Hi all, I was able to build the Rust compiler almost purely from source via the mrustc compiler. The necessary scripts and instructions are here:
https://github.com/devrandom/trust-rust There is still some work to be done to remove the dependency on the Cargo binary and to vendor the sources that it currently downloads. The diffoscope report, comparing against the distributed Linux binaries, is here: https://github.com/devrandom/trust-rust/wiki/initial-report . It would be cool to prove that the distributed binaries don't have trusting-trust malware, but the diff is currently a bit large so not there yet. However, just building from source should be enough for our purposes, since it would let us audit the sources after the fact. I would appreciate a review of the methodology / code.
