Thinking further…
We don't like paying for our software dependencies, do we. We really hate it. We don't like paying the people who write the things that entire worlds of software depend on. We demand things from them to protect ourselves from *our* supply chain deficiencies without offering them anything in return.
Example: every somewhat off-target demand that maintainers of something popular turn on 2FA. Is 2FA helpful? Yes. Does it absolve you of responsibility for your own software supply chain? No. See https://blog.ceejbot.com/posts/multi-factor-panacea/
That blog post gives you a first take on what my response to Tim Bray's post is going to be.
1/N