I wonder if Canonical (and/or Debian) provide any sort of guarantee that all packages in main and universe repos are always either built from source by themselves, or verified by them (in case of deterministic or signed reproducible builds) as opposed to just including binaries compiled by others (which implies that you have to trust them, as well, to not be doing something shady or unclear on their compilation process, or using anything outside the public source repo other than private keys for signing, where applicable).
What are Debian and Ubuntu's policies on this? Do they have any official pages or statements on this matter? I'd expect them to do it at least for main, but what about universe? Who am I "trusting" (to provide what they claim to have compiled) when I install something from universe? Just Canonical/Debian or also the authors themselves?
Related: (some info I found on reproducible builds, mostly old)
Best Answer
Packages in main and universe are built in the launchpad build farm, from source. You don't need to ask for verification of this as you can find it yourself.
For example, at the time of writing the most recent build of
binduploaded to Ubuntu 20.04 LTS (Focal) is 1:9.16.1-0ubuntu2.5. You can see this via the focal-changes public mailing list. Specifically this post which links to launchpad where you can see the source files and builds, and build logs for every supported architecture. For example the amd64 build for that version of that package is found here with the build log here.You can repeat this process for every package in every release of Ubuntu.
While I mentioned main and universe, the same is true of restricted and multiverse packages, which are also built on launchpad. However they may contain non-free components, so aren't guaranteed to be built "from source", but there is a source package for each, even if it contains some binary components.