The code author could make a signature on every release, which would be the strongest guarantee of authenticity. But at a rudimentary level, we could have code hosting repositories simply publish/advertise the sha256 values of the hosted code files.
The root of trust has to lie at the source code origin for a pure implementation of reproducible builds and for the security reasons I mentioned earlier.
In general it doesn't help much IMO to have distributions take a silo view of the problem. But those are just my ideas and thoughts on the matter.
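The two mechanisms the comment above contrasts (a host advertising sha256 values, and the author signing each release) can be combined: the host publishes a SHA256SUMS-style manifest and the author signs that manifest, so a consumer verifies one signature and then checks every file against it. The following is an added example in Go, not code from the commenter or any project; it assumes Ed25519 for the release key and a constructed two-file release as input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Release models the files a code host serves for one tagged release.
// The contents used below are constructed sample data, not a real project.
type Release map[string][]byte

// Manifest renders the SHA256SUMS-style text the host would publish:
// one "<hex sha256>  <name>" line per file, sorted by name so the text is
// deterministic (required if the manifest itself is to be signed).
func Manifest(r Release) string {
	names := make([]string, 0, len(r))
	for n := range r {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		sum := sha256.Sum256(r[n])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), n)
	}
	return b.String()
}

// SignManifest is the author's once-per-release step: sign the manifest
// text with a long-term Ed25519 key (assumed here; any signature scheme works).
func SignManifest(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

// VerifyRelease is the consumer side (a distro builder, or anyone checking a
// reproducible build). It checks the author's signature over the manifest,
// then recomputes every listed hash against the files actually obtained.
// A file missing from either side is treated as a failure, so a dropped or
// extra file cannot slip through.
func VerifyRelease(pub ed25519.PublicKey, manifest string, sig []byte, got Release) error {
	if !ed25519.Verify(pub, []byte(manifest), sig) {
		return errors.New("manifest signature invalid")
	}
	listed := map[string]bool{}
	for _, line := range strings.Split(strings.TrimSpace(manifest), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		want, name := fields[0], fields[1]
		data, ok := got[name]
		if !ok {
			return fmt.Errorf("%s listed in manifest but not present", name)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != want {
			return fmt.Errorf("%s: sha256 mismatch", name)
		}
		listed[name] = true
	}
	for name := range got {
		if !listed[name] {
			return fmt.Errorf("%s present but absent from manifest", name)
		}
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample release.
	release := Release{
		"main.c":   []byte("int main(void) { return 0; }\n"),
		"Makefile": []byte("all:\n\tcc -o prog main.c\n"),
	}
	manifest := Manifest(release)
	sig := SignManifest(priv, manifest)
	fmt.Print(manifest)
	fmt.Println("genuine release:", VerifyRelease(pub, manifest, sig, release))

	// Simulate a host-side tamper: same manifest and signature, altered source.
	tampered := Release{
		"main.c":   []byte("int main(void) { system(\"/bin/sh\"); return 0; }\n"),
		"Makefile": release["Makefile"],
	}
	fmt.Println("tampered release:", VerifyRelease(pub, manifest, sig, tampered))
}
```

Note that the sha256 manifest alone only proves the files match what the host advertised; it is the signature over the manifest that ties the release back to the author, which is the origin root of trust the comment argues for.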