> When I started using CL 20 years ago, libraries were stored on cliki and any malicious user could put malware there. Any source you asdf-installed was generally GPG signed and the installer automatically checked signatures against your personal trust-chain.
Which, in practice, involved downloading GPG public keys from cliki because I didn't know every single CL developer.