But I'd also say another way to do it is to build / cross-compile on two totally different machines, say Linux and OS X, or Linux and FreeBSD, or even a modern Debian and some Linux VM from 2005.
If the results are exactly the same, then I think it can be trusted.
I guess that's like Diverse Double-Compiling, but extended to the whole machine: https://dwheeler.com/trusting-trust/
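The "are the results exactly the same" step from the comment above, as an added shell example that is not from this thread or from any of the projects mentioned: it walks two build output directories (assumed to be the arguments) and reports every file that is missing on one side or differs byte for byte, returning non-zero unless the trees are identical.

```shell
#!/bin/sh
# Added example (not from the thread): compare two independently produced build
# trees file by file. Assumes POSIX sh, find and cmp, and file names without
# whitespace (a demo limitation, not a hardening claim).

# compare_builds DIR_A DIR_B
# Prints "MISSING <relpath> (only in DIR)" or "MISMATCH <relpath>" for every
# difference; returns 0 only when both trees hold the same files with
# byte-identical contents, which is the bar a reproducible build has to clear.
compare_builds() {
    a="$1"; b="$2"; status=0
    # Every file in A must exist in B and compare equal.
    for f in $(cd "$a" && find . -type f | sort); do
        if [ ! -f "$b/$f" ]; then
            echo "MISSING $f (only in $a)"; status=1
        elif ! cmp -s "$a/$f" "$b/$f"; then
            echo "MISMATCH $f"; status=1
        fi
    done
    # Files that exist only in B are also a reproducibility failure.
    for f in $(cd "$b" && find . -type f | sort); do
        if [ ! -f "$a/$f" ]; then
            echo "MISSING $f (only in $b)"; status=1
        fi
    done
    return $status
}

# Usage: sh compare_builds.sh out-from-host1 out-from-host2
if [ $# -eq 2 ]; then
    compare_builds "$1" "$2"
fi
```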
That is exactly what we do in StageX on which ReprOS is based.
Given all builds start from hex0, you can build from an Arch Linux host and I can build from a Debian host and we are still guaranteed identical results every time.
Every altered package is reproduced bit-for-bit identically by multiple different maintainers and signed every release.
Our entire distro and release process is built around addressing trusting trust attacks, which is why we must be 100% deterministic or we cannot ship a release.
Ah OK that's interesting ... so I guess ReprOS saves other projects the effort of doing that themselves!
I am honestly not sure how much effort it would be; I was thinking about doing it / verifying it for https://oils.pub/ , which has a large build process
But it may save time to use ReprOS. I'll look at it more - it sounds interesting!