by justinclift
2700 days ago
> I'm very curious about how this will actually work, in practice, anywhere that uses any form of source control and even a modicum of process. A capable ;) agency wouldn't target the developers. They'd target the SysAdmins who look after the build servers. With agency-backed er... malware added to the build servers, they'd be capable of adding on-the-fly exploit code to the shipped binaries. Things like reproducible builds - gaining popularity among some OSS communities for a few years now - help to at least detect this. Could be very difficult to detect for lots of situations, e.g. side-loaded mobile apps, proprietary desktop apps, likely others too.
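The detection the comment points at (reproducible builds catching a build server that alters shipped binaries) comes down to one check: rebuild the same tagged source independently and compare digests. Below is an added example of that check, written here for illustration and not code from the commenter or from any project; the artifact bytes and builder names are constructed, and the quorum rule is an assumption about how many independent rebuilds should agree before the shipped artifact is judged against them.

```python
"""Compare a shipped release artifact against independent rebuilds.

Reasoning: if several independent builders rebuild the same tagged source and
agree with each other, but the artifact from the official build server does
not match them, the divergence sits in the build infrastructure rather than in
the source tree. A lone dissenting rebuild, by contrast, points at that one
builder (non-determinism or a compromised builder), not at the release.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Verdict:
    shipped_digest: str
    consensus_digest: Optional[str]
    agreeing_builders: List[str]
    dissenting_builders: List[str]
    status: str  # "ok" | "shipped-diverges" | "no-consensus"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an artifact, hex encoded (what build attestations usually carry)."""
    return hashlib.sha256(data).hexdigest()


def compare_release(shipped: bytes, rebuilds: Dict[str, bytes], quorum: int = 2) -> Verdict:
    """Judge `shipped` against independent rebuilds of the same source.

    `quorum` (assumed policy) is the minimum number of rebuilds that must agree
    bit-for-bit before their common digest is treated as the reference.
    """
    shipped_digest = sha256_hex(shipped)
    digests = {name: sha256_hex(blob) for name, blob in rebuilds.items()}
    counts = Counter(digests.values())

    consensus_digest: Optional[str] = None
    if counts:
        candidate, votes = counts.most_common(1)[0]
        if votes >= quorum:
            consensus_digest = candidate

    agreeing = sorted(n for n, d in digests.items() if d == consensus_digest)
    dissenting = sorted(n for n, d in digests.items() if d != consensus_digest)

    if consensus_digest is None:
        status = "no-consensus"          # not enough agreeing rebuilds to decide
    elif shipped_digest == consensus_digest:
        status = "ok"                    # shipped artifact reproduces from source
    else:
        status = "shipped-diverges"      # build-server output differs from source

    return Verdict(shipped_digest, consensus_digest, agreeing, dissenting, status)


# --- Constructed sample data (not real binaries) ---------------------------
CLEAN_BUILD = b"\x7fELF-like-bytes:release-1.4.2:built-from-tag:constructed"
# Shipped artifact as it would leave a tampered build server: same source,
# extra bytes appended by the build pipeline rather than by any commit.
SHIPPED_ARTIFACT = CLEAN_BUILD + b":extra-bytes-not-in-source"
REBUILDS = {
    "builder-a": CLEAN_BUILD,                       # independent rebuild, agrees
    "builder-b": CLEAN_BUILD,                       # independent rebuild, agrees
    "builder-c": CLEAN_BUILD + b":ts=1700000000",   # embeds a timestamp: non-deterministic
}


if __name__ == "__main__":
    v = compare_release(SHIPPED_ARTIFACT, REBUILDS)
    print(v.status, "agree:", v.agreeing_builders, "dissent:", v.dissenting_builders)
```

The status distinction is the useful part: "shipped-diverges" with a quorum behind the consensus is the build-server case the comment describes, while "no-consensus" means the build itself is not yet reproducible and the check cannot say anything about the release until that is fixed.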