Before we had the fediverse - long before it - we had Usenet: people conversing globally in email-shaped units. It was shared and synched.
It was awesome. Questions answered, points debated, everything you wanted.
I don't think the fediverse is a magical solution, but it does have a familiar feel to it. Not as good when it comes to spelling, but "it's just the web," so the rules are maybe different.
This is fine.
It's a signed archive of deployable files along with metadata. Usually a cpio archive (which is similar to a tarball) with that extra signature wrapper and metadata (which, itself, should be a list of files and checksums).
A proper package can validate a project's installation, either from the local database or from remote resources, at any time, which gives positive assurance that what is installed is what should be installed.
As well, proper package info is exported by SNMP to be consolidated centrally and to validate what is versus what should be installed at the group level.
TL;DR? Like a tarball with tracking info, signatures, checksums, and top-to-bottom validation. If it's a good package, anyway.
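To make the "top-to-bottom validation" above concrete, here is an added example (not the commenter's, and not any package manager's real code) that builds a toy package manifest of files and SHA-256 checksums, signs the manifest, and then verifies an installed tree against it. An HMAC with a shared key stands in for the GPG signature a real RPM carries; that substitution, the key, the file contents and the temp-directory layout are all constructed for the demo. On an actual RPM system the equivalent checks are `rpm -K some.rpm` (signature and digests of the archive) and `rpm -V somepkg` (installed files against the local database).

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed demo key; in a real package this role is played by the
# vendor's GPG signing key, not a shared secret.
DEMO_KEY = b"constructed-demo-signing-key"


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """The package's metadata: relative path -> expected checksum."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def sign_manifest(manifest, key):
    """Serialise the manifest canonically and tag it (stand-in for a GPG signature)."""
    payload = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload, tag


def verify_install(root, payload, tag, key):
    """Check the signature first, then every file listed in the manifest.

    Returns (signature_ok, [(relpath, status), ...]) with status one of
    'ok', 'modified', 'missing'. An unsigned or forged manifest yields no
    per-file results at all, because its checksums cannot be trusted.
    """
    expected_tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        return False, []
    manifest = json.loads(payload)
    results = []
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, *rel.split("/"))
        if not os.path.exists(full):
            results.append((rel, "missing"))
        elif sha256_file(full) != expected:
            results.append((rel, "modified"))
        else:
            results.append((rel, "ok"))
    return True, results


def demo():
    """Install a constructed two-file package, verify it, tamper, verify again."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr", "bin"))
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "usr", "bin", "tool"), "wb") as f:
            f.write(b"#!/bin/sh\necho hello\n")          # constructed content
        with open(os.path.join(root, "etc", "tool.conf"), "wb") as f:
            f.write(b"debug=0\n")                        # constructed content

        payload, tag = sign_manifest(build_manifest(root), DEMO_KEY)
        clean = verify_install(root, payload, tag, DEMO_KEY)

        # Simulate post-install tampering: a binary gets a payload appended,
        # and a config file is deleted.
        with open(os.path.join(root, "usr", "bin", "tool"), "ab") as f:
            f.write(b"echo pwned\n")
        os.remove(os.path.join(root, "etc", "tool.conf"))
        tampered = verify_install(root, payload, tag, DEMO_KEY)

        # An attacker who also rewrites the manifest to match the new
        # checksums still fails, because the old tag no longer covers it.
        forged_payload = json.dumps(build_manifest(root), sort_keys=True).encode()
        forged = verify_install(root, forged_payload, tag, DEMO_KEY)

    return {"clean": clean, "tampered": tampered, "forged": forged}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The signed manifest is what lets the same check run "from the local database or from remote resources": the verifier does not care whether `payload` and `tag` came from a local package database or were fetched from the repository, as long as the signature checks out before any checksum is trusted.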