I think it is pretty easy to see how this sort of thing happens:

1. Someone decides that we need an inventory of all the libraries used (iirc a requirement for some certifications and generally not a bad practice)
2. A system (/excel sheet) is enrolled where you have fields like $our_product, $library_used, $vendor_email
3. A dev, not quite understanding the point, dutifully fills in the data for the project they are working on
4. No-one reviews the data
5. Crisis strikes, so mass-send email to all vendors asking how they are handling it

Problem here is around point 4; for the process to work, someone should have reviewed the data to check that the used libraries are from vendors with some sort of support arrangement. I think the reply they provided is pretty promising; it makes it sound like they wanted to be a customer but are not, only due to an oversight.
There is a large time gap between 4 and 5 - and it seems everyone forgets who they hired for that supply chain "analysis" many moons ago.