It’s abundantly clear from participating on the issue tracker that these weren’t “real developers” commenting. They were hateful people. The result of all this BS is a less secure implementation (separate plugin with weak IPC guarantees—I know first hand as I was one of the people trying to make sure that this new plugin direction had at least a modicum of security, despite disagreeing with the direction). No actual security or compliance people were outraged, because all their tooling is sufficient to properly manage iterm2 in regulated environments etc. etc. and no part of any security/IT professional’s or compliance officer’s security model depends on how many different binaries an application is split into. It was all hyperbolic misguided rage to the point of being harmful to the actual security posture of the app nonsense at its worst.
