you’re wrong…
There is a huge different between open source and closed source software even if the open-source software is not reproducible build yet, using/trusting binaries that compiled by someone else isn’t magically solved (reduce the trust needed) if the binary is reproducible build, it require more then that (at least a infra that enable you to validate the build against other builders to combat targeted attacks, something Debian also work on as you can see at https://buildinfo.debian.net/)
in open-source software you can manually verify that the build wasn’t compromised by looking at the difference between the supplied build and the build you done yourself (sometimes it’s easy, sometimes it’s hard) the point of reproducible builds is that the verification done automatically, so any mismatch is either a new-bug (need to be fixed) or malicious backdoor.
Regarding PureOS I guess the following will happen:
- They ensure the ISO generated is reproducible, as already done in Tails
https://tails.boum.org/news/reproducible_Tails/index.en.html - PureOS build upon Debian as many other distros (Ubuntu/Tails/Kali…) and all of them will benefit from Debian work when it will achieve 100% reproducible builds on all packages, then PureOs fix any reproducible bugs they introduce through changes.