
IMO package developers shouldn't be the ones managing package repositories (and duplicating ICANN's job where naming is concerned.)

Package management is an inherently political activity, and encouraging centralized package registries is, in my opinion, a bad decision in the long run. The security issues are one important problem, but sooner or later, somebody will have to deal with the "what do we do about excellent packages that many people lean on, but that come from a racist and fascist transphobe" problem. There's no good solution here; the choice is between potentially breaking a major part of your ecosystem or angering a violent pitchfork mob on social media, potentially with many corporations who are major ecosystem participants behind their backs. There are also other issues related to trademark infringement, patents, DMCA handling (and packages which are illegal to host in your jurisdiction but perfectly legal in that of their developers), and important financial contributors bullying you into taking actions that serve their interests.

A better way is to follow the lead of Go (or at least pre-module Go) and use git repositories (but not necessarily with repository-based import paths) instead of your own package registry.
