by rectang
3501 days ago
The promise of reproducible builds divides-and-conquers the system, allowing us to validate individual components. From there, we need to be concerned about how well the source code for each component is managed. Projects have the option to only accept contributions from known entities. If your identity is public knowledge, trying to sneak a backdoor into version control is high-risk. Openness is a viable stratagem for hardening and reducing the attack surface. It does not have to be perfect to make meaningful improvements towards a layered defense.