> The more malicious seeds are planted, the higher the likelihood that one of them will be pulled into a real-world build pipeline.
Sure, but you still need to show the impact. Not all "seeds" are equal; that's why we categorize attacks as either opportunistic or targeted (and within that, there's the kind of "lazy" opportunism of package spam versus "motivated" opportunism of trying to trick developers into using a specific compromised package).
(And to be clear, I'm not ignoring the risk here! I believe we can do better about qualifying the risk, which does exist.)
In a world where PR-focused organizations (not saying it's right or that's how it should be, but that 'it do be like it is') actively work to hide breaches on occasion? Should they not publicly success a win and support 'open source' while celebrating a dub, while giving them a sales tool / credibility?