@mjg59 Like I look at this and the problem I see is not "you can use M4 to inject code into a tarball from github" but rather "our entire supply chain is a hodgepodge of dissimilar parts awkwardly gasketed together, and someone found one of the many parts of that supply chain that is out-of-sight/confusing enough that a Bad patch could be put there without anyone noticing for quite some time"