
In Rust we have cargo vet, where we share these audits and use them in an automated fashion. Companies like Google and Mozilla contribute their audits.


I wish cargo had gone with crev instead, which has a much better model for distributed code audits.

https://github.com/crev-dev/


It's too bad MS doesn't own npm, and/or GitHub repositories. Wait


NuGet, PowerShell Gallery, the marketplaces for VS Code/VS/AzDO and the Microsoft Store too. Probably another twenty.

They collect package managers like Funko Pops.

I'm not quite sure about the goal. Maybe some more C# Dev Kit style rug-pulls, where the ecosystem is nominally open source but MS owns the development and distribution, so nobody would bother to compete.


I took those acquisitions, and a few others like LinkedIn and all the Visual Studio versions, as a sign that Microsoft is trying to own the software engineering career as a domain.


And it's a great idea, thematically similar to Certificate Transparency.


How do you backport security fixes to vetted packages?



