📝 Add link in the FAQ

Author: astariul

README.md

@@ -140,7 +140,9 @@ Then from `python`, you can just do :
 import tensorflow
 ```
 
-_Note : While it's possible to do like this, it's better to have a unique name for your package, to avoid confusion._
+---
+
+**But be careful about this !** While it's possible to handle it like this, it's always better to have a unique name for your package, to avoid confusion but also for [security](#a-word-about-supply-chain-attacks) !
 
 #### Q. How to download private package from Docker ?
 
@@ -180,15 +182,11 @@ RUN --mount=type=secret,id=gh_auth,dst=/root/.netrc pip install <package_name> -
 
 ## A word about supply chain attacks
 
-In the past months, several companies were compromised through PyPi supply chain attacks. Because this repository is a PyPi index, this is very much spot on.
-
----
-
 As you saw earlier, this github-hosted PyPi index rely on the `pip` feature `--extra-index-url`. Because of how this feature works, it is vulnerable to supply chain attacks.
 
 For example, let's say you have a package named `fbi_package` version `2.8.3` hosted on your private PyPi index.
 
-An attacker could create a malicious package with the same name (`fbi_package`) and a higher version (for example `99.0.0`). Then, when you run `pip install fbi_package --extra-index-url my_pypi_index.com`, `pip` will take the latest version of the package, which is the malicious package !
+An attacker could create a malicious package with the same name (`fbi_package`) and a higher version (for example `99.0.0`). When you run `pip install fbi_package --extra-index-url my_pypi_index.com`, under the hood `pip` will download the latest version of the package, which is the malicious package !
 
 ---