SecurityWeek has published an article by CII’s Emily Ratliff called “Establishing Correspondence Between an Application and its Source Code.”
Soon it will be possible to enroll the signed hashes from the package management system as IMA (Integrity Measurement Architecture) attributes during the installation process. Then, if you configure your system to be IMA-enforcing, you will know that every running application came from your trusted distribution.
If your trusted distribution uses reproducible builds, then you will be able to directly trace the chain of integrity of the executing process back to the original code and know that the code has not been subverted during delivery.
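IMA keeps each file's appraisal value in the `security.ima` extended attribute, either as a bare hash or as a signature over the hash. The following added example (not code from the SecurityWeek article or from the IMA project) decodes that value and reports which files carry only a locally computed hash and which carry a signature that can tie them to a distribution key; the sample bytes and key id are constructed.

```python
import hashlib
import struct

# Type and algorithm numbers from the Linux kernel's evm_ima_xattr_type and hash_algo enums.
IMA_XATTR_DIGEST, EVM_IMA_XATTR_DIGSIG, IMA_XATTR_DIGEST_NG = 0x01, 0x03, 0x04
HASH_ALGOS = {2: "sha1", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_HDR = struct.Struct(">BBBIH")  # type, version, hash_algo, keyid (be32), sig_size (be16)


def parse_ima_xattr(raw: bytes) -> dict:
    """Decode a raw security.ima value (e.g. from os.getxattr(path, "security.ima"))."""
    if not raw:
        raise ValueError("empty security.ima value")
    kind = raw[0]
    if kind == EVM_IMA_XATTR_DIGSIG:
        if len(raw) < SIG_HDR.size:
            raise ValueError("truncated signature header")
        _, version, algo, keyid, sig_size = SIG_HDR.unpack_from(raw)
        if len(raw) - SIG_HDR.size != sig_size:
            raise ValueError("signature length does not match header")
        return {"kind": "signature", "version": version,
                "algo": HASH_ALGOS.get(algo, "unknown"), "keyid": f"{keyid:08x}"}
    if kind == IMA_XATTR_DIGEST_NG and len(raw) > 2 and raw[1] in HASH_ALGOS:
        return {"kind": "hash", "algo": HASH_ALGOS[raw[1]], "digest": raw[2:]}
    if kind == IMA_XATTR_DIGEST and len(raw) == 21:
        return {"kind": "hash", "algo": "sha1", "digest": raw[1:]}  # legacy SHA-1 form
    raise ValueError(f"unsupported or malformed security.ima type 0x{kind:02x}")


def audit(content: bytes, raw: bytes) -> str:
    """Classify one file: who vouches for it, and does a bare hash still match?"""
    info = parse_ima_xattr(raw)
    if info["kind"] == "signature":
        # Checking the signature itself needs the distribution's public key; not done here.
        return f"signed by key {info['keyid']} over {info['algo']}"
    actual = hashlib.new(info["algo"], content).digest()
    state = "matches" if actual == info["digest"] else "MISMATCH"
    return f"hash-only ({info['algo']}), {state}: no link to the distribution's signing key"


# Constructed sample data, not taken from a real system.
BINARY = b"\x7fELF constructed sample"
HASH_XATTR = bytes([IMA_XATTR_DIGEST_NG, 4]) + hashlib.sha256(BINARY).digest()
SIG_XATTR = SIG_HDR.pack(EVM_IMA_XATTR_DIGSIG, 2, 4, 0x1A2B3C4D, 256) + bytes(256)

if __name__ == "__main__":
    for raw in (HASH_XATTR, SIG_XATTR):
        print(audit(BINARY, raw))
    print(audit(BINARY + b"tampered", HASH_XATTR))
```

A hash-only value can be recomputed by anyone able to write the attribute, which is why enrolling the package manager's signed hashes is what links a running binary to the distribution.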
Read more at SecurityWeek.