What does the supply chain security for open source software look like? I would expect more attempts to compromise open source projects.