[openoi]

Another reason why reproducible builds in open source are so important. The version of Caddy you can compile yourself is different from that you are offered as download. And there's nowhere a notice to be found about that intransparent move.

[elcore]

Caddy's build are reproducible as per https://github.com/golang/go/wiki/Modules. The downloader offers you to extend Caddy with plugins, and this will change the hash of the binary compared to a straight build from the source code. Keep in mind that Telemetry is enabled by default in the source code, unlike @ the downloader, this changes the hash too.