I remember a few months ago there was a discussion[1] here about how Fossil, the VCS for SQLite, should bring in a dependency on mermaid charts already.

Nothing against mermaid, but I guess supply chain attacks are hard to conceptualise until they happen. When we're shortsighted we risk our mitigations against vague but serious threat models losing out against convenience.

[1] https://news.ycombinator.com/item?id=38886344
Most of the details are out there but …

> in that he had apparently downloaded a copy of everything

… is a day in the office? I've done this, particularly at places that are "one repo == one project" organized (i.e., *not* monorepo): e.g., if I make a breaking change to a library, I'm going to update all the uses of that. Still to this day, the easiest way to do that is locally, with command line tooling.
The next time something like this happens it will be a distribution packager (Red Hat, Arch, etc.).

They'll just release a package that has extra code compared to a clean build from source.
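The defensive counterpart to the scenario in that comment is to rebuild the package from source yourself and diff the result against what the distribution shipped. The script below is an added example written for this thread, not code from any commenter or any distribution's tooling; it compares two directory trees by SHA-256 and reports files that are extra, missing or modified in the shipped tree. The `demo()` function constructs a throwaway "clean build" and "shipped package" in a temporary directory, with one injected extra file and one altered library, purely as sample input; `libfoo.so` and `helper.so` are made-up names.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_digests(root):
    """Map each file under root (relative POSIX path) to the SHA-256 of its contents."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_trees(clean_build_dir, shipped_package_dir):
    """Report what the shipped tree contains beyond, short of, or different from the clean build.

    Any entry in 'extra' or 'modified' is something the source alone does not account for
    and deserves a closer look (build-time injection, patched binaries, stray files).
    """
    clean = tree_digests(clean_build_dir)
    shipped = tree_digests(shipped_package_dir)
    common = clean.keys() & shipped.keys()
    return {
        "extra": sorted(set(shipped) - set(clean)),
        "missing": sorted(set(clean) - set(shipped)),
        "modified": sorted(p for p in common if clean[p] != shipped[p]),
    }


def demo():
    """Constructed sample: a clean build next to a shipped package with one extra
    file and one altered library. The byte strings stand in for real binaries."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        shipped = Path(tmp) / "shipped"
        for d in (clean, shipped):
            (d / "lib").mkdir(parents=True)
            (d / "bin").mkdir()
            # Identical in both trees: should not be reported.
            (d / "bin" / "tool").write_bytes(b"#!/bin/sh\necho tool\n")
        # Same path, different contents: reported as modified.
        (clean / "lib" / "libfoo.so").write_bytes(b"\x7fELF-clean")
        (shipped / "lib" / "libfoo.so").write_bytes(b"\x7fELF-clean-plus-extra")
        # Present only in the shipped package: reported as extra.
        (shipped / "lib" / "helper.so").write_bytes(b"\x7fELF-extra")
        return compare_trees(clean, shipped)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the "clean" side comes from a build you control (ideally a reproducible one, so that timestamps and build paths do not show up as false positives), and the "shipped" side is the unpacked distribution package; an empty report is the condition you want before trusting the package over the source.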
I don't doubt that this happened, but if you use e-verify and fill in Form I-9 how does this happen? I'm in the middle of hiring an F-1 student on OPT and I need to look at his EAD and verify it's not fake according to my lawyer. So I do. Nice and easy.