Fix your FODs - FODs and security

Is the idea then to also have globally unique names somehow? Otherwise, can’t I create a Haskell package called gcc, with version 14.3.0, and still pull off the attack?

EDIT: or is this specifically for fetchers that have hash versioning (like git), as suggested here?
