
Comment by calpaterson

10 days ago

> The only oversight I think in the proposal is staggered distributions so that projects declare a UUID and the distribution queue progressively makes it available rather than all or nothing

That is indeed an oversight - I wish I had thought of that idea!

No worries. Feel free to popularize it. I’m more worried about supply chain security than credit :).

  • Also, rather than a UUID, a hash of the package name is probably sufficient for back compat and for avoiding people trying to rotate UUIDs to get sooner / later distribution.
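The staggered-distribution idea above, worked through as an added example (this is not code from the thread, nor from any package index; the slot count, the one-hour spacing and the name normalisation are assumptions chosen for illustration). The rollout slot is derived from a hash of the package name, so it is stable across releases and cannot be re-rolled by a publisher the way a self-declared UUID could; a package becomes visible to installers only once its slot's delay has elapsed after publication.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone

# Assumed rollout parameters: 24 slots spaced one hour apart, so a full
# rollout takes a day and each package lands in a fixed position within it.
SLOTS = 24
SLOT_INTERVAL = timedelta(hours=1)

# Constructed sample publication time used by the demo below.
PUBLISHED = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def normalise_name(package_name: str) -> str:
    """Normalise a package name so spelling variants hash identically.

    Assumed rule (mirrors common index practice): case-insensitive, with any
    run of '-', '_' or '.' treated as a single '-'. Without this a publisher
    could pick a different slot simply by re-spelling the name.
    """
    return re.sub(r"[-_.]+", "-", package_name).lower()


def rollout_slot(package_name: str, slots: int = SLOTS) -> int:
    """Map a package name to a stable slot in [0, slots).

    SHA-256 of the normalised name, reduced modulo the slot count. The
    input is fixed by the name itself, so there is nothing to rotate.
    """
    digest = hashlib.sha256(normalise_name(package_name).encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % slots


def available_at(package_name: str, published: datetime) -> datetime:
    """Time at which a release published at `published` becomes visible."""
    return published + rollout_slot(package_name) * SLOT_INTERVAL


def is_available(package_name: str, published: datetime, now: datetime) -> bool:
    """Whether installers should be able to see the release at time `now`."""
    return now >= available_at(package_name, published)


def rollout_schedule(package_names, published: datetime):
    """Order a batch of releases published at the same time by visibility.

    Returns (available_at, slot, name) tuples, earliest first, which is the
    view an index operator would use to see how a batch spreads out.
    """
    rows = [(available_at(n, published), rollout_slot(n), n) for n in package_names]
    return sorted(rows)


if __name__ == "__main__":
    # Constructed sample batch of names, all "published" at PUBLISHED.
    batch = ["requests", "numpy", "Foo_Bar", "foo-bar", "left-pad"]
    for when, slot, name in rollout_schedule(batch, PUBLISHED):
        print(f"{name:10s} slot={slot:2d} visible from {when.isoformat()}")
```

Note that `Foo_Bar` and `foo-bar` get the same slot because normalisation runs before hashing; that equivalence, not the hash function, is what closes the "rename to re-roll" loophole the comment alludes to.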