Hacker News
by httpsterio 1495 days ago
Same goes for open source builds, you have to either build it yourself or trust the supplied builds.
3 comments

Those aren't really the only two options though, are they? If you don't trust software you can run it air-gapped or in an internet-free sandbox.

Moreover, good luck trying to verify that everything a website does on the server side is unchanged compared to a binary that's been built locally once.

It is also possible to trust anyone who has verified the build is reproducible:

https://reproducible-builds.org/

Reproducible builds are a thing, but yeah, no easy solution out there for binary/code authenticity.