I definitely don’t meant to over simplify — this attack was brutal and defeated massive amt of defenses built by extraordinarily good eng teams, who successfully protect >100B (world class leaders). But this particular problem (mutable software supply chain attack) is something I’ve been railing about for >12y (others for >50y) — and it’s frustrating to see it not taken seriously enough yet. When will we learn? I do mean that we need hash-linked, signed, and audited links between *every* piece of code. *every* mutable piece of code is an attack leverage point.