@GossiTheDog Fair. Certainly their plan outlines some good improvements they can make to their processes.
A glaring omission from their plan is signing of their content updates? Surely they should be signing anything they load into the kernel? Or do they already sign their files?