I would never ever trust Linux from a vendor. If it's not installed by myself, I refuse to use it.

When you accept government gift in approval consider it tapped. At any point they can return to the vendor and go "install this". No? Okay bye to your certification.

Call me paranoid.

> I would never ever trust Linux from a vendor. If it's not installed by myself, I refuse to use it.

I bet you would, though, if the built OS image were 100% reproducible except for the signature. Once you have a fully reproducible Linux OS build, you can literally copy paste the cryptosig from the vendor and it will work with the image you built yourself from source that you inspected yourself. Then it’s impossible for the government to tap it without breaking the reproducible image checksum and thus the published cryptosig. It’s a better defense than any warrant canary would be, and it satisfies your concerns fully.

Arch shows only 15 packages left for their core OS to be built reproducibly; what I don’t see at their dashboard is the state of their ISO build reproducibility, but I imagine that’s the same as the core, so maybe it’s just unstated for obviousness. https://reproducible.archlinux.org/

Does GrapheneOS publish their repro build efforts as a dashboard anywhere?