Simon Josefsson <si...@josefsson.org> writes:

> Successfully attacking ALL individual developers, with each own
> individual security weaknesses, seems to me more costly than attacking a
> single known publicly run instance like tag2upload or Salsa.

You only need to be able to successfully attack *one* developer in order to cause significant damage. The more popular that developer's packages are, the more damage you can do. So the developer with the weakest security practices and most popular packages is probably a prime candidate.

--
Brian May @ Debian