ogrisel, I have been thinking a bit about how to detect supply chain attacks against popular open source projects such as scikit-learn.
If you have practical experience with https://reproducible-builds.org/ in particular in the #Python / #PyData ecosystem, I would be curious about any feedback to the plan I suggest for scikit-learn in the following issue.
Feel free to reply on mastodon first, if you have questions.
Add comment