Finding solutions for reproducible builds BoF

How can we enable multiple parties to verify that a binary package has
been produced untampered from a given source in a distribution like
Debian?

While trying to get reproducible builds for Debian packages, several
problems were identified. For some, like paths encoded in debug files,
we are still missing good solutions. Let's review them and find great
ideas!