Secure software distribution is a hard problem. The thousands of different software update systems in use today, most of which are vulnerable to a myriad of attacks that leave the end users potentially vulnerable to compromise, are a testament to this fact. With the explosion in popularity of package managers and distributors such as RubyGems, PyPI and npm, more and more of our applications are dependent on small, reusable, modules, developed by thousands of different developers, and distributed by infrastructures outside of our control. Given that distributed systems are only as secure as their weakest link, it only takes compromising one of these modules to be able to compromise the entire infrastructure. It is time for software developers and publishers to start operating under an attack model that considers the distribution infrastructure itself as being actively malicious, and to start following best practices concerning role responsibility separation, offline storage of signing keys, and routine rotation of signing keys.