Comment by packattest
9 hours ago
One thing I’m curious about:
We’ve focused a lot on provenance (where artifacts come from), but less on verifying what actually gets published.
Feels like both are needed — provenance + explicit artifact review.
Curious if others have seen similar issues in other ecosystems (pip, cargo, etc.).
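The "explicit artifact review" the comment asks for can be mechanised: diff what a registry actually serves against the tagged source it claims to be built from. The script below is an added example, not code from the commenter or from any project in the thread. It assumes an npm-style tarball whose members sit under a `package/` prefix (the prefix is a parameter, so a pip sdist or cargo crate layout can be reviewed the same way), and the source tree and tarball it reviews are constructed inline so it runs offline.

```python
import hashlib
import io
import os
import tarfile
import tempfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def source_digests(src_dir: str) -> dict:
    """Walk a source checkout; map POSIX-style relative path -> sha256 of file contents."""
    out = {}
    for root, _, files in os.walk(src_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, src_dir).replace(os.sep, "/")
            with open(path, "rb") as f:
                out[rel] = sha256(f.read())
    return out


def artifact_digests(tar_bytes: bytes, strip_prefix: str = "package/") -> dict:
    """Map tarball member path (layout prefix stripped) -> sha256 of contents.

    Only regular files are hashed; directories, symlinks and device nodes are skipped
    (a symlink or absolute path in a published tarball is itself worth a separate check).
    """
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            name = member.name
            if name.startswith(strip_prefix):
                name = name[len(strip_prefix):]
            out[name] = sha256(tf.extractfile(member).read())
    return out


def review_artifact(src: dict, art: dict) -> dict:
    """Compare digests. 'added' and 'modified' are the findings a reviewer cares about:
    content in the published artifact that the tagged source does not account for.
    'missing' is usually benign (tests, CI config excluded by a files/MANIFEST rule)
    and is reported for completeness only."""
    common = set(src) & set(art)
    return {
        "added": sorted(set(art) - set(src)),
        "modified": sorted(p for p in common if src[p] != art[p]),
        "missing": sorted(set(src) - set(art)),
    }


def make_tar(files: dict, prefix: str = "package/") -> bytes:
    """Build an in-memory .tgz with the given {path: bytes} under a layout prefix."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(prefix + name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: a tagged source tree and a "published" tarball that drifts from it.
SOURCE_FILES = {
    "package.json": b'{"name": "example", "version": "1.0.0"}\n',
    "index.js": b'module.exports = () => "hello";\n',
    "test/index.test.js": b'require("assert")(require("..")() === "hello");\n',
}
PUBLISHED_FILES = {
    "package.json": SOURCE_FILES["package.json"],
    "index.js": SOURCE_FILES["index.js"] + b'// line not present in the tagged source\n',
    "scripts/postinstall.js": b'// file not present in the tagged source\n',
}


def demo() -> dict:
    """Write the constructed source tree to a temp dir, build the tarball, and review it."""
    with tempfile.TemporaryDirectory() as src_dir:
        for rel, data in SOURCE_FILES.items():
            path = os.path.join(src_dir, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        src = source_digests(src_dir)
    art = artifact_digests(make_tar(PUBLISHED_FILES))
    return review_artifact(src, art)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice `src_dir` is a fresh clone at the tag or commit the provenance attestation names, and `tar_bytes` is the file fetched from the registry; provenance tells you which commit to clone, and this diff tells you whether the artifact is actually that commit. Anything under `added` or `modified`, especially an install-time script, is the kind of thing to block a release on until the build step that produced it is understood.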