[troutwine]

> It's busy-work that provides no business benefit, but-for our supplier's problems.

I dunno, if I were paying for a particular quality-of-service I'd want my requests authenticated so I can make claims if that QoS is breached. Relying on public pulls negates that.

Making sure you can hold your suppliers to contract terms is basic due diligence.

[rjst01]

It is a trade-off. For many services I would absolutely agree with you, but for hosting public open-source binaries, well, that really should just work, and there's value in keeping our infrastructure simpler.