This is a good question, certainly the most interesting point in this thread. iodéOS builds can in principle be reproduced, but there are a number of difficulties. The main one is the state of the sources: when a release is made and the sources are uploaded to our GitLab, not all repos are pushed, because most of them are used untouched from their origin (mainly AOSP and LineageOS). However, no trace is kept of their current state used to produce the builds.
One option would be to push all repos to GitLab, but this would consume a lot of disk space, and it is also a good thing to fetch repos from their original place.
Another option would be to keep track of the HEAD of each repo, and check out all repos to that registered state. This is something we can work on, for two reasons: (1) unofficial builders could use the exact source state that we used at each release (actually, they regularly have problems because some repos are updated here and there, making them incompatible with the state needed to compile), and (2) because it would allow independent developers to check the binaries which are embedded in iodéOS builds.
We will work on this topic ASAP, and give instructions/scripts on how to reproduce our builds: this should give a clear STOP to that sterile polemic.
About source verification: please note that our changes w.r.t. AOSP/LineageOS can be very easily checked, because at each release, we rebase on top of upstream repos. So one can easily check that the top upstream commit really exists in upstream, and just has to check all our commits from that point to the head of the repo.
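
As an added example (not part of the original post and not iodéOS tooling), both checks described above can be scripted with plain git: recording the HEAD of every repo at release time and verifying a tree against that record, and listing the commits that sit on top of a given upstream commit. The function names, the lock-file format and the directory layout are assumptions.

```shell
#!/bin/sh
# Added example: pin and audit the source state of a multi-repo tree.
# Function names and the "<commit> <path>" lock format are assumptions.

# record_heads ROOT LOCKFILE
# Write "<commit id> <relative path>" for every git checkout below ROOT.
record_heads() {
    root=$1 lock=$2
    find "$root" -name .git -prune | sort | while read -r gitdir; do
        repo=$(dirname "$gitdir")
        printf '%s %s\n' "$(git -C "$repo" rev-parse --verify HEAD)" \
            "${repo#"$root"/}"
    done > "$lock"
}

# verify_heads ROOT LOCKFILE
# Return non-zero if a checkout is missing or not at its recorded commit.
verify_heads() {
    root=$1 lock=$2 rc=0
    while read -r want path; do
        have=$(git -C "$root/$path" rev-parse --verify HEAD 2>/dev/null) \
            || have=missing
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $path: recorded $want, found $have" >&2
            rc=1
        fi
    done < "$lock"
    return $rc
}

# fork_commits REPO UPSTREAM_COMMIT
# Succeed only if UPSTREAM_COMMIT (a commit or ref fetched from the original
# upstream) is an ancestor of HEAD, i.e. the fork is rebased on top of it.
# Then print the fork-only commits that remain to be reviewed.
fork_commits() {
    repo=$1 base=$2
    git -C "$repo" merge-base --is-ancestor "$base" HEAD || {
        echo "$repo: HEAD is not based on $base" >&2
        return 1
    }
    git -C "$repo" log --format='%h %s' "$base..HEAD"
}
```

In a tree managed by the `repo` tool, `repo manifest -r -o pinned.xml` records the same information as a manifest with fixed revisions.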