For better #security, ideally, we wouldn't pull binary packages from Debian's repository during the build of Whonix, but compile all packages from source code.
#sponsor-B would pay a #bounty for implementing this. We agreed to try #bountysource to get offers.
Some more info:
* add an option to `debootstrap` to compile and install all packages from source rather than downloading binary ones
* add an option to or wrapper around `apt-get` to allow installation/upgrade of packages from source code
* patches should be upstreamed to Debian
* bonus, that can be done later: have an option to modify compile flags per package, so we can for example enable compiling as PIE
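
A sketch of the `apt-get` wrapper idea with per-package compile flags, using mechanisms Debian already ships (`apt-get build-dep`, `apt-get source --compile`, and `DEB_BUILD_MAINT_OPTIONS` as read by `dpkg-buildflags`). This is an added example, not Whonix or Debian code; the function names, the `FLAGS_CONF` variable and the config file format are hypothetical.

```shell
#!/bin/sh
# Added example (not Whonix/Debian code). Hypothetical: function names, FLAGS_CONF,
# and the config format "<source-package> <DEB_BUILD_MAINT_OPTIONS value>" per line.
# Assumes deb-src entries are enabled in the APT sources of the build machine.
FLAGS_CONF="${FLAGS_CONF:-./build-flags.conf}"

# Per-package hardening options; packages without an entry get the default.
maint_options_for() {
    pkg="$1"; result="hardening=+all"
    if [ -r "$FLAGS_CONF" ]; then
        opt=$(awk -v p="$pkg" '$1 == p { print $2; exit }' "$FLAGS_CONF")
        [ -n "$opt" ] && result="$opt"
    fi
    printf '%s\n' "$result"
}

# Debian package names: lowercase alphanumerics plus "+", ".", "-", two or more
# characters, starting with an alphanumeric. Reject everything else.
valid_pkg() {
    case "$1" in
        ''|*[!a-z0-9+.-]*) return 1 ;;
        [a-z0-9]?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the commands that would build one package from source (dry run).
apt_src_plan() {
    pkg="$1"
    valid_pkg "$pkg" || { echo "invalid package name: $pkg" >&2; return 2; }
    opts=$(maint_options_for "$pkg")
    case "$opts" in
        *[!a-z0-9=+,-]*) echo "invalid options for $pkg: $opts" >&2; return 2 ;;
    esac
    echo "apt-get build-dep -y $pkg"
    echo "DEB_BUILD_MAINT_OPTIONS=$opts apt-get source --compile $pkg"
}

# Run the build for real; the resulting .deb files land in the current directory.
apt_src_build() {
    apt_src_plan "$1" >/dev/null || return
    apt-get build-dep -y "$1" &&
        DEB_BUILD_MAINT_OPTIONS=$(maint_options_for "$1") \
            apt-get source --compile "$1"
}
```

The environment variable only takes effect for packages whose `debian/rules` uses `dpkg-buildflags` and does not set `DEB_BUILD_MAINT_OPTIONS` itself, so the built binaries should still be checked for PIE rather than assumed to have it.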