From Fedora Project Wiki

It should be possible to reproduce every build of every package in Fedora (strong, long-term goal). It should be possible for the users to verify that the binary matches what the source intended to produce, in an independent fashion. This is the basic nature of open source, the source code is available, so what can we do with it?

I want to be able to show that our binary was the result of our source code from our compiler and nobody added anything to the binary along the way. Can we show that one of Fedora’s RPMs was built from the source RPM shipped? Fedora shouldn’t be forced to say "Trust Us" when asked about proving the binary RPMs came from the source RPMs.

https://github.com/kholia/ReproducibleBuilds

https://reproducible-builds.org/docs/

https://wiki.debian.org/ReproducibleBuilds