> does what you want it to do
What are you even talking about? We're talking about security, not 100% correctness, which is indeed not achievable. Security as in the software doesn't contain backdoors. This is much easier to verify, and even the very openness of the code will prevent many attempts at that.
Also, trust must not be 100%, as Apple is trying to train their gullible users. Openness is definitely not a silver bullet, but it makes backdoors less likely, thus increasing your security.
> you do [verification of reproducible builds] by getting some string of bits from some safe place and compare it to a string of bits that your software hands you.
Exactly, and here's an example of how to do it reasonably (not perfectly!) well:
https://www.qubes-os.org/security/verifying-signatures/
Also, please stop with the security nihilism: https://news.ycombinator.com/item?id=27897975