> It's busy-work that provides no business benefit, but-for our supplier's problems.
I dunno, if I were paying for a particular quality-of-service I'd want my requests authenticated so I can make claims if that QoS is breached. Relying on public pulls negates that.
Making sure you can hold your suppliers to contract terms is basic due diligence.
It is a trade-off. For many services I would absolutely agree with you, but for hosting public open-source binaries, well, that really should just work, and there's value in keeping our infrastructure simpler.
It's busy-work that provides no business benefit, but-for our supplier's problems.
> specific outbound IP addresses that they can then whitelist
And then we have an on-going burden of making sure the list is kept up to date. Too risky, IMO.