When your code has hundreds of external library dependencies, how do you make sure that the libraries you downloaded last month during development are exactly the same as the ones you downloaded today for re-building your code?
I think we should move towards reproducible builds (e.g. Guix) or use cryptographic signing (like Debian's APT) or use the "checksum pinning" method mentioned in >>38, which I think every package manager should support if they do not have any better methods.
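The "checksum pinning" approach from the post, worked through as a small stand-alone Python example (added here, not code from the post or from any package manager it names). It assumes a lockfile shaped as name -> {version, sha256} that is written at the first, trusted download and checked on every later one; the two "archives" and their bytes are constructed in-memory stand-ins for real downloads, and `LockEntry`, `make_lockfile` and `verify_downloads` are names chosen for this example. The check deliberately catches the case the question asks about: same name and version string, different bytes.

```python
"""Checksum pinning for downloaded dependencies (illustrative example).

Assumed lockfile model (not from the original post): name -> LockEntry(version, sha256).
Artifacts are the raw bytes of a downloaded archive; the samples below are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class LockEntry:
    version: str
    sha256: str  # hex digest recorded at the first trusted download


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_lockfile(artifacts: dict[str, tuple[str, bytes]]) -> dict[str, LockEntry]:
    """Pin every artifact's version and content digest (run once, at development time)."""
    return {name: LockEntry(version, sha256_hex(data))
            for name, (version, data) in artifacts.items()}


def verify_downloads(lock: dict[str, LockEntry],
                     downloads: dict[str, tuple[str, bytes]]) -> list[str]:
    """Compare today's downloads against the lockfile.

    Returns a list of problems; an empty list means every pinned artifact is
    byte-for-byte what was pinned and nothing unpinned slipped in.
    """
    problems: list[str] = []
    for name, entry in lock.items():
        if name not in downloads:
            problems.append(f"{name}: missing from download set")
            continue
        version, data = downloads[name]
        if version != entry.version:
            problems.append(f"{name}: version {version} != pinned {entry.version}")
        digest = sha256_hex(data)
        # Constant-time comparison; a version string match is NOT enough,
        # the bytes themselves must match what was pinned.
        if not hmac.compare_digest(digest, entry.sha256):
            problems.append(f"{name}: sha256 mismatch "
                            f"({digest[:12]}... != {entry.sha256[:12]}...)")
    for name in downloads:
        if name not in lock:
            problems.append(f"{name}: not in lockfile (unpinned dependency)")
    return problems


def to_requirements_txt(lock: dict[str, LockEntry]) -> str:
    """Render the lock in the `name==version --hash=sha256:<hex>` form that
    pip's hash-checking mode (`pip install --require-hashes -r ...`) consumes."""
    return "\n".join(f"{name}=={e.version} --hash=sha256:{e.sha256}"
                     for name, e in sorted(lock.items()))


# Constructed sample data: what was fetched "last month" during development.
LAST_MONTH = {
    "libfoo": ("1.2.0", b"libfoo-1.2.0 archive bytes"),
    "libbar": ("0.9.1", b"libbar-0.9.1 archive bytes"),
}
LOCK = make_lockfile(LAST_MONTH)

# "Today": one download is identical, one has the same version string but
# altered content, and one dependency appeared that was never pinned.
TODAY_OK = dict(LAST_MONTH)
TODAY_TAMPERED = {
    "libfoo": ("1.2.0", b"libfoo-1.2.0 archive bytes + injected code"),
    "libbar": LAST_MONTH["libbar"],
    "libbaz": ("2.0.0", b"libbaz-2.0.0 archive bytes"),
}

if __name__ == "__main__":
    print(to_requirements_txt(LOCK))
    print("clean rebuild problems:", verify_downloads(LOCK, TODAY_OK))
    for p in verify_downloads(LOCK, TODAY_TAMPERED):
        print("tampered rebuild:", p)
```

The lockfile itself must be committed alongside the code and treated as trusted input; pinning a digest only moves the question from "are these the same bytes?" to "did the first download come from the right place?", which is where the signing the post mentions (APT's signed release files) and reproducible builds pick up.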