So, Philipp Kern dropped by asking if we could do some #ReproducibleBuilds verifications of recent Debian Security updates, given, well the whole #xz mess... and that our build infrastructure may have run compromised code at some point...
So I did a quick pass at a handful of updates and everything verified ok so far, though I skipped some of the probably more juicy targets such as chromium and firefox:
https://lists.reproducible-builds.org/pipermail/rb-general/2024-March/003321.html
Debian is reproducible enough to at least try this sort of thing!