"It is not a good indicator of trustworthiness of the actual thing you download."
I just downloaded something with malware from github.com. I indeed wanted to connect to github.com and I trust that it is Github.com. But again ... it did not say _anything_ about the trustworthyness of the _actual_ thing I did, which was to download an asset from that ___domain.
That is my point. In the context of this discussion about downloading dependencies.
"It is not a good indicator of trustworthiness of the actual thing you download."
I just downloaded something with malware from github.com. I indeed wanted to connect to github.com and I trust that it is Github.com. But again ... it did not say _anything_ about the trustworthyness of the _actual_ thing I did, which was to download an asset from that ___domain.
That is my point. In the context of this discussion about downloading dependencies.