That would require an audit of all packages' build system to ensure
they only depend on what they claim.
Anything using "date" to embed a timestamp anywhere will not be
repeatable. Anything using /dev/urandom is unlikely to be repeatable.
(I can see collision-hardened hashes do that and hash ordering would
change. You would get in the build phase if that runs anything built.)