How do you fix a problem like open-source security? Google has an idea tho constraints may not go down well