Good post. One question might be missing:
Are the builds reproducible?
What if the software is a website like SN?
How can users trust that the code in the repository is the code that is running on SN?
Agree reproducible builds should be added to the list of best practices.
There are ways to use HSMs to allow users to verify server-side builds match the open source code, although I think only conceptually. Would love to see this done in practice so we can learn from it.