> It's not really a supply chain when it's still yours.

I don't personally buy that, they offer a package manager in the form of nuget for example, if their products there are compromised, they're well withing normal reach to block THEIR packages, but why would they need to block the rest ?

Maybe I'm missing something dumb