by Gowiem 233 days ago
That's a reasonable take! Yes, there are tradeoffs and there are bad OSS actors (like Bitnami) that make it hard to state anything in this realm as a hard truth.

In this article, I'm fairly focused on the Terraform + OpenTofu IaC child module ecosystem in which I'm not aware of anyone who has done that sort of rug pull. I get your point though and that is why I included the "How you should evaluate good OSS" steps towards the end of the article. Hopefully that helps folks pick good packages...


In Terraform/OpenTofu you just run into unreliable providers, third-party providers that make your supply chain a little questionable, or providers with half-broken APIs that weren't ever intended to be called via Terraform. (How many hash-pin their binary third-party providers? https://github.com/nix-community/nixpkgs-terraform-providers... is still open after 2 years.)

Not just bad FOSS actors, things just fall apart in every ecosystem over time as actors stop contributing.

More dependencies = more problems. Long dependency chains mean more dependencies. IaC generally doesn't have long chains. But you can still depend on a ton of Dockerfiles, images, charts, and the same software that gets packaged ends up with CVEs in images rather than at the library import level.
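The hash-pinning question above is something you can actually check in CI: `terraform init` / `tofu init` record each provider's version, constraint and `h1:`/`zh:` hashes in `.terraform.lock.hcl`, and a provider block with no `hashes` means the binary was never pinned. Below is an added example (not from the thread, not part of any project) that parses a constructed lock file and flags providers with no recorded hashes, plus providers outside a trusted namespace that carry no version constraint; the namespace list and the lock-file contents are assumptions.

```python
import re

# Constructed sample of a .terraform.lock.hcl (not a real project's file):
# the first provider was locked with hashes, the second was added by hand
# and never hash-pinned. Hash values are placeholders.
SAMPLE_LOCK = '''
provider "registry.terraform.io/hashicorp/aws" {
  version     = "5.40.0"
  constraints = "~> 5.40"
  hashes = [
    "h1:placeholderzipHash0000000000000000000000000=",
    "zh:0000000000000000000000000000000000000000000000000000000000000000",
  ]
}

provider "registry.terraform.io/example-org/legacy" {
  version = "0.3.1"
}
'''

# One provider block: provider "<source>" { ... } with the closing brace at column 0.
PROVIDER_RE = re.compile(r'provider\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)


def parse_lock(text):
    """Return {provider_source: {"version", "constraints", "hashes"}} from lock-file text."""
    providers = {}
    for source, body in PROVIDER_RE.findall(text):
        version = re.search(r'version\s*=\s*"([^"]+)"', body)
        constraints = re.search(r'constraints\s*=\s*"([^"]+)"', body)
        # h1: = hash of the provider zip, zh: = legacy hash of the zip contents
        hashes = re.findall(r'"((?:h1|zh):[^"]+)"', body)
        providers[source] = {
            "version": version.group(1) if version else None,
            "constraints": constraints.group(1) if constraints else None,
            "hashes": hashes,
        }
    return providers


def audit_lock(text, trusted_namespaces=("hashicorp",)):
    """Flag providers with no recorded hashes, and providers outside the
    trusted namespaces (assumed list) that have no version constraint."""
    findings = []
    for source, info in parse_lock(text).items():
        parts = source.split("/")
        namespace = parts[1] if len(parts) >= 3 else ""
        if not info["hashes"]:
            findings.append((source, "no hashes recorded; binary is not pinned"))
        if namespace not in trusted_namespaces and not info["constraints"]:
            findings.append((source, "third-party provider without a version constraint"))
    return findings
```

Run `audit_lock(open(".terraform.lock.hcl").read())` in CI and fail the job on a non-empty result; re-lock with `terraform providers lock` (or the `tofu` equivalent) for every platform you deploy from so the `h1:` hashes cover them all.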