Easily inspect dependencies
Rust Internals [Unofficial]
April 29, 2026
I've just realized that I might have changed the security/threat-model, so my argument might be fallacious in some way (or it's not yet fallacious). Previously, my threat model assumed the registry is safe but the publishers might not. But after I said
Rudxain:
"web-view" of a file might not match the version downloaded through other means
I changed the threat-model to "not even the registry can be trusted". Or maybe the model was always that, but only now I'm making it explicit?
I'm pointing this out so that we're all on the same page, and because there's no explicit consensus (yet) on what the threat-model ought to be.
This is both a clarification and a question.