You list the packages and trust their authors. That's pretty much the definition of software packages - unless you've got a sandbox for dependencies. What other model do you have in mind?