@martin_ueding @glyph @AndresFreundTec @kirschwipfel > Sounds good. But some projects have a build stage which generates lots of things. Packagers for distributions need to up the needed environment and perform these steps. It seems much easier to use a provided artifact in these cases.

If you don't care about reliability, build-reproducibility and trustworthiness of your distro, sure.

> I think this attack is hard to defend against: An evil insider in the project with control over the code and artifacts.

Compromise of artifacts is a lot easier, you can ask the Linux Mint project about that.

> One could also hide malicious stuff in the code itself directly, in plain sight.

That requires a project with such awful code practices (accepting random unauditable blobs) that you'd hope the package maintainers would simply refuse to add it in the first place.