Comment by st3fan

It is not about the domain.

"It is not a good indicator of trustworthiness of the actual thing you download."

I just downloaded something with malware from github.com. I indeed wanted to connect to github.com and I trust that it is Github.com. But again ... it did not say _anything_ about the trustworthyness of the _actual_ thing I did, which was to download an asset from that domain.

That is my point. In the context of this discussion about downloading dependencies.