
Was it purposeful to make this comment also highly abstract? Not meaning this as snark just found it a funny juxtaposition.


One simple example was that I couldn’t install dependencies from public registries such as npmjs (npm) or pypi (pip). It took an approval process for an internal team to review and clone packages onto Google’s internal registry.

On the other hand, things like deployment and monitoring were so trivial and magic.

This was circa 2015.


Given supply chain attacks, that seems not only reasonable, but essential.


That's kind of standard at big companies. Even at a small scale, it is beneficial to mirror every external dependency.
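One way to enforce the mirroring described above, as an added example that is not from this thread: a check that every fetched package in an npm package-lock.json resolves to the internal mirror and carries an integrity hash. The mirror host and the lockfile contents are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Hypothetical internal mirror host; the thread names none.
APPROVED_REGISTRY_HOSTS = {"npm.internal.example"}

# Constructed sample lockfile (lockfileVersion 2 layout): one package from
# the mirror, one straight from the public registry, one with no source.
SAMPLE_LOCK = json.dumps({
    "name": "demo",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"left-pad": "^1.3.0", "ms": "^2.1.3"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://npm.internal.example/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-CONSTRUCTED",
        },
        "node_modules/ms": {
            "version": "2.1.3",
            "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
            "integrity": "sha512-CONSTRUCTED",
        },
        "node_modules/local-tool": {"version": "0.0.1"},  # no "resolved" at all
    },
})

def find_unapproved(lock_text, approved_hosts=APPROVED_REGISTRY_HOSTS):
    """Return (path, reason) pairs for entries not served by an approved mirror."""
    lock = json.loads(lock_text)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "" or entry.get("link"):
            continue  # root project or workspace symlink: nothing is downloaded
        resolved = entry.get("resolved")
        if not resolved:
            findings.append((path, "no resolved URL"))
            continue
        host = urlparse(resolved).hostname
        if host not in approved_hosts:
            findings.append((path, f"resolved from {host}"))
        if not entry.get("integrity"):
            findings.append((path, "missing integrity hash"))
    return findings

if __name__ == "__main__":
    for path, reason in find_unapproved(SAMPLE_LOCK):
        print(f"{path}: {reason}")
```

Run it in CI against the committed lockfile; any finding means a dependency bypassed the review-and-clone step.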


The review part is the pain point, far more than the mirroring.


It is a pain point, but relevant for legal liability and tracking security concerns, else you quickly have a wild west where it's unclear what kind of problems affect which team and how.


Yeah, I kind of understand what that comment is saying but also feel like it can be interpreted in so many different actual ways that it's practically useless.


It's a good CYA legal insurance policy.



