diff --git a/developer/general/package-contributions.md b/developer/general/package-contributions.md index 49410b47..bc52aae5 100644 --- a/developer/general/package-contributions.md +++ b/developer/general/package-contributions.md @@ -74,9 +74,11 @@ The review procedure is as follows: In all the cases, the first condition to be validated by the QCR's review is to ensure that the contribution **will not** hijack any core packages of [QubesOS] and of course, none of the [QubesOS-contrib] packages too. More precisely, particular attention to the whole build pipeline will be made with a specific review of: - Package dependencies, - - Build scripts, + - Build scripts (including downloaded ones), + - All downloaded components should be verified against static hash, - RPM/DEB installation scripts (e.g. looking at constraints who would hijack other packages), - Makefiles, + - Package build [reproducible] and any steps which would result in partial/total compromise of legitimate components. @@ -104,4 +106,4 @@ If you do not act on your maintainer duties for a given package for an extended [QubesOS]: https://github.com/QubesOS [QubesOS-contrib]: https://github.com/QubesOS-contrib [qubes-issues]: https://github.com/QubesOS/qubes-issues/issues/ - +[reproducible]: https://reproducible-builds.org/
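Review bot: in the first hunk, the new item "All downloaded components should be verified against static hash" is the only requirement-shaped entry in a list of review targets, and "static hash" does not say which hash or where the expected value is recorded; suggest restating it in the list's noun-phrase style, e.g. "- Integrity of all downloaded components (each pinned to an expected cryptographic hash, such as SHA-256, stored in the build sources)", and consider folding "Build scripts (including downloaded ones)" into it, since a downloaded build script is itself a downloaded component that this hash check must cover. The last added item, "Package build [reproducible] and any steps which would result in partial/total compromise of legitimate components", is also ungrammatical as a list entry; "Reproducibility of the package build ([reproducible]) and any build step that could partially or fully compromise legitimate components" reads cleaner and keeps the link to the new `[reproducible]` reference defined in the second hunk.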