Thanks for the feedback @ckneale. Such a distance check shouldn’t be too hard to implement, no? Name revocation should also be a thing then though (on package deprecation)? That might add to the implementation complexity.
I like that idea @chakravala! That would enable some ‘karma’-based system and such local settings could substantially reduce the attack surface. E.g. only trust: this list of packages I use commonly.
Additionally, like for Deb packages, allow for adding cryptographic signatures.
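The distance check and name revocation discussed in this post, as an added example (not code from the thread or from any package registry). The `NameRegistry` class, the threshold of 2, the package names, and the choice to keep a revoked name reserved against exact reuse are all assumptions made for illustration.

```python
# Added example: hypothetical registry, constructed package names.

def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


class NameRegistry:
    """Hypothetical registry that rejects names too close to active ones."""

    def __init__(self, min_distance: int = 2):
        self.min_distance = min_distance  # assumed threshold
        self.active = set()    # names that block near neighbours
        self.revoked = set()   # deprecated names: exact reuse stays blocked

    def conflicts(self, name: str) -> list:
        key = name.lower()
        return sorted(n for n in self.active
                      if edit_distance(key, n) < self.min_distance)

    def register(self, name: str) -> None:
        key = name.lower()
        if key in self.revoked:
            raise ValueError(f"{name!r} was revoked and cannot be reused")
        clash = self.conflicts(key)
        if clash:
            raise ValueError(f"{name!r} is too close to {clash}")
        self.active.add(key)

    def revoke(self, name: str) -> None:
        """On deprecation: stop blocking neighbours, keep the exact name reserved."""
        key = name.lower()
        self.active.discard(key)
        self.revoked.add(key)


if __name__ == "__main__":
    reg = NameRegistry()
    reg.register("fastjson")             # constructed package name
    print(reg.conflicts("fastjsno"))     # near neighbour of an active name
```

The revocation step is where the extra complexity shows up: the registry has to track two sets, and it must decide whether a deprecated name is freed entirely or only stops blocking its neighbours.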