I think the #xz incident is teaching us that our infrastructure is dangerously fragile in the face of well-organized/funded attackers. The response isn’t “try harder” or “donate to your OSS project”, it needs to be institutional, professional, and at scale.
So, here’s my proposal, called “OSQI”, aimed at starting a how-to discussion: https://www.tbray.org/ongoing/When/202x/2024/04/01/OSQI