There's an interesting question raised in an issue in the git-scm.com repo that I think would benefit from input from community folks here. The link is:

  https://github.com/git/git-scm.com/issues/1774#issuecomment-1504829495

but the tl;dr is:

  From a supply chain perspective, what are our criteria for linking to a third party's pre-built binaries from git-scm.com?

Obviously we don't want to point people at malicious or trojaned binaries. But we probably also bear some responsibility for making sure the third party has reasonable security practices themselves.

I don't have a strong opinion myself, and this is probably a giant can of worms. But it seemed like the kind of thing that should be getting attention from the greater community, and not just languishing in that repo (both to set a policy for new requests, but also maybe to evaluate existing binaries we point to).

-Peff