4 points by signa11, 6 hours ago | 1 comment
  • 6thbit, 6 hours ago
    I like the efforts behind the sigstore.dev project.

    And while I do think code signing alone would’ve helped in the recent issues, what I’d like to see is a sort of automated package scanner that searches for this kind of malware and then publishes a signed report enumerating the things verified alongside the package's PyPI metadata.

    Then I could verify both the package and the scanner's result and decide whether to update or not.

    I know this is daydreaming, 'cause who would sponsor scanning and attesting every open source project, Anthropic?
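The verification step the comment describes (check the package, then check the scanner's signed report, and only update if both hold) is shown below as an added example in Go using only the standard library's Ed25519 and SHA-256. It is not code from the thread, from sigstore, or from any real scanner; the report layout, the scanner name, the check names and the artifact bytes are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// ScanReport is the attestation a hypothetical scanner would publish next to a
// package's index metadata. The shape is an assumption made for this example.
type ScanReport struct {
	Package string   `json:"package"`
	Version string   `json:"version"`
	SHA256  string   `json:"sha256"`  // digest of the exact artifact that was scanned
	Checks  []string `json:"checks"`  // names of checks the scanner ran and passed
	Scanner string   `json:"scanner"` // identity of the scanner (hypothetical)
}

// SignedReport carries the canonical report bytes and an Ed25519 signature over them.
type SignedReport struct {
	Report    []byte
	Signature []byte
}

// canonical serialises a report so that the same content always yields the same bytes.
func canonical(r ScanReport) ([]byte, error) {
	rc := r
	rc.Checks = append([]string(nil), r.Checks...)
	sort.Strings(rc.Checks)
	return json.Marshal(rc)
}

// SignReport is the scanner side: bind the report to the artifact's digest and sign it.
func SignReport(priv ed25519.PrivateKey, pkg, version, scanner string, artifact []byte, checks []string) (SignedReport, error) {
	sum := sha256.Sum256(artifact)
	rep := ScanReport{Package: pkg, Version: version, SHA256: hex.EncodeToString(sum[:]), Checks: checks, Scanner: scanner}
	body, err := canonical(rep)
	if err != nil {
		return SignedReport{}, err
	}
	return SignedReport{Report: body, Signature: ed25519.Sign(priv, body)}, nil
}

// VerifyReport is the consumer side. It fails closed: bad signature, report for a
// different package or version, artifact bytes that differ from what was scanned,
// or a required check the scanner never attested all reject the update.
func VerifyReport(pub ed25519.PublicKey, sr SignedReport, pkg, version string, artifact []byte, required []string) error {
	if !ed25519.Verify(pub, sr.Report, sr.Signature) {
		return errors.New("report signature invalid")
	}
	var rep ScanReport
	if err := json.Unmarshal(sr.Report, &rep); err != nil {
		return err
	}
	if rep.Package != pkg || rep.Version != version {
		return fmt.Errorf("report covers %s %s, not %s %s", rep.Package, rep.Version, pkg, version)
	}
	sum := sha256.Sum256(artifact)
	if rep.SHA256 != hex.EncodeToString(sum[:]) {
		return errors.New("local artifact digest differs from the digest the scanner attested")
	}
	have := make(map[string]bool, len(rep.Checks))
	for _, c := range rep.Checks {
		have[c] = true
	}
	for _, c := range required {
		if !have[c] {
			return fmt.Errorf("scanner did not attest required check %q", c)
		}
	}
	return nil
}

func main() {
	// Constructed demo: a scanner key pair, a fake sdist, and a report over it.
	pub, priv, _ := ed25519.GenerateKey(nil)
	artifact := []byte("constructed sdist bytes for example-pkg 1.2.3")
	sr, _ := SignReport(priv, "example-pkg", "1.2.3", "hypothetical-scanner", artifact, []string{"typosquat", "install-hook"})

	fmt.Println("genuine artifact:", VerifyReport(pub, sr, "example-pkg", "1.2.3", artifact, []string{"install-hook"}))
	tampered := append(append([]byte{}, artifact...), 'x')
	fmt.Println("tampered artifact:", VerifyReport(pub, sr, "example-pkg", "1.2.3", tampered, nil))
}
```

The important detail for the "verify both" idea is that the report is bound to the artifact by digest, so a report signed for one build cannot be reused to vouch for a modified one, and the consumer names the checks it actually requires rather than trusting a bare "passed" flag.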