Since we are starting a new ecosystem of libraries that is meant to live long, I wonder if we can put in some security mechanism as an improvement. Currently the JAR ecosystem’s security leans on transport security via HTTPS. Sonatype OSS requires GPG signatures, but it’s not a universal requirement, and I don’t think people actually do anything with the signatures.
The TASTY ecosystem I propose should build the notion of a GPG signature in, for example as part of the file header. This information should be used by the tooling at important checkpoints, for example the first time you download the file, or when you re-compile the file to bytecode. For development purposes, this check might be disabled, but I think it would be safer if the default behavior is that we check the fidelity of the TASTY files.
What do you think?
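A sketch of the checkpoint described above, added here as an illustration and not code from the proposal or from the TASTY tooling. The container layout (`TSTY` magic, length-prefixed signature, body) is an assumption, and an HMAC under a constructed key stands in for the GPG detached-signature check so the script runs offline; the point it shows is the verify-by-default policy with an explicit development opt-out.

```python
import hmac
import struct

# Constructed container layout (an assumption, not the real TASTY format):
#   magic | sig_len (big-endian u16) | signature | body ; signature covers body
MAGIC = b"TSTY"

def pack(body: bytes, sign) -> bytes:
    sig = sign(body)
    return MAGIC + struct.pack(">H", len(sig)) + sig + body

def unpack(blob: bytes):
    if len(blob) < 6 or blob[:4] != MAGIC:
        raise ValueError("not a signed container")
    (sig_len,) = struct.unpack(">H", blob[4:6])
    sig, body = blob[6:6 + sig_len], blob[6 + sig_len:]
    if len(sig) != sig_len:
        raise ValueError("truncated signature")
    return sig, body

def load(blob: bytes, verify, enforce: bool = True) -> bytes:
    """Checkpoint run on first download and before recompiling to bytecode.
    verify(body, sig) -> bool is the pluggable check (GPG in the proposal);
    enforce=False is the explicit development opt-out, strict is the default."""
    sig, body = unpack(blob)
    if not verify(body, sig) and enforce:
        raise ValueError("signature check failed; refusing to load")
    return body

# Stand-in signer/verifier: HMAC-SHA256 under a constructed key. It only models
# "a signature over the body"; a deployment would verify a GPG detached
# signature against the publisher's public key instead.
_KEY = b"constructed-demo-key"

def demo_sign(body: bytes) -> bytes:
    return hmac.new(_KEY, body, "sha256").digest()

def demo_verify(body: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(demo_sign(body), sig)

def tamper_is_rejected() -> bool:
    blob = bytearray(pack(b"class Foo", demo_sign))
    blob[-1] ^= 0x01  # corrupt the body after signing
    try:
        load(bytes(blob), demo_verify)
    except ValueError:
        return True
    return False
```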