"the underlying root cause of most supply chain attacks in this era seems to be expecting something of value in exchange of nothing."

I do not think that someone's status as a contributor to open source mediates their safety from supply chain attacks. Big companies that donate gobs of money get hit, and so do small operators who have contributed nothing are just trying out a hobby project.

▲

TZubiri an hour ago | parent [-]

No I don't think so either, nor do I think that my rule is a hard rule, it's more of a correlation:

If you pay for software, your supply chain risk is reduced, if you don't pay for software, your risk is increased.

	▲	asdfasgasdgasdg an hour ago \| parent [-]
		Okay, so we agree that everyone who uses open source is at risk, regardless if of they're a contributor. But maybe we disagree about this other thing. I'm not certain that closed source/paid software is less of a risk either. There have been high profile incidents lately that suggest this is not a sufficient defense. Personally I just think you're barking up the wrong tree with this pay/contribute=>reduced risk link. I don't think there's anything there. I will grant that you are at slightly less risk from software you know well and contribute to directly, but that's only of any help for very low level stuff that doesn't have many dependencies.