You know a platform doesn't care about security if either:
a. They don't do end-to-end integrity and non-repudiation (not signed hashes of files, not just https, not just hashes, but signed archives/files that can be verified as coming from the developer either with gpg, s/mime or x509 certs)
b. They allow packages to execute code or scripts on download or installation
And, they don't care about your time if they don't automatically offer a prebuilt, reproducible binary mechanism with a build-from-source install/verification option.