by killerstorm 38 days ago
Yeah, it's kinda weird - it's not like GitHub uses a particularly secure stack, formal verification or anything. It's just a regular build server with the power to compromise millions of software packages.

Bitcoin people solved this problem a decade ago with deterministic builds: Bitcoin Core is considered publishable when 5+ devs get a bit-exact build artifact, each individually signing a hash. Replicating that model isn't hard, it's just that nobody cares. People just want to trust the cloud because it's big.

1 comment
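
The publish gate killerstorm describes (several developers independently producing a bit-exact artifact and each signing its hash) as an added Go example; it is not code from the thread or from Bitcoin Core's own release tooling. It counts distinct trusted signers whose Ed25519 signature covers the exact SHA-256 of the artifact and ignores unknown keys, mismatched hashes and repeat attestations; the developer names, keys and artifact bytes are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Attestation is one developer's signed claim: "my own build of this release hashed to Digest".
type Attestation struct {
	Signer    string
	Digest    []byte // SHA-256 the signer computed over their own build output
	Signature []byte // Ed25519 signature over Digest
}

// CountAgreeingSigners returns how many distinct trusted developers validly signed the exact SHA-256
// of artifact. Unknown signers, bad signatures, a digest that differs from the artifact (their build
// was not bit-exact) and repeat attestations by one signer do not raise the count.
func CountAgreeingSigners(artifact []byte, trusted map[string]ed25519.PublicKey, atts []Attestation) int {
	want := sha256.Sum256(artifact)
	seen := map[string]bool{}
	for _, a := range atts {
		pk, ok := trusted[a.Signer]
		if ok && bytes.Equal(a.Digest, want[:]) && ed25519.Verify(pk, a.Digest, a.Signature) {
			seen[a.Signer] = true
		}
	}
	return len(seen) // publish only if this reaches the release threshold (the parent comment's 5+)
}

// Scenario returns constructed sample data with hypothetical developer names: six trusted devs,
// five of whom got a bit-exact build, one (frank) whose build differed, plus a repeat by erin.
func Scenario() (artifact []byte, trusted map[string]ed25519.PublicKey, atts []Attestation) {
	artifact = []byte("constructed release tarball bytes")
	good := sha256.Sum256(artifact)
	bad := sha256.Sum256([]byte("same source, but a build timestamp leaked into the output"))
	trusted = map[string]ed25519.PublicKey{}
	for _, name := range []string{"alice", "bob", "carol", "dave", "erin", "frank"} {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		trusted[name] = pub
		d := good[:]
		if name == "frank" { // frank's build was not reproducible, so he signs a different hash
			d = bad[:]
		}
		atts = append(atts, Attestation{name, d, ed25519.Sign(priv, d)})
	}
	atts = append(atts, atts[4]) // erin attests twice; one signer must not count as two developers
	return artifact, trusted, atts
}
```

With a threshold of 5 the constructed scenario passes on the strength of the five agreeing developers, while frank's differing hash and erin's duplicate contribute nothing; any change to the artifact bytes drops the count to zero.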

"Works on my machine" - a colleague's mug from back in the day. He was just being funny, but there's a bit of truth in every joke. Reproducibility was only occasionally a top concern for developers, and then GitHub and other CI tools came along to offload that concern altogether. Perhaps with the growing threat, maintainers will start to care again. GitHub should just turn off publishing capabilities and force them to care.