"More often, attackers want signing keys so they can sign their own binaries"
Isn't the idea that you don't have trust signing keys anymore because you rely on consensus? An attacker would probably have a much harder time compromising 10 vendors instead of one.
You are right, about complexity and issues, and you certainly don't "need" reproducible builds, depending on what you are after but it can be beneficial.
Also, you're arguments often seem to come out of thin air:
"reproducible builds are not for users" Why? Maybe not for the average user (yet).
That might be, but Germany and Switzerland assessed the safety to be suboptimal.
"In 2007, the same year a Swiss study found that seismic risks in the Alsace region had been underestimated during construction, the ASN denounced a “lack of rigour” in EDF’s operation of the plant."
Isn't the idea that you don't have trust signing keys anymore because you rely on consensus? An attacker would probably have a much harder time compromising 10 vendors instead of one.
You are right, about complexity and issues, and you certainly don't "need" reproducible builds, depending on what you are after but it can be beneficial.
Also, you're arguments often seem to come out of thin air: "reproducible builds are not for users" Why? Maybe not for the average user (yet).