@civodul Yeah, my thoughts on reproducible builds have been along the lines of Ormandy's blog post above. I think the only advantage I can see is where I independently build and verify, but I want someone else to handle *distributing* binaries to my infrastructure. So, my trust is both that my machine wasn't compromised for that build because someone independently got the same result (assuming there's not an exploit in the "reproducible" build system! But I think the idea is generally that you had everything and *can* build offline/in your own intranet if desired), and that whoever else is distributing the package, they had to do the same as me.