How do you verify a package is not malicious? in GCentral
Posted September 17, 2020

Howdy y'all,

Thanks for your input. Please keep it coming! I'm trying to minimize my interactions with this thread so as not to inadvertently skew the conversation. I love the technical aspect of this conversation. Sounds like so far in this conversation we're exploring the "How can we do this?" question.

I'd like to propose the following additional set of questions to summarize the virtual coffee conversations we've been having and hopefully merge the conversations (mentioned by Stagg54) in the first post.

To summarize, here is the logic / set of questions that has arisen:

The primary question: "How do I (as a consumer of code) prevent unwanted effects from code I download?"

This leads to responsibility:
- Who is responsible for preventing unwanted effects of code?
- How do the responsible parties prevent unwanted effects of code?

There seem to be two ways to prevent unwanted effects:
- Prevention: don't distribute bad code.
- Mitigation: As a user, I have bad code. I need to remove it.

Mitigation spawns two more questions:
- How to notify people so they can remove bad code?
- Should people be forced into a system so they can be notified?

I'm not suggesting answers to those questions, but I want to also throw them into our calculus. Please feel free to comment on those questions and keep the conversation rolling.