For better security, ideally we would not pull binary packages from Debian's repository during the Whonix build at all, but compile every package from source code.
sponsor-B would pay a bounty for implementing this. We agreed to try bountysource to get offers.
For building packages from source code, there is `apt-get source --compile pkg-name`. But for it to work, one has to run `apt-get build-dep pkg-name` beforehand, which downloads binary packages. Is it possible to get to a point where every package that is installed or updated has been compiled from source code beforehand? Breaking the build-dependency loops seems difficult. Some more info:
* add an option to `debootstrap` to compile all packages from source rather than installing downloaded binary ones
* add an option to or wrapper around `apt-get` to allow installation/upgrade of packages from source code
* patches should be upstreamed to Debian
* bonus (can be done later): have an option to modify compile flags per package, so that we can, for example, enable compiling as PIE
If helpful, this ticket could be split into smaller tasks.
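The dependency loops mentioned above can be made visible before a from-source build is attempted. The following added example (not Whonix or Debian code) parses constructed `apt-cache showsrc`-style `Build-Depends` fields, maps `-dev` binary packages to their source packages through an assumed lookup table, and reports the cycles a depth-first search finds; those are the loops that have to be broken (e.g. by bootstrapping a few packages from binaries first) before everything can be built from source.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `apt-cache showsrc` output; the
# dependencies are made up and are NOT the real Debian data for these names.
SAMPLE_SHOWSRC = """\
Package: foo
Build-Depends: debhelper (>= 12), libbar-dev (>= 2.0) [amd64], libbaz-dev <!nocheck>
Package: bar
Build-Depends: debhelper, libfoo-dev | libfoo-compat-dev
Package: baz
Build-Depends: debhelper
Package: debhelper
Build-Depends: perl
Package: perl
Build-Depends: debhelper
"""

# Assumed mapping from binary package to the source package that builds it.
BINARY_TO_SOURCE = {"libbar-dev": "bar", "libbaz-dev": "baz",
                    "libfoo-dev": "foo", "libfoo-compat-dev": "foo"}

def parse_build_depends(field):
    """Source packages named in one Build-Depends field. Version constraints,
    architecture qualifiers and build profiles are dropped; for alternatives
    (a | b) only the first alternative is taken."""
    deps = []
    for clause in field.split(","):
        first = clause.split("|")[0].strip()
        name = re.sub(r"\s*[\(\[<].*$", "", first)  # strip (ver) [arch] <profile>
        if name:
            deps.append(BINARY_TO_SOURCE.get(name, name))
    return deps

def build_graph(showsrc_text):
    """Map each source package to the source packages it build-depends on."""
    graph, src = defaultdict(list), None
    for line in showsrc_text.splitlines():
        if line.startswith("Package: "):
            src = line.split(": ", 1)[1]
            graph.setdefault(src, [])
        elif line.startswith("Build-Depends: ") and src:
            graph[src].extend(parse_build_depends(line.split(": ", 1)[1]))
    return dict(graph)

def find_cycles(graph):
    """Cycles found via DFS back edges (not necessarily every elementary cycle),
    each rotated to start at its smallest name so it is reported once."""
    cycles, path, seen = [], [], set()
    def visit(node):
        if node in path:
            cyc = path[path.index(node):]
            k = cyc.index(min(cyc))
            if cyc[k:] + cyc[:k] not in cycles:
                cycles.append(cyc[k:] + cyc[:k])
            return
        if node in seen:
            return
        seen.add(node)
        path.append(node)
        for dep in graph.get(node, []):
            visit(dep)
        path.pop()
    for n in graph:
        visit(n)
    return cycles

if __name__ == "__main__":
    for cyc in find_cycles(build_graph(SAMPLE_SHOWSRC)):
        print("build-dependency loop:", " -> ".join(cyc + [cyc[0]]))
```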