<p>Few of the mooted software supply-chain defences would have prevented this, as the attacker was a (relatively) long-term maintainer, was not averse to using sockpuppet accounts and was careful to hide their exploit from automated tools.</p><p>Worse, many of the solutions being offered increase the workload on maintainers. But maintainer burnout was a key factor in this incident. We need to find a way to support maintainers while being proscriptive or paternalistic.</p><p>3/n</p>