As long as the program is equivalent there isn't an actual problem here. Requiring the output to always be the same is an arbitrary restriction.

If you want to have users trust that someone else hasn't modified it, then sign it with your identity.

▲

yjftsjthsd-h 4 hours ago | parent [-]

We'd like to verify, not trust.

▲

charcircuit 4 hours ago | parent [-]

The whole point of a signature is that you are able to verify what was signed was in fact a message that was signed by signer.

▲

robinsonb5 4 hours ago | parent [-]

Sure, but a signature doesn't prove that a particular binary came from a particular codebase - merely that a particular human (or other trusted entity, for varying degrees of "trusted") has vouched for it.

Being able to reproduce the binary from the source code and being able to verify that it's the same as the original is quite important in some contexts.

	▲	charcircuit 4 hours ago \| parent [-]
		>Being able to reproduce the binary from the source code and being able to verify that it's the same as the original is quite important in some contexts. I disagree. The contexts that people come up with are purely theoretical, and are not practically important. Please do try and convince me otherwise by sharing such a context. From my view the juice of trying to accomplish this is no where worth the squeeze.