By all means invest in lifecycle security tools; BOMs are nice and package signature checks keep out the simple attacks. But they don't solve the deep social issue: mass collaboration at a planetary scale seems to be beyond the capabilities of our fragile brains. We are too easily taken in by things which appear to be a person who shares our values. Modern open-source leadership is effectively a mental DDoS, and if that breaks down then what is going to replace it? If you think the AI coding models are advancing so well that we'll all soon just be coding via prompts alone then okay, I strongly disagree, but that's at least a consistent world view. If not, genuinely, where do we go from here? Having a thousand little webs-of-trust is not functionally better than having a million random "people", and that's being extremely generous on the scale of those webs.

I don't care if Dunbar's Number is real or what the value is, but the slippery slope has slid; whatever the limit, we are over it.