Oh. And before any of you lay any blame on the maintainers of these open source project.
How many of you have blindly installed stuff by running curl | sudo bash ?
Did you verify the binaries and the code the bash script ran/installed? How did you confirm trust on those binaries?
Xz is the oss supply chain attack we know about. You can guarantee there are many many more. How we manage installation, and dependency's should perhaps have a little more thought...
