>gentoo linux is actually based on non-free software
nobody claims otherwise
>gcc
gcc *is* free software you dumb shit
>the gcc source code isn't enough to compile gcc: you already need a precompiled gcc binary and there's no way to make that without gcc.
yes yes, the age-old question of what came first, the program or the compiler; the answer is other compilers came first, which bootstrapped compiling gcc until gcc was self hosting as points out
"b-but how did the first compilers come about?"; they were compiled by hand
nonfree (trusted) compiler > free source (gcc) > gcc binary > free source (gcc) > free gcc binary
auditing the final binary is as easy as having two or more different initial compilers where only one ever needs to be trusted insofar as they're not all infected with the exact same virus, otherwise none of them need to be trusted to produce a trusted final gcc binary
>The CIA could easily infect that binary with a virus too.
how are they going to do this, exactly? gcc from gentoo is going to be about as trusted as gcc from literally any other distro, and sources obtained through portage are all signed, so the only way to infect the local copy of gcc is through already having privileged access, and if they have local access why the fuck would they be interested in performing a niche complicated attack that is just as susceptible to a clean reinstall as literally anything else?
>How do you know it's not putting keyloggers or backdoors into your music player etc.
>how do I security audit, mom?
this is by far the dumbest interpretation of the chain of trust issue I've ever seen, I wish the mods would do something about the 12 year olds on the board
(as a note, gentoo is more susceptible to this type of attack, but the attack is irrelevant if they need privileged access in the first place)
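
Added example, not part of the original post: a toy Python model of the two-compiler check described above (known as diverse double-compiling). The binary model, the `vendor-a-cc`/`vendor-b-cc` names and the `payload` flag are constructed for illustration, and the model assumes the gcc build is deterministic.

```python
import hashlib
import json

# Constructed stand-in for the audited gcc source tree.
GCC_SOURCE = {"name": "gcc", "is_compiler": True}

def binary(behaves_as, emitted_by, payload=False):
    """Toy compiler binary: what it implements, which code generator wrote
    its bytes, and whether it carries a hidden self-propagating payload."""
    return {"behaves_as": behaves_as, "emitted_by": emitted_by, "payload": payload}

def compile_with(compiler, source):
    """Model a deterministic build: output behaviour comes from the source,
    output bytes come from the code generator the compiler implements. A
    compromised compiler copies its payload into any compiler it builds."""
    return binary(source["name"], compiler["behaves_as"],
                  compiler["payload"] and source["is_compiler"])

def digest(b):
    """Stable hash of a toy binary, standing in for hashing the real file."""
    return hashlib.sha256(json.dumps(b, sort_keys=True).encode()).hexdigest()

def ddc(bootstrap_a, bootstrap_b, source=GCC_SOURCE):
    """Build gcc twice from each bootstrap compiler and compare stage 2."""
    stage2 = []
    for boot in (bootstrap_a, bootstrap_b):
        stage1 = compile_with(boot, source)          # bytes differ per bootstrap
        stage2.append(compile_with(stage1, source))  # both emitted by gcc logic
    return digest(stage2[0]) == digest(stage2[1]), stage2

if __name__ == "__main__":
    # Hypothetical, unrelated bootstrap compilers (constructed).
    cc_a = binary("vendor-a-cc", "unknown")
    cc_b = binary("vendor-b-cc", "unknown")
    cc_a_bad = binary("vendor-a-cc", "unknown", payload=True)
    cc_b_bad = binary("vendor-b-cc", "unknown", payload=True)
    print("both clean, stage 2 identical:", ddc(cc_a, cc_b)[0])
    print("one compromised, stage 2 identical:", ddc(cc_a_bad, cc_b)[0])
    print("same payload in both, stage 2 identical:", ddc(cc_a_bad, cc_b_bad)[0])
```

A stage 2 mismatch flags a compromised bootstrap compiler; the third case shows the limit the post mentions, where identical payloads in every bootstrap compiler produce matching output and go unnoticed.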