alt Hacker News> We cannot reproduce your source
This is the biggest issue we had, and we had to add a decent bit of complexity to our builds to support reproducible builds in the exact way they want. But the silly part is that our extension involves building a wasm file from Rust, and after some back and forth it turned out that they don't require it to be reproducible (despite being core of our extension and containing 99% of our logic), which honestly feels like it defeats the point - who cares if JS reproduces if you can hide any arbitrary possibly-malicious code in wasm.
For a while we were seriously considering putting our prebuilt wasm in the source package or on npm, just to make the "reproducible build" on AMO side simpler, despite this making it even further from how it's actually built.
What kind of harmful code could you put in WASM? You could return a string that you eval on the javascript side, so the reviewers could possibly ask for the WASM source if they saw the eval, but other than that the purpose of WASM is to be a safe sandbox after all, right?