This is a touch dramatic. The hash of the payload and the hash of the RPM header are still reproducible and can be verified. It's just that the existence of internal signatures makes it impossible to do a simple checksum of the file.


And thus RPM was not designed with easy user reproduction and signing by multiple independent parties for high accountability in mind. Most other package managers do not have this problem. This is a flaw that should be corrected.

Also, it takes a ton of work and testing and bug fixes and patches to get software reproducible. Assume most packages are not reproducible until proven otherwise. Arch, Debian, Nix, Guix all do that work and publish the proof, for several years, with far less resources than Red Hat or Fedora. Stagex even has 100% (shameless plug).

Easy user hash for hash reproducibility with published reproduction testing proofs is the standard baseline for years now, and even that is nowhere near good enough.

Multiple independently signed reproduction proofs with full source bootstrapping is IMO a bare minimum for any distro that expects other people to be able to trust it for more than hobby use cases.

Supply chain attacks are becoming very common, and no one should have to trust a single engineer somewhere with a god signing key for a major distro.

Also just to spot check a popular package in Fedora, rust, I just confirmed it still downloads a non-reproducible binary rust compiler to build its own rust package, so it is certainly not reproducible from source even putting aside the rpm signing format problems. Fedora blindly trusts whoever builds the binaries on the rust team. I can only assume RHEL does the same.

https://src.fedoraproject.org/rpms/rust/blob/8e04e725bbf4eb9...


It's a problem that can be easily fixed with tooling that's smart enough to just look inside the file. Detached signatures aren't necessarily better, just different.
