by nine_k 1236 days ago
GitHub's CI is a fine way to build binaries.

GitHub's CDN is a fine way to host binaries in a highly available manner which is also not easy to tamper with.

GitHub's project page gives instant access to source code, and to a rich README.

I don't see how GitHub in this regard is any worse than npm or PyPI.

What I would appreciate is a way to sign binaries the same way commits are signed, attesting that it was built from a particular commit, and a particular state of dependencies, by a compiler isolated from the internet. GitHub's CI runner might sign it with some private key, while a public key to check signatures would be available from github.com.

Of course that would require some cooperation from code authors, but for important code that should be manageable.

1 comment
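The signing scheme nine_k sketches above (a CI runner signs a statement binding the artifact to a commit and a dependency state, and users check it with a published public key) can be shown end to end in a few dozen lines. The following is an added example, not code from GitHub or from the commenter; the `Provenance` statement layout, the `example-ci-runner` builder name, the commit id and the lockfile contents are all constructed placeholders. It uses Ed25519 from Go's standard library for the signature and SHA-256 for the artifact and lockfile digests, and it exercises the cases a verifier must reject: a tampered download, a build from the wrong commit, and a statement edited after signing.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Provenance is a hypothetical statement the CI runner signs, binding the artifact to its build inputs.
type Provenance struct {
	ArtifactSHA256  string `json:"artifact_sha256"`
	CommitSHA       string `json:"commit_sha"`
	LockfileSHA256  string `json:"lockfile_sha256"`
	Builder         string `json:"builder"`
	NetworkIsolated bool   `json:"network_isolated"`
}

// SignedProvenance is published beside the binary; the statement bytes travel verbatim, so no canonicalization is needed.
type SignedProvenance struct {
	Statement []byte `json:"statement"`
	Signature []byte `json:"signature"`
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Attest is the CI-side step: hash the inputs, build the statement, sign it with the runner's private key.
func Attest(priv ed25519.PrivateKey, artifact, lockfile []byte, commit, builder string, isolated bool) (SignedProvenance, error) {
	stmt, err := json.Marshal(Provenance{
		ArtifactSHA256: sha256Hex(artifact), CommitSHA: commit,
		LockfileSHA256: sha256Hex(lockfile), Builder: builder, NetworkIsolated: isolated,
	})
	if err != nil {
		return SignedProvenance{}, err
	}
	return SignedProvenance{Statement: stmt, Signature: ed25519.Sign(priv, stmt)}, nil
}

// Verify is the user-side step: check the signature with the publisher's public key, then the downloaded bytes, the expected commit and the isolation claim.
func Verify(pub ed25519.PublicKey, sp SignedProvenance, artifact []byte, wantCommit string) (Provenance, error) {
	if !ed25519.Verify(pub, sp.Statement, sp.Signature) {
		return Provenance{}, fmt.Errorf("signature does not verify against publisher key")
	}
	var p Provenance
	if err := json.Unmarshal(sp.Statement, &p); err != nil {
		return Provenance{}, err
	}
	switch {
	case sha256Hex(artifact) != p.ArtifactSHA256:
		return Provenance{}, fmt.Errorf("downloaded artifact does not match statement hash %s", p.ArtifactSHA256)
	case p.CommitSHA != wantCommit:
		return Provenance{}, fmt.Errorf("built from commit %s, expected %s", p.CommitSHA, wantCommit)
	case !p.NetworkIsolated:
		return Provenance{}, fmt.Errorf("builder %q did not attest to a network-isolated build", p.Builder)
	}
	return p, nil
}

// DemoRoundTrip runs the flow on constructed inputs with a fresh key pair; a real runner would hold a long-lived key.
func DemoRoundTrip() (map[string]bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	artifact := []byte("constructed sample release binary")                  // constructed
	lockfile := []byte("[[package]]\nname = \"foo\"\nversion = \"1.2.3\"\n") // constructed lockfile
	commit := "0123456789abcdef0123456789abcdef01234567"                      // placeholder commit id
	sp, err := Attest(priv, artifact, lockfile, commit, "example-ci-runner", true)
	if err != nil {
		return nil, err
	}
	r := map[string]bool{}
	_, err = Verify(pub, sp, artifact, commit)
	r["good_accepted"] = err == nil
	tampered := append([]byte(nil), artifact...)
	tampered[0] ^= 0x01 // one flipped bit in the download
	_, err = Verify(pub, sp, tampered, commit)
	r["tampered_artifact_rejected"] = err != nil
	_, err = Verify(pub, sp, artifact, "fedcba9876543210fedcba9876543210fedcba98") // placeholder
	r["wrong_commit_rejected"] = err != nil
	edited := SignedProvenance{Statement: bytes.Replace(sp.Statement, []byte("true"), []byte("false"), 1), Signature: sp.Signature}
	_, err = Verify(pub, edited, artifact, commit)
	r["edited_statement_rejected"] = err != nil
	return r, nil
}

func main() {
	r, err := DemoRoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Println(r)
}
```

The `edited` case flips the `network_isolated` claim in the signed statement to `false` while keeping the original signature, which is exactly the kind of after-the-fact edit the signature is there to catch. Everything the scheme offers rests on two things the code cannot supply: the verifier must obtain the public key through a channel it already trusts (the comment proposes github.com itself), and the private key must stay inside the runner, since anyone holding it can attest to anything.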

with npm:

    $ npm install foo # or
    $ npx foo
with GitHub:

    Find repository
    Click latest release, downloads to ~/Downloads
    $ tar -xvzf ~/Downloads/some.tar.gz
    $ cp foo/bin/foo /usr/local/bin
As clearly laid out in the article, the Rust equivalent to npm install is

    cargo install foo

The entire point of providing downloads is for people who don't have dev tools already installed.