Was waiting for the first person to point out that what you get when you visit a URL is not guaranteed to be the exact same on a subsequent visit.
Not seeing how URL-based package management is safer when a package host can use a server that sends a special payload to certain requester IPs, headers, cookies or referrer.
Until there are firm guarantees around what you get from a URL, a trustable third party is needed, even if just as an option.
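Added example, not part of the original comment: a sketch of digest pinning for URL imports, showing that a pin recorded on first fetch only holds if that fetch was untargeted, while a digest published by an independent party flags the targeted requester. The host function, URL, IP addresses and file contents are all constructed for illustration, and no network access is involved.

```python
import hashlib
import hmac

# Constructed sample data: two bodies the same URL could return.
CLEAN = b"export const add = (a, b) => a + b;\n"
ALTERED = b"export const add = (a, b) => a + b; /* altered */\n"
URL = "https://pkg.example/add.js"  # placeholder URL, not a real package


def host_respond(url, requester_ip):
    """Constructed stand-in for a package host that varies its response by requester."""
    return ALTERED if requester_ip == "203.0.113.7" else CLEAN


def digest(body):
    return hashlib.sha256(body).hexdigest()


def verify(pins, url, body):
    """Compare fetched bytes with a pinned digest; URLs without a pin are not trusted."""
    expected = pins.get(url)
    if expected is None:
        return "unpinned"
    return "ok" if hmac.compare_digest(expected, digest(body)) else "mismatch"


def first_use_pin(url, requester_ip):
    """Trust on first use: pin whatever this requester happened to receive."""
    return {url: digest(host_respond(url, requester_ip))}


def audit(pins, url, requester_ips):
    """Check what each requester receives against the same set of pins."""
    return {ip: verify(pins, url, host_respond(url, ip)) for ip in requester_ips}


if __name__ == "__main__":
    ips = ["198.51.100.1", "203.0.113.7"]
    # Pin taken by an untargeted requester: the targeted response is caught.
    print(audit(first_use_pin(URL, "198.51.100.1"), URL, ips))
    # Pin taken by the targeted requester: the altered bytes verify as "ok" for it.
    print(audit(first_use_pin(URL, "203.0.113.7"), URL, ips))
    # Digest published by an independent party: the targeted requester is flagged.
    print(audit({URL: digest(CLEAN)}, URL, ips))
```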