docs: slide 29 Galaxy — minimal install example, trusted-source guidance in notes

- replace specific geerlingguy example with generic
  ansible-galaxy install <namespace>.<role>
- move trusted/official/certified supply-chain guidance into speaker notes

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

index.html

@@ -1146,12 +1146,16 @@ finistdevs-web : ok=4  changed=3  unreachable=0  failed=0  skipped=0
       <li><strong>Ansible Galaxy</strong> — 10,000+ ready-made roles and collections</li>
       <li>Don't write a playbook to install Docker from scratch — someone already did</li>
     </ul>
-    <p><em>Just <code>ansible-galaxy install geerlingguy.docker</code>.</em></p>
+    <pre><code class="language-bash" data-trim>
+$ ansible-galaxy install &lt;namespace&gt;.&lt;role&gt;
+    </code></pre>
     <aside class="notes">
       <ul>
         <li>Galaxy = the package registry for reusable roles/collections.</li>
         <li>Don't reinvent common setups — pull a battle-tested role (geerlingguy is the famous example).</li>
-        <li>Huge productivity multiplier; just vet what you import.</li>
+        <li>Huge productivity multiplier — but it's a supply chain: roles run with privilege on your hosts.</li>
+        <li>Prefer trusted sources: Red Hat <strong>Certified</strong> collections and verified publishers (Automation Hub), or well-known community authors like geerlingguy. Be wary of unmaintained, low-download, single-author roles.</li>
+        <li>Pin versions in <code>requirements.yml</code> and skim the code before importing — treat it like any other dependency.</li>
       </ul>
     </aside>
   </section>