
Compare the security resources of the median OS publisher with the median Go package publisher.

An OS update from Debian, Apple, or Microsoft is not the same thing as a new version tag on a random Go CLI app made by one person (or even a team of people).

Furthermore, while it is becoming much more common for OS package managers to autoupdate apps, it still isn’t the default state of affairs for most apps. OS updates are a different matter.

In any case, even without these comparisons, handing RCE to 20 organizations/developers/publishers is worse than handing it to 1 or 2.


