> It’s about as non-approved as ad hoc shell scripts.
That's not a fair comparison. There's a big difference between your own ad hoc shell script (or command line or whatever) that you fully understand, and downloading and running third party code without any kind of audit.
Meanwhile, the industry keeps talking about "software supply chain".
`src/gam/__init__.py` alone is over 3 MB of code that's not from `google-api-python-client`. Combine all the ad hoc shell scripts I've ever written and it probably wouldn't be that much.