Description
Currently the Quilibrium node binary is built and released using a process which is not transparent or auditable by the general public. There is a binary signatory check at startup, but as far as I am aware there is no mechanism whereby the public can establish a trust relationship with the signatories. As such, there is no obvious mechanism whereby a node maintainer may verify that the release binary they install and run on their own hardware is built from an unmodified version of the source code which is publicly accessible.
Many open source blockchains and other open source tools which provide release binaries make use of GitHub Actions and the GitHub release mechanism to provide an auditable trail of the build and release process, whereby a node maintainer may review the build steps in order to satisfy themselves that the release binary is derived from the same source code as the publicly accessible source. The ceremonyclient repository contains no such actions or releases, and no notes or explanations are provided in the repository README to explain how node binaries are built and released, so there is no obvious or transparent correlation between release binaries and source code.
Node maintainers may work around this by building their own binaries and skipping signature checks, but a first-class solution by a trustworthy project which provides release binaries should include an obvious mechanism by which those downloading release binaries may validate the build and release process of those binaries.
If I am mistaken and an auditable mechanism for release binary verification does exist, it would be helpful if a note about the same could be included in the main repository README.
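As an added example (not code from the issue author or from the ceremonyclient repository), the two checks a node maintainer would run to tie a downloaded release binary back to public source: first that the download matches a publisher-supplied `SHA256SUMS` manifest, then that it is byte-identical to a binary built locally from the same tag. Both the manifest and the local build are assumptions here, since the issue states that no such release mechanism exists; the sample files are constructed in a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the ceremonyclient repository or the issue author.
# Two checks a node maintainer can run on a release binary:
#   1. manifest_check: the download matches the publisher's SHA256SUMS entry
#      (assumes a manifest in `sha256sum` format is published; hypothetical here).
#   2. reproducible_check: the download is byte-identical to a binary built
#      locally from the public source at the same tag (assumes a deterministic
#      build; producing the local build itself is outside this script).
# All sample files are constructed in a temp directory so the script runs offline.
set -eu

# Portable SHA-256 hex digest: coreutils sha256sum on Linux, shasum elsewhere.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Look up the file's basename in a "<hex>  <name>" manifest and compare digests.
# Returns 0 on match, 1 on mismatch, 2 when the manifest has no entry for the file.
manifest_check() {
    manifest=$1
    file=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$manifest")
    if [ -z "$expected" ]; then
        echo "manifest_check: no entry for $name in $manifest" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$expected" != "$actual" ]; then
        echo "manifest_check: $name digest $actual, manifest says $expected" >&2
        return 1
    fi
}

# Compare the release binary with a locally built one. A mismatch is not proof of
# tampering: embedded timestamps, build paths or a different toolchain version
# also change the digest, so rule those out before drawing conclusions.
reproducible_check() {
    release=$1
    local_build=$2
    r=$(sha256_of "$release")
    l=$(sha256_of "$local_build")
    if [ "$r" != "$l" ]; then
        echo "reproducible_check: release $r != local build $l" >&2
        return 1
    fi
}

# Demo on constructed inputs: a stand-in release asset, a matching local build,
# a tampered copy, and a manifest generated for the genuine asset.
demo() {
    dir=$(mktemp -d)
    printf 'constructed node binary bytes' > "$dir/node"
    printf 'constructed node binary bytes' > "$dir/node.local"
    printf 'constructed tampered bytes' > "$dir/node.tampered"
    printf '%s  node\n' "$(sha256_of "$dir/node")" > "$dir/SHA256SUMS"

    manifest_check "$dir/SHA256SUMS" "$dir/node" && echo "manifest: ok"
    reproducible_check "$dir/node" "$dir/node.local" && echo "reproducible: ok"
    if reproducible_check "$dir/node" "$dir/node.tampered" 2>/dev/null; then
        echo "tampered copy NOT detected"
    else
        echo "tampered copy: detected"
    fi
    rm -rf "$dir"
}

demo
```

The manifest check on its own only proves the download is what the publisher uploaded; it says nothing about whether that upload came from the public source, which is the gap the issue describes. The second check is what closes that gap, and it only works if the build is deterministic: for a Go project that typically means a pinned toolchain and `go build -trimpath`, with the exact invocation published alongside the release so that a maintainer can repeat it.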