Comment by benlivengood
5 years ago
> And I guess, for those super-critical builds, don't rely on anything but the distro repos or upstream downloads for tooling?
You can build more tooling by building it in the trusted build environment using trusted tools. Not everything has to be a distro package, but the provenance of each binary needs to be verifiable. That can include building your own custom tools from a particular commit hash that you trust.
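An added example, not part of the original comment: one way to make a custom tool's provenance checkable is to record the pinned commit and the binary's digest when it is built in the trusted environment, then refuse to use the tool if the binary no longer matches. The manifest layout, function names, repository URL and commit hash are hypothetical.

```python
import hashlib
import hmac
import re
from pathlib import Path

# Full git object id only (SHA-1, or SHA-256 repos); branches, tags and
# abbreviated hashes can be moved or collide, so they are rejected.
FULL_COMMIT = re.compile(r"[0-9a-f]{40}(?:[0-9a-f]{24})?")


def sha256_file(path):
    """Stream the file so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_provenance(binary, source, commit, trusted_commits):
    """Run inside the trusted build environment right after building a tool."""
    if not FULL_COMMIT.fullmatch(commit):
        raise ValueError("pin a full commit hash, not a branch, tag or prefix")
    if commit not in trusted_commits:
        raise ValueError(f"commit {commit} is not on the reviewed list")
    return {"tool": Path(binary).name, "source": source,
            "commit": commit, "sha256": sha256_file(binary)}


def verify_tool(binary, manifest):
    """Gate before a critical build step: return the record or refuse."""
    name = Path(binary).name
    record = manifest.get(name)
    if record is None:
        raise PermissionError(f"{name}: no provenance record, refusing to use")
    if not hmac.compare_digest(sha256_file(binary), record["sha256"]):
        raise PermissionError(f"{name}: binary differs from the recorded build")
    return record


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        tool = Path(tmp) / "mytool"                 # constructed stand-in binary
        tool.write_bytes(b"constructed tool bytes")
        commit = "0123456789abcdef0123456789abcdef01234567"  # constructed hash
        rec = record_provenance(tool, "https://example.invalid/mytool.git",
                                commit, {commit})
        print(verify_tool(tool, {rec["tool"]: rec})["commit"])
```

The check is only as trustworthy as the manifest, so the manifest has to be kept (or signed) inside the trusted environment rather than alongside the binaries it describes.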