Got any ideas what you would like to see instead&#x2F;how to solve these pain points?I&#x27;ve looked into running my own hydra instance recently. It&#x27;s possible but I don&#x27;t have the machine that I could host it on for my purposes right now (I would want to mirror the fixed output derivations and be able to compile most things in ramfs).

I looked into nixos. First of all it has same problem as all other distros where you need to trust a signed image file.Secondly, on the page <a href="https:&#x2F;&#x2F;nix.dev&#x2F;contributing&#x2F;how-to-contribute" rel="nofollow">https:&#x2F;&#x2F;nix.dev&#x2F;contributing&#x2F;how-to-contribute</a> they say &quot;Currently the focus is on funding in-person events to share knowledge and grow the community of developers proficient with Nix. With enough budget, it would be possible to pay for ongoing maintenance and development of critical infrastructure and code – demanding work that we cannot expect to be done by volunteers indefinitely.&quot; So that means they want a centralized team.Third there&#x27;s an active topic there which shows clearly that the team behind nixos is centralized and corrupt and politically driven: <a href="https:&#x2F;&#x2F;discourse.nixos.org&#x2F;t&#x2F;why-was-jon-ringer-banned-from-github&#x2F;44114&#x2F;18" rel="nofollow">https:&#x2F;&#x2F;discourse.nixos.org&#x2F;t&#x2F;why-was-jon-ringer-banned-from...</a>This whole project smells like a honey pot. Centralized = bad.

Well as long as we can&#x27;t formally enforce security and end to end verify hw+sw we&#x27;ll have to live with varying amounts of trust and checks.Wrt reproducibility: NixOS minimal ISO is now 99+%, GNOME ISO at ~95% (measured heuristically as described there): <a href="https:&#x2F;&#x2F;reproducible.nixos.org" rel="nofollow">https:&#x2F;&#x2F;reproducible.nixos.org</a>Didn&#x27;t realize they have gotten this far already!The actual problem lies in the code that is packaged... A dev sneaking in malware in the CI&#x2F;CD pipeline would paint a huge target on their back because it&#x27;s easy to detect and normally few well-known members get to control this. Including malicious code in an obscure dependency however...

Where did I say that? Can you point to it? Or did you imagine it because you are incapable of understanding new ideas the first time that you read them and need numerous instances to chunk them away for later recognition?

so you are saying you dont care about your privacy but i dont understand how that is relevant

Risk is equal to severity of the outcome multiplied by the chance of that outcome. If I were running a bank, I&#x27;d probably be very careful about what Linux distros I use. But for my own personal data, I don&#x27;t think the CCP or Russia are going to be able to do anything meaningful based on my RedTube browsing history or my Wikipedia deep dives into penguin morphology.

I will assume everyone understands the security problem when a build isn&#x27;t reproducible. In short, just because something is open source, doesn&#x27;t mean the compiled application you&#x27;re downloading and installing hasn&#x27;t had any malicious modules added to it before being compiled. It&#x27;s not enough for something to be open source, it has to be reproducible as well.I don&#x27;t think there are any reproducible linux distros. Every one I have looked into requires you to download and install from an image file. That means you must trust the developer who signed that image because they could add all kinds of malicious code to it.We always suspected that winows, mac, android, ios are spyware for the intel agencies and now it has been proven that ios has a backdoor most likely put there by NSA.Why don&#x27;t we suspect the devs of linux distros to do the same thing?What do we really know about the people signing the image files? do you even know their names? 
It&#x27;s also a bit crazy how so many people trust SELinux when its made by NSA.Is this the reason why most people don&#x27;t bother trying to potect their data from the intel agencies? No one wants them doing their unconstitutional and illegal snooping in our data, them finding out that we like to listen to the rick roll music video but maybe it&#x27;s simply impossible to prevent that, 100% impossible no matter how hard you try.LSMs won&#x27;t help us when the distro itself is corrupted.Or do you actually trust that your distro image file that you installed from and any updates later aren&#x27;t compromised?
Tell me which distro you&#x27;re using and what you know about the devs who sign the image file and updates and why you trust them? Keep in mind they can be forced to compromising the distro and forced to keep silent.

How much do you trust your Linux distro devs?