OWASP's new Software Component Verification Standard

OWASP has published a new Software Component Verification Standard. Part of it is a chapter on package management, which includes 19 different aspects:

I wonder how the Nix ecosystem fares here; surely it must be near the top, but perhaps there are some aspects that could be improved. Has anybody else looked at it?
