brainwane: Some enterprises, in the wake of #xz, are focusing on their metrics for #opensource dependencies they ingest... rather than investing money, developer time, or other resources* to directly support maintainers.
But as I mentioned to a friend recently:
If downstreams do not provide at least as much support as a motivated attacker would, we're likely to continue to get these kinds of outcomes - & to be deceived, as attackers shape their efforts to trick the metrics.