You can get a sense of what my team and I do from https://distrust.co/threatmodel.html

For information on stagex and how we do signed deterministic compiles across independently operated hardware, see https://stagex.tools

Stagex is used by governments, fintech, blockchains, AI companies, and critical infrastructure all over the internet, so our threat model must assume at least one computer or maintainer is compromised at all times and not trust any third-party compiled code in the entire supply chain.

Nice! I'd thought about doing something similar, but never went so far as to get where y'all are at! I got about to an LFS distro that I was in the process of picking apart GCC to see if I could get the thing verifiable. Can't say as I'm fond of the container-first architecture, but I understand why you did it, and my old fartness aside, keep up the good work! Now I have another project to keep an eye on. And at least 4 other people other than me that take supply chain risk seriously! Yay!
reply
Container-first here is mostly about build sandboxing and a packaging format where we avoid re-inventing the wheel and use standards to achieve toolchain diversity and minimalism. Docker is used as a default as it is the most popular, but you can build with a shell script in a chroot without much work, and we want to have several paths to build.

Also sxctl will download, verify, and install packages without a container runtime being installed at all.
