It's next to impossible for users to verify that the published binaries behave identically to the published source code; it should be possible for developers (or anyone else with the source) to build the source code and produce a binary that is bit-for-bit identical to the published one. Reproducible builds would make it much easier to notice when an attacker has replaced the real binary with a malicious version, because an honest rebuild would no longer match it.
See also https://reproducible-builds.org/
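An added example of the check described above, not code from the original page or from reproducible-builds.org: a tiny stand-in "compiler" written as a shell function packs a source file into an artefact, and a verifier rebuilds from the same source and compares SHA-256 digests. It goes slightly beyond the text to show why the check only works when the build is deterministic: the "naive" mode stamps the output with the wall-clock time and the build path (two common causes of non-reproducible builds), while the "deterministic" mode takes its timestamp from the SOURCE_DATE_EPOCH environment variable, the convention documented at reproducible-builds.org. The sample source, the epoch value 1700000000 and the build() function itself are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not the original page's code). build() is a stand-in for a real
# compiler; the sample source and SOURCE_DATE_EPOCH value are constructed.
set -eu

# SHA-256 of a file; sha256sum on Linux, shasum on macOS/BSD.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Stand-in compiler. "naive" mode embeds the wall-clock time and the output path
# (standing in for the build directory), so every build differs.
# "deterministic" mode takes its timestamp from SOURCE_DATE_EPOCH and records
# nothing host- or path-specific, so the same source always yields the same bytes.
build() {
    mode=$1; src=$2; out=$3
    {
        if [ "$mode" = naive ]; then
            printf 'built-at: %s\nbuild-dir: %s\n' "$(date +%s)" "$out"
        else
            printf 'built-at: %s\n' "${SOURCE_DATE_EPOCH:-0}"
        fi
        cat "$src"
    } > "$out"
}

# Rebuild the source independently and compare with the published artefact.
# Prints the verdict; returns 0 on match, 1 on mismatch.
verify() {
    mode=$1; src=$2; published=$3
    rebuilt=$(mktemp)
    build "$mode" "$src" "$rebuilt"
    want=$(digest "$published"); got=$(digest "$rebuilt")
    rm -f "$rebuilt"
    if [ "$want" = "$got" ]; then
        echo "match    $got"
        return 0
    fi
    echo "MISMATCH published=$want rebuilt=$got"
    return 1
}

# Writes the constructed sample source into a fresh work dir and prints the dir.
fresh_source() {
    work=$(mktemp -d)
    printf 'int main(void) { return 0; }\n' > "$work/main.c"   # constructed source
    echo "$work"
}

# Release built with SOURCE_DATE_EPOCH pinned; a verifier using the same source
# and the same epoch reproduces it bit for bit.
demo_deterministic() {
    work=$(fresh_source)
    SOURCE_DATE_EPOCH=1700000000 build deterministic "$work/main.c" "$work/release.bin"
    SOURCE_DATE_EPOCH=1700000000 verify deterministic "$work/main.c" "$work/release.bin"
}

# Same source built naively: the rebuild never matches, so a verifier cannot
# tell a legitimate artefact from a tampered one.
demo_naive() {
    work=$(fresh_source)
    build naive "$work/main.c" "$work/release.bin"
    verify naive "$work/main.c" "$work/release.bin"
}

# Deterministic release swapped for a modified artefact: the honest rebuild
# exposes the substitution.
demo_tampered() {
    work=$(fresh_source)
    SOURCE_DATE_EPOCH=1700000000 build deterministic "$work/main.c" "$work/release.bin"
    printf 'x' >> "$work/release.bin"                           # attacker's modification
    SOURCE_DATE_EPOCH=1700000000 verify deterministic "$work/main.c" "$work/release.bin"
}

printf 'deterministic build: '; demo_deterministic
printf 'naive build:         '; demo_naive || true
printf 'tampered artefact:   '; demo_tampered || true
```

The point of the naive case is that a mismatch there proves nothing: only when the build is deterministic does a differing digest mean the published artefact is not what the source produces. Real toolchains need more than SOURCE_DATE_EPOCH (stable file ordering, no embedded build paths, pinned compiler versions), which is what the reproducible-builds.org documentation covers.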