Fifty Years of Open Source Software Supply Chain Security
https://queue.acm.org/detail.cfm?id=3722542
Debian’s relaxing of sshd’s dependency posture (patching sshd to link against libsystemd, which in turn pulls in liblzma) was the key enabler for the xz backdoor, and it is also why the impact was limited to distributions that carry that patch: Debian and Debian-based systems such as Ubuntu, plus Fedora, which is not Debian-based but patches sshd the same way. Distributions that build sshd without that dependency, such as Arch, Gentoo, and NixOS, were not exposed through sshd even where they shipped the tampered xz release.
A good reminder of the status quo for wrangling dependencies, and of how we can do better by design even though software will always be imperfect.