Because nobody’s really paying attention.

“LGTM!”



Generally yes, but ripping all conditions out of SECURITY.md should at least raise an eyebrow?


Nobody was watching. Plain and simple.

If you have commit access to it, and nobody is there to see, nothing stops you.


Yes, but if that’s the sentiment, how is this not as problematic as the npm ecosystem?


It’s similarly problematic but on a somewhat smaller scale and with fewer levels of nested dependencies.


I’m not sure this would be smaller scale? At least probably too early to tell?


I just mean fewer total packages and fewer maintainers. Linux libraries and packages don’t have the culture of making a package out of a single small function and importing it everywhere, which is part of the reason why NPM is a good case study in opportunities for supply chain attacks.


Yes, but the distribution likely depends on it, making it more widespread even without the middleman dependencies.
