You may well be hosting or linking to builds though, and if someone could replace a popular project's binary builds with one that'll compromise any machine its installed on that's a pretty big deal, especially if some of those machines are production servers.