Somebody needs to actually monitor all those logs and find bad content. Sounds like the same faulty assumption that thousands of people are looking at the source code of open software finding bugs. This simply doesn’t scale. https://twitter.com/__agwa/status/1075431570956201984 …
Certificate Transparency has shown that this pessimism is misguided - people really do monitor CT logs. The same will be true with the Go module notary; for one thing, monitoring can be entirely automated (unlike bug finding).
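To make the "monitoring can be entirely automated" point concrete, here is an added example (not code from the Go project or from either participant above) of the two checks a log monitor runs unattended: that the log stays append-only (the prefix it already verified still hashes to the same Merkle root, and the log never shrinks), and that no module@version is ever published with two different content hashes. The log format ("module version hash" per line), the sample entries, and the Monitor type are assumptions made up for this example; the tree hashing follows RFC 6962, the construction Certificate Transparency uses.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Entry is one record of a hypothetical module transparency log
// (constructed format for this example: module path, version, content hash).
type Entry struct {
	Module, Version, Hash string
}

func (e Entry) key() string { return e.Module + "@" + e.Version }

// ParseLog parses the constructed text format, one "module version hash" per line.
func ParseLog(text string) ([]Entry, error) {
	var out []Entry
	for i, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("line %d: want 3 fields, got %d", i+1, len(f))
		}
		out = append(out, Entry{f[0], f[1], f[2]})
	}
	return out, nil
}

// leafHash and merkleRoot follow RFC 6962: leaf = SHA-256(0x00 || data),
// node = SHA-256(0x01 || left || right), left subtree = largest power of two < n.
func leafHash(e Entry) []byte {
	h := sha256.New()
	h.Write([]byte{0x00})
	h.Write([]byte(e.Module + " " + e.Version + " " + e.Hash + "\n"))
	return h.Sum(nil)
}

func merkleRoot(entries []Entry) []byte {
	switch n := len(entries); n {
	case 0:
		return sha256.New().Sum(nil)
	case 1:
		return leafHash(entries[0])
	default:
		k := 1
		for k*2 < n {
			k *= 2
		}
		h := sha256.New()
		h.Write([]byte{0x01})
		h.Write(merkleRoot(entries[:k]))
		h.Write(merkleRoot(entries[k:]))
		return h.Sum(nil)
	}
}

// Monitor remembers the tree size and root it last verified plus the hash it
// has seen for every module@version, which is all it needs to run unattended.
type Monitor struct {
	size int
	root string
	seen map[string]string
}

func NewMonitor() *Monitor { return &Monitor{seen: map[string]string{}} }

// Check ingests a fresh snapshot of the whole log and returns alerts: history
// being truncated or rewritten, or a second hash for an already-seen version.
func (m *Monitor) Check(entries []Entry) []string {
	var alerts []string
	if len(entries) < m.size {
		return append(alerts, fmt.Sprintf("log shrank from %d to %d entries", m.size, len(entries)))
	}
	if got := hex.EncodeToString(merkleRoot(entries[:m.size])); m.size > 0 && got != m.root {
		return append(alerts, fmt.Sprintf("first %d entries no longer hash to previously seen root %s", m.size, m.root[:12]))
	}
	for _, e := range entries[m.size:] { // only the new tail needs inspecting
		if prev, ok := m.seen[e.key()]; ok && prev != e.Hash {
			alerts = append(alerts, fmt.Sprintf("%s published with hash %s, earlier %s", e.key(), e.Hash, prev))
			continue // keep the first-seen hash as the reference
		}
		m.seen[e.key()] = e.Hash
	}
	m.size = len(entries)
	m.root = hex.EncodeToString(merkleRoot(entries))
	return alerts
}

// Constructed snapshots. log2 appends to log1 and re-publishes lib v1.0.0 with
// a different hash; logTampered rewrites the first entry of log1 in place.
const log1 = `example.com/lib v1.0.0 h1:aaaa
example.com/tool v0.3.1 h1:bbbb
example.com/lib v1.1.0 h1:cccc
`
const log2 = log1 + `example.com/other v2.0.0 h1:dddd
example.com/lib v1.0.0 h1:eeee
`
const logTampered = `example.com/lib v1.0.0 h1:zzzz
example.com/tool v0.3.1 h1:bbbb
example.com/lib v1.1.0 h1:cccc
`

func main() {
	m := NewMonitor()
	s1, _ := ParseLog(log1)
	s2, _ := ParseLog(log2)
	fmt.Println(m.Check(s1)) // no alerts
	fmt.Println(m.Check(s2)) // one alert: conflicting hash for example.com/lib@v1.0.0
}
```

A real monitor would fetch signed tree heads and consistency proofs instead of recomputing the root over the full log, but the alert conditions are the same, and none of them require a human to read entries.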