Opening this issue to note the existing recommendations in OSSF's [implementation guidance for build provenance](https://repos.openssf.org/build-provenance-for-all-package-registries):

> The registry web UI should convey to consumers that a package has provenance, but not that it is automatically trustworthy. Remember, build provenance just provides links back to the source code and build instructions. Package consumers still need to follow those links to assess trustworthiness. We recommend providing literal links back to the source code, build instructions, and transparency log entry of the build provenance.
>
> Here is what that looks like on the npm registry:
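To make the quoted recommendation concrete, here is an added example (not code from the issue author, OpenSSF, or the npm registry) of how a registry could derive the three "literal links" from the provenance it already holds. It assumes a Sigstore bundle whose DSSE payload is an in-toto statement with a SLSA v1 predicate, the shape npm publishes; the repository, workflow path, commit digest and log index in the sample are constructed placeholders, not a real package's data.

```python
"""Derive consumer-facing provenance links (source, build instructions,
transparency log entry) from a SLSA v1 provenance attestation.

Added example; not the page's or OpenSSF's code. The sample bundle below is
constructed: its repository, commit, workflow path and log index are placeholders.
"""
import base64
import json
import re

SLSA_V1 = "https://slsa.dev/provenance/v1"
GITHUB_PREFIX = "https://github.com/"

# Constructed sample in-toto statement carrying SLSA v1 provenance.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "pkg:npm/example-pkg@1.2.3", "digest": {"sha512": "00" * 64}}],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "externalParameters": {
                "workflow": {
                    "ref": "refs/heads/main",
                    "repository": "https://github.com/example-org/example-pkg",
                    "path": ".github/workflows/release.yml",
                }
            },
            "resolvedDependencies": [{
                "uri": "git+https://github.com/example-org/example-pkg@refs/heads/main",
                "digest": {"gitCommit": "a" * 40},
            }],
        },
        "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
    },
}

# Constructed Sigstore bundle: DSSE envelope plus one Rekor log entry (placeholder values).
SAMPLE_BUNDLE = {
    "dsseEnvelope": {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(json.dumps(SAMPLE_STATEMENT).encode()).decode(),
        "signatures": [{"sig": "placeholder"}],
    },
    "verificationMaterial": {
        "tlogEntries": [{"logIndex": "12345678", "logId": {"keyId": "placeholder"}}],
    },
}


class ProvenanceError(ValueError):
    """Raised when the attestation is not a usable SLSA v1 provenance."""


def provenance_links(bundle: dict) -> dict:
    """Return the source, build-instructions and transparency-log links for a bundle.

    Caveat: this only extracts links. It does not verify the DSSE signature or the
    Rekor inclusion proof; a registry must do that before labelling anything as provenance.
    """
    env = bundle.get("dsseEnvelope") or {}
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ProvenanceError("not an in-toto DSSE payload")
    stmt = json.loads(base64.b64decode(env["payload"]))
    if stmt.get("predicateType") != SLSA_V1:
        raise ProvenanceError(f"unsupported predicateType {stmt.get('predicateType')!r}")

    build = stmt["predicate"]["buildDefinition"]
    wf = build["externalParameters"]["workflow"]
    repo = wf["repository"].rstrip("/")
    if not repo.startswith(GITHUB_PREFIX):
        # Other forges use other URL layouts; refuse rather than guess.
        raise ProvenanceError(f"unrecognised source host in {repo!r}")

    # Pin the links to the exact commit that was built, not to a movable branch ref.
    commit = None
    for dep in build.get("resolvedDependencies", []):
        if dep.get("uri", "").startswith("git+" + repo):
            commit = dep.get("digest", {}).get("gitCommit")
            break
    if not commit or not re.fullmatch(r"[0-9a-f]{40}", commit):
        raise ProvenanceError("no 40-hex gitCommit digest for the source repository")

    entries = bundle.get("verificationMaterial", {}).get("tlogEntries", [])
    if not entries or not str(entries[0].get("logIndex", "")).isdigit():
        raise ProvenanceError("no transparency log entry in bundle")
    log_index = int(entries[0]["logIndex"])

    return {
        "source": f"{repo}/tree/{commit}",
        "build_instructions": f"{repo}/blob/{commit}/{wf['path'].lstrip('/')}",
        "transparency_log": f"https://search.sigstore.dev/?logIndex={log_index}",
    }


if __name__ == "__main__":
    for label, url in provenance_links(SAMPLE_BUNDLE).items():
        print(f"{label}: {url}")
```

The function deliberately fails closed: if the commit digest or log entry is missing, the UI should show nothing rather than a link to a branch tip that may no longer match what was built.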