Comment by rectang

From upthread:

> This is assuming that the audit consists of validating dependency authorship, and not the more labor-intensive approach of reviewing dependency code.

So, obviously: authors.

I took your reply of "hard no" to be a rejection of validating authors as sufficient hardening and an assertion that only line-by-line code review meets your standards. Fine, but if your answer is always going to be "doesn't matter, not good enough", we can't have a reasonable conversation about how best to validate authors.