Has there been a single publicly known attack that would have been prevented by this?

MomsAVoxell 26 minutes ago | parent | next [-]

Why should it only be valuable if the effects were to be publicly known?

There are plenty of places in industrial computing where reproducible builds have prevented subterfuge within the organizations themselves. Injecting binaries to do inf-/exfiltration is a long-standing industrial espionage activity which is of immense value to all users of the operating system - not just the consumer users.

▲

PunchyHamster an hour ago | parent | prev | next [-]

Zero in Debian. They have enough other procedures to catch it.

Less diligent projects had it but there are easier ways to fix it

▲

LtWorf 2 hours ago | parent | prev [-]

Several actually. Pypi is regularly targeted in this way.

▲

PunchyHamster an hour ago | parent | next [-]

Hasn't happened in Debian

	▲	MomsAVoxell 25 minutes ago \| parent [-]
		“Hasn’t happened” is quite naive. It happens internally - putting unscrupulous code in a company’s distro before torching the place is a surprisingly regular occurrence in places which have long since adopted Debian as a platform host. IT departments around the globe will benefit from this immensely.

▲

charcircuit an hour ago | parent | prev [-]

But how many of those attackers also had the ability to publish a github commit but didn't to remain more stealthy.