Like many big changes, it's often better to do small-scale testing first. That gives a chance to learn more about the failure modes before switching to a larger-scale or full changeover.
If I wanted to make the change-over, I would start with the people with a lot of experience, the ones most likely to be paid to do this extra work, and the ones most likely to be interested in supply-chain security.
That seems decently well correlated with being the most popular downloaded packages, and I can't come up with a better initial sub-population.