@jcoglan Do you think the trusted publishing stuff moves the needle on this front? I recently switched a couple crates.io libraries of mine to use trusted publishing and while it's very cool I can just press a button on GitHub to make releases without needing to keep a token around, it also elevates a GitHub compromise immediately into a package compromise? All of this feels like an endless maze...