Hacker News | foobazfoo's comments

Fantastic project. Thank you for all your efforts.

Regarding the reproducible bootstrapping problem, what is your project's policy on building from binary sources? For instance, Zig is written in zig and bootstraps from a binary wasm file which is translated to C: https://github.com/ziglang/zig/tree/master/stage1

Golang has an even more complicated bootstrapping procedure, requiring each successive version of the compiler to be built in order to get to the most recent version.


See the Bootstrappable Builds community. They do not allow a bootstrap that uses pre-generated files (binary or otherwise), except for an MBR's worth of commented machine code in hex.

https://bootstrappable.org/
https://lwn.net/Articles/983340/


Thanks! The kind of work I do is about making an existing operating system issue reproducible packages, to the point that you can install a system with reproducible-only packages. This assumes "trusted source code and compiler", but no more tampering by the build server, which is already quite the improvement from what we have right now.

To solve the need for trusted compilers (aka bootstrap from binary seeds) you're probably interested in https://bootstrappable.org/ and https://codeberg.org/stagex/stagex.

To solve the need for trusted source code there isn't really any solution besides "have people publicly document the source code they have read", like https://github.com/crev-dev/cargo-crev does. Often people ask "how do I know whose reviews to trust", but in reality there's a scarcity of reviews even if you're willing to trust literally anybody. There aren't really any incentives for people to make them; capitalism is failing us on that front, and big companies don't want to publicly talk about the source code they have and haven't read either.
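The "reproducible packages, so the build server can no longer tamper" point in the comment above, as an added example (not code from this thread or from any project it links): a constructed two-file package and a constructed fixed timestamp, archived once the naive way and once with normalised metadata. Only the normalised builder passes an independent-rebuild check, which is what gives a second party the ability to notice an altered output.

```python
import gzip
import hashlib
import io
import tarfile
import time

# Constructed sample package (path -> contents) and a fixed build timestamp
# in the spirit of SOURCE_DATE_EPOCH; both are made-up values for the example.
PACKAGE_FILES = {
    "share/doc/README": b"sample package\n",
    "bin/hello": b"#!/bin/sh\necho hello\n",
}
SOURCE_DATE_EPOCH = 1700000000

def build_naive(files):
    """Unprepared build: wall-clock mtimes and a clock-stamped gzip header,
    so two build servers never agree on the bytes and tampering hides in noise."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = time.time()
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_reproducible(files):
    """Normalised build: sorted member order, fixed mtime, owner and mode, and
    an explicit gzip header mtime (the gzip header carries its own timestamp,
    which tarfile would otherwise fill from the clock)."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=SOURCE_DATE_EPOCH) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for name in sorted(files):
                info = tarfile.TarInfo(name)
                info.size = len(files[name])
                info.mtime = SOURCE_DATE_EPOCH
                info.uid = info.gid = 0
                info.uname = info.gname = "root"
                info.mode = 0o644
                tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def artifact_hash(blob):
    return hashlib.sha256(blob).hexdigest()

def rebuild_matches(builder, files):
    """Independent-rebuild check: build twice and compare digests. Only a
    builder that passes lets a second party catch a build server that
    silently altered the output."""
    return artifact_hash(builder(files)) == artifact_hash(builder(files))
```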

