• Ⓜ3️⃣3️⃣ 🌌@lemmy.zip
    15 up · 1 down · 7 hours ago

    Firefox clones like LibreWolf and Waterfox greatly increase the supply chain attack risk, but they seem more and more attractive every day

      • punchmesan@lemmy.dbzer0.com
        1 up · 5 minutes ago

        I’m obviously not OP, but the first thing that comes to mind is attacks like the one that targeted xz. Open source developers are generally overloaded between demands from the community and their regular lives, and they also lack the means and ability to check the background of everyone contributing code or vying for maintainer status. This creates the risk that somebody with bad intentions works their way into a position of some power over the code that gets merged. Bigger projects with strict governance and an active community of contributors (or funding for dedicated developers to maintain control and check outside contributions) have much smaller risk in this regard.