Compiler Attacks - Diverse Double-Compiling(DDC)

Has the QubesOS project considered attacks on compilers in their threat modelling? Have they considered

employing Diverse Double-Compiling (DDC) to use two compilers (one of which has been reproducibly

built) to ensure source code matches the compiled machine code using two samples?


This would probably be a question for @marmarek.

Build security generally is something we care about, but before going through DDC, there are several prerequisite steps, including making all the packages reproducible in the first place - some already are, but not all.


can deterministic builds take place more easily at the library dependency level before inclusion into a package?