You did not read my post through, did you??

If you read it again you will notice I said Binary distribution can be allowed if the sources are available and mechanism for reproducible build verification exists.

This means that somebody can build the sources and verify the resulting RPM is what is ptovided!!!

Yes, juiceme, I read that. And I have repeatedly said that I have an issue with that somebody.

In your idealistic world, "somebody" will review those 5 million lines of code. In the real world, nobody will even look at it. But somebody might write an alternative application if the API is public. Which was my point.

@pichlo thats not @juiceme's point here (correct me if iam wrong)

By being able to recompile from sources, and comparing a precompiled binary (rpm) against own build (rpm) its a matter of comparing if checksums matches. If no match, something was changed in precompiled binary, and there is a reason to be suspicious.

Sorry but that's just silly. For at least two reasons:
1) A checksum match can only guarantee that the compiled binary matches the supplied sources. Not that the sources are safe and do not contain some hidden gems.
2) A checksum is not going to match anyway. At least in my experience, every time I build something I get a slightly different binary. The compiler embeds things like the build date/time etc.

No, but for installing a bitcoin miner by an innocently looking chat application, having root access helps.

At least on a decent OS. On Sailfish, you don't need root for that either

Simplified, yes. There needs to be a reproducable build method, which will result in matching checksums. Or other verifiable methods.

https://wiki.debian.org/ReproducibleBuilds

@nieldk already explained it well. In most cases the possibility of reproducible build from sources already deters the will to put in backdoors.

Also one does not need to look at every line of the 5 million LOC, there are ways to speed up the process pretty much, for example with c sources you can grep thru included headers to find the modules most likely to do some funny business and then check those.

Also there does exist way to have reprducible RPM builds

Still no info/promise which will be the android compatibility level, 5,6,7,8...

I'm totally with you regarding the desire for reproducible builds and having access to the code. But the FOSS world is not what I had in mind when posting my last post, as you rarely are forced to use a specific app there.

I was looking at big companies (banks, public transport etc) where you see tendencies towards app exclusive services. The best example may be online banking apps, for which you often see issues at TJC from nordic users: either you install and use the app, or you can't access your online banking.
The sad truth here is that there usually is no possibility to get a look at the source code. So, sure, they could include a crypto miner or something like that, but I'd say the chances for that are quite low in these cases. The bigger issue is that more and more companies go "all in" regarding data collection: try to grab as many data from users you can, maybe they can be useful (and sold) in the future. In this case, App permissions are essential, since with them you can use the app without the fear that it "steals" your address book or is constantly spying on your location.
I have to say that Google did a good job regarding this permissions in the newer Android versions. Wouldn't Android itself spy on the user so massively, it would be a great privacy-friendly system. And this is where SFOS has its advantages in my opinion: If we get similar app permission features as Android, we have a privacy-friendly base system (opposed to Android) and can get much more privacy for Apps which are (unfortunately) essential for the user.

This is where our disagreement comes from. I am not convinced that your statement is 100℅ true. In a reasonably complex piece of code, it is dead easy to hide whatever you want in plain sight. In which case providing the sources will only serve to give the false sense of security to idealists like you, who naively believe that sources = guarantee of genuinity.

Regarding the Nordic bank users, as per jenix's post, I am somewhat baffled. Does that mean you guys cannot login from any random computer using any random browser? That completely defeats the whole purpose of online banking. If my bank tried to impose such a restriction on me, I would switch the bank.