@hipsterelectron As someone interested in "reproducible builds" in general, what's the state-of-the-art here?
Is there any ecosystem doing this *well* (e.g. dev-signed *and* packager-signed reproducible builds?)
(I semi-recently tried to figure out how to tell which, if any, f-droid things are "built by devs" but gave up.)
Was also hoping TUF would make it into Python ecosystem, finally, but it seems "only via sigstore.dev" which ... isn't quite what I hoped?