Google wants new rules for ‘critical’ open source packages - These would make supply chain attacks more difficult and generally improve security throughout the ecosystem, but the rules are onerous on the package maintainers. The article notes that open source should be more secure, but that assumes that people are actually looking at the code. Something that occurs to me now is that it also assumes the people looking at the code are the ‘good’ guys, but isn’t it much more likely that the people looking at the code in a lot of detail are mostly going to be the so-called ‘bad’ guys? Where’s the incentive for the ‘good’ guys to be thoroughly examining the code? (www.zdnet.com)