Comment by tennysont

I was under the impression that most supply chain attacks target source code, not binaries, especially for large projects like OpenBSD.

Does StageX audit source code to the same extend that OpenBSD does? If not, then how would you compare the downgrade in security due to less code auditing vs the reassurance of reproducible builds?

Or, how would you compare StageX with Gentoo, in which the entire system is installed from source. Sure, you have to trust your initial installer, but how could I get a StageX system setup without first having access to a computer with some software installed? If we're at the point where we're worried that every Haskell program that has ever been compiled is owned, then I wonder why I should trust any software that might install StageX onto my computer, or the underlying hardware for that matter?