Unfortunately, I feel the current system with METADATA.jl is too centralized.
(That it can take ages to get a new set of dependent packages or a new version of them registered is a large pain point currently.)
I’m hoping that for Pkg3, a more decentralized trust system based on trusted organizations can be set up.
I’m not sure, but using a blockchain approach for registering the trusted organizations, so that if one is later deemed untrustworthy, that can be revoked, might be a useful approach.