Are you honestly telling me that a package that was reviewed and signed off by three reputable developers is practically susceptible to "Scientific fraud"? If you do, then I can see why you think this problem is unsolvable.

You will never have a theoretically perfect solution to this problem, but guess what: turns out you don't have to. Even single-reviewer systems like Linux repositories have proven to be vastly more secure than this crap.

This problem is absolutely solvable and eventually it will be. I just hope they solve it the right way.

> Are you honestly telling me that a package that was reviewed and signed off by three reputable developers is practically susceptible to "Scientific fraud"?

Yes? Especially if it's pulling in dependencies written by a bunch of other people because then it doesn't require malicious action by those three reputable devs, but merely negligence on their part in how those dependencies (and any updates etc. to them) are managed.

Of course negligence causes the system to fail. That's why people rely on REPUTABLE developers; that is, those who have a long history of doing good, thorough reviews. In practice, even single-reviewer systems have proven to be enough to keep entire package ecosystems secure (Linux package maintainers).

I encourage you to do more research on this topic.
