Hi Jan,
Thanks for your interest and work. I am currently quite occupied with getting ready
for my next year of studies, so I will only briefly address your points:
The short of it is that the dist tarball does not always contain the actual source code.
Examples of this include generated code, minified code, etc.
The devDependencies are, in these cases, the things we need to be able to actually
build the package. Examples of this include gulp, grunt, and several testing frameworks.
For simple packages, the difference between an npm tarball and a GH tarball/repo is
non-existent. I made the choice to skip the npm tarball because I'd rather err on the
side of caution, and not let people download and run these non-source
packages by accident ;-).
I will have more time to see this through next week.
- Jelle