Reply to post:

Google's got a plan to secure software supply chains

iron

That is all very nice, but it has one fatal flaw: you have to trust Google.

What is to stop a "rogue engineer" from tracking who is using these repos? Or even adding tracking code to the packages themselves?

Then you must consider the lifecycle of the average Google product.
