Do you want to stop "supply chain compromises" as a company? Here's a very simple way to do so: pay a stipend to a maintainer of something you depend on.
You don't really need dependency tracking tools. You don't need to exactly parcel out the 'right' proportionate amount of money to every maintainer. All of that operational complexity is unnecessary.
It doesn't even matter *which* maintainer you pick, as long as it's one who isn't receiving a stipend yet, and you pay them enough to constitute a salary.
It will cost you exactly one developer salary. If every able company does this, the problem of supply chain compromises is solved tomorrow.
All you need to do is simply *do it*, and talk about it so that other companies will too.
@joepie91@social.pixie.town while this would make it less likely it would in no way stop supply-chain attacks.
@tomasekeli The toot is deliberately simplified; the unstated context is "... within the trust model that corporations typically operate in" (which is based on reputation and popularity, and that is where 'insufficiently supported maintainers' are the #1 risk factor).
There are other types of supply chain compromises, but they are often effectively prevented by existing mechanisms already; it's specifically this one that is near-completely immune to those mechanisms.
