by jpgoldberg 3145 days ago
[Disclosure: I work for AgileBits, the makers of 1Password]

Thanks. I (as you'd expect) agree with both points.

The second one is particularly challenging. Deterministic builds are possible for some categories of software, but it will be a long time in coming. And for software that is updated frequently, it is even harder for people to practically check that what they are running is the reviewed code. But the technology is improving for this to be more practical. On the other hand, app stores move things further away from having the ability to distribute deterministic builds.

This is not an excuse to not seek openness, but it does point out that there are lots of things to do that most people don't do to get the benefits of that kind of inspection.