They were completely preventable by independent verification. It's just that without reproducible builds you can't independently verify anything.

Maybe some of them were preventable, but if it was in place, attackers would easily adapt to fool the automated systems and we would be back at the status quo.

> without reproducible builds you can't independently verify anything.

This is a myth propagated by reproducible builds people. Byte-for-byte similarity is not required to detect that a Trojan was injected into one.

You are right, I should not have said "you can't independently verify anything", but then you generally need to know what you are looking for.