I feel like a good business would be offering access to an NPM / RubyGems server that only hosts packages that are signed / vetted by that company (and charging money for access of course). I think this is basically the RedHat model (but they only do RPMs).
19:11 PM - 26 Nov 2018
I definitely think digitally signed packages would be a good way to go. I think having a central repository for packages may eventually cause issues because of considerations like who actually owns the hosted data, who can rightfully access the data, whether charging to access the packages violates the licenses, etc. Maybe just a service that does digital signing and authentication, so each module can be checked before being loaded, or creates some sort of warning message should the check of the digital signature fail.
They've recently started working towards that goal: blog.npmjs.org/post/172999548390/n....