Am reading a "secure OSS supply chain consumption framework" that is making me wonder if framing "secure" and "consumption" as top-level goals creates a fundamental tension.

"Consume" implies "do not contribute" at a time when (as CISA and NIST both noted yesterday) deep security requires at least upstream support, if not active participation.