a fully FOSS implementation. Dependency resolution and garbage collection would probably still be unique to each format, but maybe even this could be unified for some cases.
This way you would only need one service for all your needs. Everyone could host their own proxy/cache/mirror/repository. BOMs would be simpler. CVEs would be easy to attach and query. Tools could handle multiple different package types. Auth could be shared and simplified as well. Less reliance on a single provider. Projects with multiple languages would be easier. New tools that need packages would not need to invent everything from scratch.
This of course only slightly helps with the trust problem, but at least it offers a common way to attach things like CVEs or whether someone has reviewed a package/version, and to share some effort between different platforms. In the end you still need people to put in the effort to actually review the packages.
> What I really miss is a common format for package managers with a uniform, simple and well documented API and a fully FOSS implementation.
RPM? You'll never get everyone actually on a single format, but even then, between LSB and just its actual popularity, it has support on most distros (even if only by way of converters like alien).
RPM seems to be focused on Linux and on globally managing the whole system, though, but yeah, something like that. It would probably need to work more like cargo or npm, with a per-project list.
Agreeing on one format is kind of the point. I know it is difficult, but I think it is possible if at least a few implementations agree on something. Maybe some kind of "backend" like LLVM which could be used by cargo, npm, maven, etc. to configure their resolution strategy. Probably only a dream though.