For better security, ideally, we wouldn't pull binary packages from Debian's repository during the build of Whonix, but compile all packages from source code.
sponsor-B would pay a bounty for implementing this. We agreed to try bountysource to get offers.
For building packages from source code there is `apt-get source --compile pkg-name`, but for it to work one has to run `apt-get build-dep pkg-name` beforehand, which downloads binary packages. Is it possible to get to a point where all packages that are installed or updated are compiled from source code beforehand? Breaking the dependency loops seems difficult. Some more info:
If helpful, this ticket could be split into smaller tasks.
* add an option to `debootstrap` to compile all packages from their source packages rather than downloading binary ones
* add an option to or wrapper around `apt-get` to allow installation/upgrade of packages from source code
* patches should be upstreamed to and merged by Debian
* have an option to modify compile flags per package, so we can, for example, enable compiling as PIE
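As an added example (not code from this ticket, Whonix or Debian), the script below makes the dependency-loop problem concrete: it parses Build-Depends fields in debian/control syntax, maps binary build-dependencies back to the source packages that produce them, and reports a cycle that a pure source bootstrap would have to break with a prebuilt binary. The package names and the binary-to-source map are constructed.

```python
# Added example (not from the ticket): parse Build-Depends fields in debian/control
# syntax and report a build-dependency cycle. All data is constructed; real fields
# would come from `apt-cache showsrc`, which is deliberately not called here.
import re

# Constructed source packages and their Build-Depends (not real Debian metadata).
SAMPLE_BUILD_DEPENDS = {
    "foo": "debhelper (>= 9), libbar-dev (>= 1.2) | libbaz-dev, python3 [linux-any]",
    "bar": "debhelper (>= 9), libfoo-dev <!nocheck>",
    "baz": "debhelper",
    "debhelper": "",  # stand-in bootstrap root with no build-deps
}
# Constructed map from binary package name to the source package that builds it.
BINARY_TO_SOURCE = {"libbar-dev": "bar", "libbaz-dev": "baz", "libfoo-dev": "foo"}

def parse_build_depends(field):
    """Return a list of alternative groups; version constraints "(>= 9)",
    architecture restrictions "[linux-any]" and build profiles "<!nocheck>" are dropped."""
    groups = []
    for item in field.split(","):
        alts = [re.sub(r"\(.*?\)|\[.*?\]|<.*?>", "", a).strip() for a in item.split("|")]
        alts = [a for a in alts if a]
        if alts:
            groups.append(alts)
    return groups

def source_graph(build_depends, binary_to_source):
    """Map each source package to the source packages it needs built first (first alternative only, like apt-get build-dep)."""
    return {src: sorted({binary_to_source.get(g[0], g[0]) for g in parse_build_depends(f)})
            for src, f in build_depends.items()}

def find_cycle(graph):
    """Depth-first search; return one cycle as a closed node list, or [] if acyclic."""
    state, path = {}, []  # state: 1 = on the current path, 2 = finished
    def visit(node):
        state[node] = 1
        path.append(node)
        for dep in (d for d in graph.get(node, ()) if d in graph):  # unknown deps: assumed prebuilt
            if state.get(dep) == 1:
                return path[path.index(dep):] + [dep]
            cycle = [] if dep in state else visit(dep)
            if cycle:
                return cycle
        path.pop()
        state[node] = 2
        return []
    for node in graph:
        cycle = [] if node in state else visit(node)
        if cycle:
            return cycle
    return []
```

With the constructed data, `find_cycle(source_graph(SAMPLE_BUILD_DEPENDS, BINARY_TO_SOURCE))` returns `["foo", "bar", "foo"]`: foo needs bar's `libbar-dev` and bar needs foo's `libfoo-dev`, so one of them has to come from a binary package first.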
1) Go to https://www.bountysource.com/issues/9115540-build-debian-packages-from-source-code
2) Click on "Developers"
3) Click on "Get Started"
4) Select Status "Bounty too low"
5) Enter your offer and press "Save".