The issue originally started with just making the build reproducible, but there are other supply chain attack vectors. For example, if some build tools introduce malicious code, then the build will be maliciously reproducible. So we need to think carefully about what other mitigations there are beyond reproducible builds.
References: