Even the simplest sha256 check would improve the situation, if nothing else. The ReactOS Applications Manager is a lot more secure
by design compared to all of the afforementioned package managers just by the hash check alone.
+## So, don't share code at all?
+I never said that. There is nothing wrong with sharing code, but code should still be under scrutiny, be it open or not, it must be
+audited before being integrated into a project and re-checked on updates. Personally, my interests align for open source being a net
+positive - I share [scripts for projects I do](/ssh-alerts-landchad-style/) and even the [source code for this very website.](https://git.based.quest/?p=web-hugo.git;a=shortlog;h=HEAD)
+
+If you fork a project using the above advice, please respect the license terms, give credit where due and if feasible, open a pull
+request upstream with your improvements.
+
## Okay, but how does the industry "never learn"?
Simple, the package managers are still growing in popularity, there is no blowback, new developers are still being lead to use
NPM, PyPi, Rust crates, public CDN CSS/JavaScript libraries, etc. There is no practice of auditing the code you are pulling at all.
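Review bot: the second added line of this hunk runs three clauses into one sentence ("code should still be under scrutiny, be it open or not, it must be audited before being integrated ..."); suggest splitting it, e.g. "code should still be under scrutiny, open or not: it must be audited before being integrated into a project and re-checked on every update." Two smaller points in the same hunk: "my interests align for open source being a net positive" reads awkwardly, and "my interests align with open source being a net positive" is the intended sense; and "If you fork a project using the above advice" leaves it unclear which advice is meant, since the surrounding text argues for hash-checking and auditing rather than forking, so something like "If you fork or vendor a project after auditing it as described above" would tie the new paragraph back to the argument, with commas around "if feasible" in the same sentence. Not part of this change but visible in the surrounding context lines: "afforementioned" is misspelled, "being lead to use" should be "being led to use", and "PyPi" is normally written "PyPI".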