untitaker_ 4 days ago

I think GP is talking about a scenario where Microsoft would serve either a malicious source tree or binaries to just one user, not all of them. That would be fairly hard to detect. But in such scenarios we'd also have to start asking questions about the state of the entire CA ecosystem.

tstenner 4 days ago | parent [-]

Or detected easily with package builders like Arch Linux's makepkg that ship a hash along with the source URL. As soon as one user gets a different file, he has an alert and the compromised package for later analysis.
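An added example of the check described in the comment above (it is not the commenter's code and not makepkg itself): a POSIX shell script that pins a sha256 next to a source file the way a PKGBUILD's sha256sums=() array does, compares it after "download", and on mismatch raises an alert and moves the file into a quarantine directory instead of discarding it. The file names, contents and quarantine path are constructed for the demo so it runs offline.

```shell
#!/bin/sh
# Added example of a PKGBUILD-style source integrity check (not makepkg's code).
# The recipe pins the expected sha256 of each source file; a file substituted
# for one user then fails the check, and the substituted file is kept as evidence.

# Quarantine location for mismatching files (constructed default for the demo).
QUARANTINE_DIR="${QUARANTINE_DIR:-${TMPDIR:-/tmp}/quarantine}"

sha256_of() {
  # Portable wrapper: sha256sum (coreutils) or shasum (macOS/BSD).
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_source FILE EXPECTED_SHA256
# Returns 0 when the file matches the pinned hash. On mismatch it prints an
# alert, moves the file into $QUARANTINE_DIR under a unique name (so the
# compromised artifact survives for later analysis), and returns 1.
verify_source() {
  file="$1"
  expected="$2"
  actual="$(sha256_of "$file")"
  if [ "$actual" = "$expected" ]; then
    echo "OK    $file"
    return 0
  fi
  mkdir -p "$QUARANTINE_DIR"
  kept="$QUARANTINE_DIR/$(basename "$file").$(date +%s).$actual"
  mv "$file" "$kept"
  echo "ALERT $file: sha256 $actual != pinned $expected; kept as $kept" >&2
  return 1
}

# Demo with constructed content (hypothetical package name and contents).
demo() {
  work="$(mktemp -d)"
  QUARANTINE_DIR="$work/quarantine"
  printf 'good source tarball contents\n' > "$work/foo-1.0.tar.gz"
  # The value a recipe would pin in sha256sums=(), computed here from the good file.
  pinned="$(sha256_of "$work/foo-1.0.tar.gz")"
  verify_source "$work/foo-1.0.tar.gz" "$pinned"
  # What a targeted user would receive instead: different bytes, same URL.
  printf 'tampered contents\n' > "$work/foo-1.0.tar.gz"
  verify_source "$work/foo-1.0.tar.gz" "$pinned" || echo "mismatch detected, file quarantined"
}

demo
```

makepkg performs the equivalent comparison against the checksum arrays in the PKGBUILD. The property that matters is that the pinned value travels with the recipe rather than with the download, so a file served to one user that differs from what everyone else's recipe expects cannot pass silently, and quarantining it (rather than deleting it) is what leaves the compromised package available for analysis.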

untitaker_ 4 days ago | parent [-]

Like I said, if you assume your adversary is the US government, then they might as well start issuing rogue TLS certs to target individuals.