> If Firefox has vulnerabilities in the source right now, you do little to protect yourself by compiling on your own.
You do more to protect yourself than taking the same vulnerable source and compiling it with Mozilla's "reproducible build chain".
If the source itself is corrupt then having a verified build of malicious source is completely useless.
With Gentoo you can verify the source itself matches the "trusted" upstream source and then build it with your own trustworthy build chain.
And before you go "what if your build chain isn't trustworthy huh????" think about it a little further... if your own local build chain can't be trusted you're already screwed even before you download anything from mozilla.org, just as you'd be if you downloaded a "bit verified" binary from mozilla to run on your already-pwned local operating system.
No you don't. You do nothing to protect yourself from vulnerabilities in the code by compiling it yourself. Literally nothing.
You do protect yourself from vulnerabilities in their toolchain. And this is where the effort makes sense. If there are differences in the builds, then you can at least suspect one of you has a tampered environment. Right now, you have no way of knowing that one way or the other. You just have the joy of having done your own build.
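An added example, not written by anyone in this thread, that puts the two checks argued over above into code: verifying a downloaded source archive against a Manifest entry (the "source matches trusted upstream" step the Gentoo post describes) and comparing the artifacts of two independent builds (the reproducible-build comparison the reply says would let you suspect a tampered environment). The Manifest line is modelled on Gentoo's `DIST <file> <size> BLAKE2B <hex> SHA512 <hex>` format; the archive contents, file names and build outputs are constructed samples, and `demo()` is a hypothetical driver that wires them together.

```python
"""Source-verification and build-comparison checks (constructed example)."""
import hashlib
import hmac
import os
import tempfile


def manifest_line(name: str, data: bytes) -> str:
    """Produce a Gentoo-style DIST line for sample data (assumed format:
    DIST <file> <size> BLAKE2B <hex> SHA512 <hex>)."""
    return "DIST {} {} BLAKE2B {} SHA512 {}".format(
        name, len(data),
        hashlib.blake2b(data).hexdigest(),
        hashlib.sha512(data).hexdigest())


def verify_dist(path: str, line: str) -> bool:
    """Return True only if the file matches size, BLAKE2B and SHA512 of the DIST line."""
    fields = line.split()
    if (len(fields) != 7 or fields[0] != "DIST"
            or fields[3] != "BLAKE2B" or fields[5] != "SHA512"):
        raise ValueError("unexpected Manifest line format")
    expected_size = int(fields[2])
    b2, s512, size = hashlib.blake2b(), hashlib.sha512(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):   # stream, tarballs are large
            size += len(chunk)
            b2.update(chunk)
            s512.update(chunk)
    # All three fields must agree; compare_digest keeps the comparison constant-time.
    return (size == expected_size
            and hmac.compare_digest(b2.hexdigest(), fields[4])
            and hmac.compare_digest(s512.hexdigest(), fields[6]))


def _hash_tree(root: str) -> dict:
    """Map each file under root (POSIX-style relative path) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out


def compare_builds(tree_a: str, tree_b: str) -> dict:
    """Report per-artifact status of two builds: match / differ / only in A / only in B.
    Any 'differ' entry is the signal that one side's toolchain or inputs deserve suspicion."""
    a, b = _hash_tree(tree_a), _hash_tree(tree_b)
    report = {}
    for rel in sorted(set(a) | set(b)):
        if rel not in a:
            report[rel] = "only in B"
        elif rel not in b:
            report[rel] = "only in A"
        elif a[rel] == b[rel]:
            report[rel] = "match"
        else:
            report[rel] = "differ"
    return report


def demo():
    """Hypothetical driver: constructed archive, Manifest line and two build trees."""
    src = b"firefox-sample-source\n" * 1000            # stand-in for a source tarball
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "firefox-sample.tar.xz")
        with open(good, "wb") as fh:
            fh.write(src)
        line = manifest_line("firefox-sample.tar.xz", src)
        ok = verify_dist(good, line)

        bad = os.path.join(tmp, "firefox-tampered.tar.xz")
        with open(bad, "wb") as fh:
            fh.write(src[:-1] + b"!")                   # one byte changed, same size
        tampered = verify_dist(bad, line)

        # Two independent builds of the same source; build B's library got extra bytes.
        for build in ("A", "B"):
            os.makedirs(os.path.join(tmp, build, "lib"))
            with open(os.path.join(tmp, build, "firefox"), "wb") as fh:
                fh.write(b"main binary")
            with open(os.path.join(tmp, build, "lib", "libxul.so"), "wb") as fh:
                fh.write(b"same library bytes")
        with open(os.path.join(tmp, "B", "lib", "libxul.so"), "ab") as fh:
            fh.write(b" plus injected bytes")
        report = compare_builds(os.path.join(tmp, "A"), os.path.join(tmp, "B"))
    return ok, tampered, report


if __name__ == "__main__":
    print(demo())
```

The two checks answer different questions: `verify_dist` tells you the bytes you are about to compile are the ones the Manifest signer vouched for, while `compare_builds` tells you whether two build environments turned those bytes into the same artifacts. Neither says anything about vulnerabilities in the source itself, which is the point both posts above agree on.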
My main question is still just one of magnitude. Consider, I have not had a wreck or other car mishap in 20 years. I could conclude that seatbelts, then, have not increased my safety really. I am not trying to make that claim, as I feel it is false. So, my question here is essentially, how much safer would this really make things? (Or trustworthy, if you'd rather that term.)