You do realize that that's how all compilers are built right? Or did you think a magical compile fairy will come along and compile itself from source? Or did you expect an ASM only version of some basic compiler to take over?

Most compilers have a 2-3 stage "self build" process where the old version builds the new version usually in increments until there is a successful rebuild of the new version by the new version and that's then the binary you end up using. Of course some compilers use other languages to build themselves which is another story, but in the end if you'd really want to go from source completely you'd pretty much have to iterate back all the way to the first from-assembly stuff. I'm fairly sure that's not even possible anymore.

If "cc" here means any modern C compiler, would you please paste here or point to readily available instructions on how to do that?

That's exactly what it means and that's exactly why you don't need to compile it yourself.

If it's reproducible that means it's identical and therefore pointless to compile it yourself. If it's not reproducible that means that there's a risk that the pre-compiled version could contains stuff which you do not expect. As long as a few users verify that the code is identical everyone else doesn't have to.

There's nothing wrong with it, but neither do I think people should do it manually as there is no point in doing that as you don't gain anything from it.

The only people it should matter for is
- The rust servers building binaries for rustup
- The automated build machines run by distros who use their own packaged and frozen rust version
- A few users who verify that reproducible builds work

Yes it's stupid that firefox takes every rust release, but the firefox developers don't care because they don't build rust from source either because it's pointless.

It's very easy to modify firefox if you don't compile rust from source and modifying the rust compiler is as easy as modifying any other compiler, but when you do both that's when you are wasting your time. That's why I was asking if you compile every version of GCC/clang as well.

I'm not doing it manually, I want to do it automated as part of our Linux distribution build process (#t2sde). But as I said already rust & cargo are not very cooperative to be packaged as Linux distribution package. Which should already say everything about the state of their amazing software deployment methods.

Well I am one of those few users. What is the logic here. It seems you and moltonel are trying to shift focus from the initial question to "we can not do it, and that is why it is a stupid idea".

Why even advocating Rust when such sharp contradiction exist? It strives to be general purpose language and in the reality it implies that only a certain group of people will be able to use it without pain and suffering. Yes, majority of users do not care at all and they indeed should not. But still there are distro maintainers who say that supporting Rust-dependent packages and even Rust itself is absolute hell. And they do not say it about any of dozens other languages. Why this special treatment? Why it should be so?

As a reminder: like almost all rust users and distributors, I find bootstrapping rust from rust perfectly fine, I don't value bootstrapping rust from C++ (or whatever else higher in my day to day usage). If you want a purer bootstrap process, by all means do so, but expect some hoops to jump though. Getting to a reproducible build and other attributes is a worthy goal, help will be appreciated. But don't expect the whole community to rally to your cause: we've got other priorities, and we'd much rather use an uncertified language/compiler that prevents memory issues and provides seamless compiling/packaging than a certified one that has been shown to be a security minefield and has build systems that eat up productivity.

I'm curious: does t2sde bootstrap gcc using a certified reproducibly-built compiler ? Looking at http://t2sde.org/packages/gcc doesn't inform me on whether that's the case or whether the system's current compiler is used, in which case using rust-lang.org's binary is pretty much the same thing ? Did you look at other from-source distributions rust packages, like Gentoo or Arch ?

Gcc is for decades bootstrapped using the pre-existing system compiler, and then compiled again by itself. What does reproducible Rust compiler help me when the whole 150 cargo micro package stuff pulled form the internet is working against distribution packages and cluttering either the home, or a system-wide directory with 1.x GB of build artefacts?

So just another Rust defender who makes claims and speaks about things he never tried in practice and in fact do not understand what he claims. Most probably just repeating after his fellow sectarians. One respect point to you for not hiding that.

The situation is crystal clear. Rust developers are perfectly aware of their inability to prove chain of trust and they just don't care. So they insist that distribution maintainers should *lower* their standards but not that Rust developers should make them *higher*. Just for some reason their bold slogans do not include that fact.

Before you start whining about C is bootstrapped by C again: GCC chain of trust can be verified in a clean and deterministic manner and have been verified for many times and everyone interested is able to do that.

But Rust user base is so fed with those slogans and buzzwords that they just unable to accept that the concern is totally grounded and keep going in these endless defense circles. All you can add is another "everyone who does not accept our policy is stupid paranoid". Just what you are going to do in the comments below.

Please get lost and do not waste my time anymore.