hweimer, One important lesson from the #xz situation is that we should not allow binary blobs to enter the build process because they can't be audited. (In the case of xz-utils, most of the malicious code was hidden in a binary test archive.)
Some time ago, I banned all binaries from the revision control system used for our papers. That means no PDFs, PNGs, etc. In our case, it's not malicious code but #reproducibility; nevertheless, the challenges are quite similar. (1/3)
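As an added example (not code from the thread or its author), one way to enforce such a ban is a git pre-commit hook that refuses staged blobs: it matches a small table of magic numbers for archive formats and for the PDF and PNG types the post names, then falls back to git's own NUL-byte heuristic. It assumes git is on PATH and that the script is installed as .git/hooks/pre-commit; all names are hypothetical.

```python
#!/usr/bin/env python3
"""Pre-commit hook: refuse binary blobs (hypothetical helper, not from the thread)."""
import subprocess
import sys
from typing import List, Optional

# Well-known file signatures; the label only appears in the refusal message.
MAGIC = {
    b"\xfd7zXZ\x00": "xz archive",
    b"\x1f\x8b": "gzip archive",
    b"PK\x03\x04": "zip archive",
    b"%PDF": "PDF",
    b"\x89PNG\r\n\x1a\n": "PNG",
}


def classify(data: bytes) -> Optional[str]:
    """Return a label if `data` looks like a binary blob, else None.

    Known prefixes are checked first; otherwise git's own rule applies:
    a NUL byte anywhere in the first 8000 bytes means binary.
    """
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    if b"\x00" in data[:8000]:
        return "binary (NUL byte found)"
    return None


def staged_files() -> List[str]:
    """Paths added, copied or modified in the index (-z copes with odd names)."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
        check=True, capture_output=True).stdout
    return [p.decode() for p in out.split(b"\0") if p]


def staged_blob(path: str) -> bytes:
    """Content as staged (the index), not the working-tree copy."""
    return subprocess.run(["git", "show", f":{path}"],
                          check=True, capture_output=True).stdout


def main() -> int:
    offenders = []
    for path in staged_files():
        label = classify(staged_blob(path))
        if label:
            offenders.append((path, label))
            print(f"refusing {path}: {label}", file=sys.stderr)
    return 1 if offenders else 0


if __name__ == "__main__":
    sys.exit(main())
```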