Agree reproducible builds should be added to the list of best practices.
There are ways to use HSMs to allow users to verify server-side builds match the open source code, although I think only conceptually. Would love to see this done in practice so we can learn from it.
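The reproducibility this comment asks for, as an added example that is not code from the thread or from any project it mentions: a constructed sample source tree is packaged two ways. The naive packaging leaks build timestamps, entry order and the gzip header clock, so two builds of identical source differ; the normalized packaging yields byte-identical output, which is what lets a user rebuild from the public source and compare digests with what the server serves. The HSM-held signing key over the server's digest is assumed and not implemented here.

```python
"""Reproducible-build demo: remove everything that makes two builds of the same
source differ, so a user can rebuild from public source and compare digests."""
import gzip
import hashlib
import io
import tarfile

# Constructed sample source tree (path -> content); not taken from the page.
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"demo project\n",
    "src/util.h": b"#pragma once\n",
}


def naive_build(tree, mtime):
    """Non-reproducible packaging: entry order follows the dict, each entry
    carries the builder's clock (passed in explicitly here so the demo is
    deterministic), and the gzip header records a wall-clock mtime too.
    Two builds of identical source therefore produce different bytes."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, data in tree.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def reproducible_build(tree):
    """Reproducible packaging: sorted entry order, fixed mtime/mode/uid/gid,
    empty user and group names, and a zeroed gzip header timestamp."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for name in sorted(tree):
            data = tree[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def digest(artifact):
    """SHA-256 of a build artifact, the value a server would publish."""
    return hashlib.sha256(artifact).hexdigest()


def verify_against_source(served_artifact, public_tree):
    """User-side check: rebuild from the public source and compare digests.
    In the scheme the comment sketches, the server's digest would additionally
    be signed by a key held in an HSM; that signature check is assumed, not shown."""
    return digest(served_artifact) == digest(reproducible_build(public_tree))


if __name__ == "__main__":
    print("naive builds equal:", naive_build(SOURCE_TREE, 1000) == naive_build(SOURCE_TREE, 2000))
    print("reproducible digest:", digest(reproducible_build(SOURCE_TREE)))
    print("server build matches source:", verify_against_source(reproducible_build(SOURCE_TREE), SOURCE_TREE))
```

The check only means something when the rebuild is genuinely independent of the server's environment, which is why every environment-dependent field (timestamps, ownership, ordering, compressor header) is pinned rather than copied.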