If everything is done carefully enough with reproducible builds, I think using a binary whose hash can be checked shouldn't be a great extension of trust.
You could have multiple independent autobuilders verifying that particular source does indeed generate a binary with the claimed hash.
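As an added example (not part of the original post), here is a small Python check for the "multiple independent autobuilders" idea: a binary is accepted only if every builder that built the expected source revision reports the same hash, at least a quorum of distinct builders vouch for it, and that hash matches the file actually in hand. Builder names, the source revision id and the sample binary are all constructed placeholders; any disagreement between builders is treated as a hard failure, since it means either the build is not reproducible or one builder is misbehaving.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BuildAttestation:
    """One builder's claim: 'source revision X reproducibly builds to hash Y'."""
    builder: str    # independent builder identity (constructed names below)
    source_id: str  # source revision the builder built, e.g. a commit id (constructed)
    sha256: str     # hex SHA-256 of the binary that builder produced


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_binary(binary: bytes, expected_source: str,
                  attestations: list, quorum: int) -> tuple:
    """Decide whether `binary` may be trusted as the build of `expected_source`.

    Accept only when:
      * every builder that built `expected_source` reports the same hash
        (any disagreement rejects the binary outright), and
      * at least `quorum` distinct builders report that hash, and
      * that hash matches the binary actually in hand.
    Returns (ok, reason).
    """
    actual = sha256_hex(binary)
    # Only attestations for the revision we expect count; others are ignored.
    relevant = [a for a in attestations if a.source_id == expected_source]
    if not relevant:
        return False, "no attestations for expected source"
    # Group builders by the hash they reported, so we can see agreement.
    builders_by_hash = defaultdict(set)
    for a in relevant:
        builders_by_hash[a.sha256.lower()].add(a.builder)
    if len(builders_by_hash) > 1:
        return False, "builders disagree on the hash: build is not reproducible"
    (claimed, builders), = builders_by_hash.items()
    if len(builders) < quorum:
        return False, f"only {len(builders)} independent builder(s) agree, need {quorum}"
    if claimed != actual:
        return False, "binary hash does not match the reproducibly built hash"
    return True, f"hash confirmed by {len(builders)} independent builders"


# Constructed sample artifact and attestations (not a real release or real builders).
SAMPLE_BINARY = b"\x7fELF constructed sample binary, release 1.0\n"
SAMPLE_SOURCE = "commit-abc123-constructed"
SAMPLE_ATTESTATIONS = [
    BuildAttestation("builder-a", SAMPLE_SOURCE, sha256_hex(SAMPLE_BINARY)),
    BuildAttestation("builder-b", SAMPLE_SOURCE, sha256_hex(SAMPLE_BINARY)),
    BuildAttestation("builder-c", SAMPLE_SOURCE, sha256_hex(SAMPLE_BINARY)),
    # An attestation for a different revision is ignored by the check.
    BuildAttestation("builder-a", "commit-def456-constructed", "00" * 32),
]

if __name__ == "__main__":
    print(verify_binary(SAMPLE_BINARY, SAMPLE_SOURCE, SAMPLE_ATTESTATIONS, quorum=2))
    tampered = SAMPLE_BINARY + b"extra bytes"
    print(verify_binary(tampered, SAMPLE_SOURCE, SAMPLE_ATTESTATIONS, quorum=2))
```

The quorum and the disagreement rule are the two knobs that make this more than a single hash comparison: raising the quorum raises the number of builders an attacker would have to compromise simultaneously, and refusing to accept when builders disagree means a non-reproducible build is surfaced as a failure instead of silently picking one builder's answer.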