[irundebian]

The provided binaries may still contain malicious code but it guarantees that no malicious code has been inserted in between the build process of the published code. So if your binaries contain malicious code, you can be sure that all other users of the software version are affected, too.

[tuananh]

does anyone practice dual build pipeline? eg: 1 by your devops team and another one by your security team and compare binaries hash later. To verify everything is reproducible.

is it a common practice?

[indolering]

It is not common outside of security inclined communities like cryptocurrencies. It should be and we are slowly moving there.

[jraph]

Indeed, thanks for the precision!