Deterministic builds can be done with closed source too. It doesn't directly help the users, but if they had set up a second build machine and noticed the build output was different, they could have addressed this sooner.
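The check the comment above describes, written out as an added example (not code from anyone in this thread): hash every artifact from two independent builds, then compare the manifests so any file that differs, or exists on only one side, is flagged. The two build trees are constructed inline for illustration; in practice they would be the outputs of two separate build machines.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file under `root` (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifests(manifest_a, manifest_b):
    """Report artifacts whose digests differ or that appear on only one side.

    Returns a dict with sorted lists under 'mismatched', 'only_in_a', 'only_in_b'.
    All three lists are empty when the two builds are bit-for-bit identical.
    """
    paths_a, paths_b = set(manifest_a), set(manifest_b)
    return {
        "mismatched": sorted(p for p in paths_a & paths_b if manifest_a[p] != manifest_b[p]),
        "only_in_a": sorted(paths_a - paths_b),
        "only_in_b": sorted(paths_b - paths_a),
    }


def write_sample_builds(base):
    """Construct two fake build-output trees (sample data, not real artifacts).

    build_b reproduces build_a except that bin/app carries extra bytes,
    standing in for a binary that was altered on one build machine, and
    build_a contains a docs file that build_b lacks.
    """
    base = Path(base)
    a, b = base / "build_a", base / "build_b"
    files_a = {
        "bin/app": b"\x7fELF-app-code-v1",
        "lib/helper.so": b"helper-library-bytes",
        "docs/README.txt": b"release notes",
    }
    files_b = {
        "bin/app": b"\x7fELF-app-code-v1\x90\x90",  # tampered copy
        "lib/helper.so": b"helper-library-bytes",
    }
    for root, files in ((a, files_a), (b, files_b)):
        for rel, data in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
    return a, b


def demo():
    """Run the comparison over the constructed sample trees and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        a, b = write_sample_builds(tmp)
        return compare_manifests(build_manifest(a), build_manifest(b))


if __name__ == "__main__":
    report = demo()
    for key, paths in report.items():
        print(f"{key}: {paths}")
    if any(report.values()):
        print("BUILD OUTPUTS DIFFER: do not ship until the cause is understood")
```

Saving each machine's manifest alongside the release lets a third party rerun `compare_manifests` against their own build later; a difference is not proof of compromise on its own (embedded timestamps and build paths are common benign causes), but it is exactly the signal the comment says should have triggered a closer look.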
Of course, if following best practices, all build machines should be equally compromised. ;p
How is this possibly acceptable? We've given people verifiable proof that this binary is not the one we created, yet users should crack on and install it anyway?
I wonder if you could gain security while preserving agility by having build servers with exceptional (and annoying) security maintained offline. Do your CI/CD work, then chop off a weekly release and build it from source on a machine that’s been powered off in a secure room the whole time.
Still doesn’t help you if the attack is sufficiently upstream.