Hello. You missed the point I was making drastically. Of course for software that I build personally I can do all that, but not for all the random stuff in my system that I’m trusting maintainers to package for me, or otherwise good PKGBUILDS in the AUR. You physically cannot have the bandwidth to be on top of these supply chain issues all the time.
replyAlso, semantic versioning is not some golden goose that fixes this issue, update embargoes help, but that doesn’t require semver. Vendoring dependencies is not a scalable solution for all the software people use.
> You physically cannot have the bandwidth to be on top of these supply chain issues all the time
reply> semantic versioning is not some golden goose that fixes this issue
Nothing is a golden goose, however semver is designed to limit the scope of incoming changes so you have a chance of staying on top.
> Vendoring dependencies is not a scalable solution for all the software people use.
There are literally three ways to deal with these supply chain issues:
1. Allocate the bandwidth yourself
2. Buy that bandwidth
3. Yolo
What a weird way to virtue signal.
reply