The normalized lack of care about supply chain integrity is going pretty poorly, as any read of recent headlines indicates.
Stagex has a 100% full-source bootstrapping and reproducibility requirement that at least two maintainers must prove and sign for every package.
Stagex is also very heavily used and relied on in high-value financial and scientific applications where trusting a binary some internet rando compiled is not even remotely acceptable.
Haskell and Ada are locked out of any high-security applications until they are bootstrappable.