@malwareminigun I think you might be misunderstanding this as being about package security, which I'm not sure anyone is discussing web-of-trust for? The recent push between projects like Vouch and humans.json has been to do maintainer-level trust analysis. I posit this will be ineffective.