
The drug store was kind of like that in Endicott when I was a kid: when the druggist was out for lunch, the sign asked you to put what you owed in the basket next to the register. I asked my grandmother why people didn't just take stuff out of the store, and she said, "Oh no, everyone likes the druggist, no one would want to inconvenience him like that," and so the community was small enough that the trust metric was simply that we liked the guy behind the counter.

It isn't like that today, and Endicott is quite a bit larger than it was then, and people are sadly a lot less neighborly than they were when I was a kid (could be nostalgia though).

I believe the trust issue was "resolved" by locking the store when the pharmacist was out, and eventually raising prices so that they could pay the salary of someone to be there to help.

And so it is with the PyPI community, everyone is trusting everyone not to do anything bad. And that is a perfectly reasonable strategy, you just have to accept the risk that comes along with it. Sometime in the future something bad could happen if someone chooses to violate that trust.

Now in a classic vulnerability analysis you'd ask "What is the motive or payoff?" You don't put a steel vault door on your home because chances are if somebody wants into your house that badly they are going to come through the window. You accept a certain amount of risk, perhaps you have a home safe for really valuable stuff and insurance for the rest.



Indeed. As long as we're recommending Schneier's books, his most recent ("Liars & Outliers") would also seem quite relevant.



