I wonder which of F-Droid or individual projects' GitHub profiles are more likely to be used in a supply chain attack. How does one mitigate against that from either source?