Comment by charcircuit

Google for example uses a fork of Ubuntu. When someone decided to compromise Google employees machines via a fake npm package they were able to do so successfully. When they reported this to Google they said it was okay for employee machines to be compromised and that it was part of Google's threat model. While this may be true for large companies I don't think the French government is ready to handle such a security model.