Not all packages are built in deterministic ways: some will get a different hash on each run. This makes/made Haskell packaging more difficult, since there even ABIs are nondeterministic, so after a library is rebuilt all its dependencies needed rebuilding. There are also trivial issues like archives containing timestamps of when they were built.
I think the answer is that we trust distro developers and we don't know of any problems which we explain by the packages not being what would be built from the source.
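An added example, not part of the original message: it shows how a build timestamp in an archive header changes the hash between two otherwise identical builds, and how normalizing the metadata makes a rebuild comparable to a published package. The file names, contents and the `build_archive` and `compare_builds` helpers are constructed for illustration.

```python
import hashlib
import io
import tarfile

# Constructed sample package contents (name -> bytes), not from any real package.
FILES = {"usr/lib/libdemo.so": b"\x7fELF-demo", "usr/share/doc/README": b"demo\n"}


def build_archive(files, build_time, normalize):
    """Return tar bytes for `files`; `build_time` simulates the clock at build."""
    buf = io.BytesIO()
    # Plain (uncompressed) tar: gzip would add a header timestamp of its own.
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        # A normalized build fixes member order instead of relying on input order.
        names = sorted(files) if normalize else list(files)
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            # The naive build records "when it was built" in every member header.
            info.mtime = 0 if normalize else build_time
            if normalize:
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                info.mode = 0o644
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def digest(data):
    return hashlib.sha256(data).hexdigest()


def compare_builds(normalize):
    """Hash two builds made an hour apart; True if they are bit-identical."""
    first = digest(build_archive(FILES, 1_700_000_000, normalize))
    second = digest(build_archive(FILES, 1_700_003_600, normalize))
    return first == second


if __name__ == "__main__":
    print("naive builds identical:     ", compare_builds(normalize=False))
    print("normalized builds identical:", compare_builds(normalize=True))
```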
