I was able to build the Rust compiler almost purely from source via the
mrustc compiler. The necessary scripts and instructions are here:
There is still some work to be done to remove the dependency on the Cargo
binary and to vendor the sources that it currently downloads.
The diffoscope report, comparing against the distributed Linux binaries, is
here: https://github.com/devrandom/trust-rust/wiki/initial-report . It
would be cool to prove that the distributed binaries don't have
trusting-trust malware, but the diff is currently a bit large so not there
yet. However, just building from source should be enough for our purposes,
since it would let us audit the sources after the fact.
I would appreciate a review of the methodology / code.