@mattly I have so much to quibble with here, but I just have to endorse your key insight that IT IS NOT A SUPPLY CHAIN and the "supply chain" verbiage and assumptions are corrosive and they chafe a little more every time I hear them.
However, you *should* turn on 2FA on GitHub (and everywhere else) because of the position of social and infrastructural trust that your packages place you into. I really want better language to describe this role that isn't "supply chain" based, but I don't have it.