Arrange Act Assert

Jag Reehal's thinking on things, mostly product development

Tag: engineering-management

1 post tagged “engineering-management”.

Managed laptops do not make secure maintainers

08 Jun 2026

After a supply-chain incident, companies reach for the control they own: the device. They lock laptops down, ban personal accounts, restrict tools, and tighten policy.

That response can reduce risk. It does not secure the part that failed.

Open-source incidents do not usually begin with someone using the wrong brand of laptop. They begin with compromised accounts, weak release paths, bad credential hygiene, missing recovery plans, and maintainers who were never taught how GitHub, npm, OIDC, and publishing controls fit together.

If you secure the device and ignore the maintainer, you leave the real problem in place.
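What a weak release path and a hardened one look like side by side, as an added illustration that is not part of the post. It shows two separate GitHub Actions workflow files for the same hypothetical npm package, one publishing with a long-lived token stored as a repository secret and one publishing through GitHub's OIDC token with npm provenance. The package, workflow and environment names are placeholders, and the OIDC version assumes the package already has a trusted-publisher entry on npmjs.com that points at this repository and workflow file.

```yaml
# --- .github/workflows/release-weak.yml (added example, placeholder names) ---
# Weak release path: a static npm automation token lives in a repository
# secret. Anyone who can read it (a malicious package pulled in by `npm ci`,
# a compromised maintainer account with repo admin, a leaked log line) can
# publish from any machine, indefinitely, with nothing tying the tarball
# back to the commit that built it.
name: release-weak
on:
  push:
    tags: ['v*']
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # long-lived secret, rarely rotated

# --- .github/workflows/release-oidc.yml (added example, placeholder names) ---
# Hardened release path: no npm token is stored anywhere. The job asks GitHub
# for a short-lived OIDC token; npm verifies it against the trusted-publisher
# binding for this repo and workflow, issues a credential scoped to this run,
# and records provenance linking the published tarball to the commit and
# workflow that produced it.
name: release-oidc
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  id-token: write      # lets the job mint an OIDC token; nothing else is writable
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm-release   # optional: require an approver before this job runs
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      # Trusted publishing needs a recent npm CLI; the one bundled with the
      # runner's Node may be older, so update it before publishing.
      - run: npm install -g npm@latest
      - run: npm ci
      - run: npm publish --provenance --access public
```

The OIDC path removes the stored credential, but it moves trust to two places a reviewer should check: the trusted-publisher binding on npmjs.com (it must name exactly this repository and workflow file, not a wildcard) and the repository's own push and tag protection, since anyone who can trigger the workflow can now publish. That is why the device is not the control that matters most here: the maintainer account that owns the npm package and the GitHub repository, its 2FA and its recovery path, still decides who can change either binding.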
