Has there been a single publicly known attack that would have been prevented by this?
Why should it only be valuable if the effects were to be publicly known?

There are plenty of places in industrial computing where reproducible builds have prevented subterfuge within the organizations themselves. Injecting binaries to do inf-/exfiltration is a long-standing industrial espionage activity which is of immense value to all users of the operating system - not just the consumer users.

Zero in Debian. They have enough other procedures to catch it.

Less diligent projects have had it, but there are easier ways to fix it.

Several, actually. PyPI is regularly targeted in this way.

Hasn't happened in Debian.

“Hasn’t happened” is quite naive. It happens internally - putting unscrupulous code in a company’s distro before torching the place is a surprisingly regular occurrence in places which have long since adopted Debian as a platform host. IT departments around the globe will benefit from this immensely.
But how many of those attackers also had the ability to publish a GitHub commit but didn't, to remain more stealthy?

This question is meaningless. Attackers will pick the best attack if they have more at their disposal. The fact that they didn't push a commit shows it's better not to. So closing that attack is good.