Consider building tor-browser-build containers with Bitcoin Core's Guix-based system
Bitcoin Core recently merged a PR from Carl Dong (from Chaincode Labs) that allows building Bitcoin Core using containers that are constructed via GNU Guix, instead of using an OS ISO or debootstrap. This provides better security against supply-chain attacks by reducing the amount of trusted binary code used to bootstrap the build system. Bitcoin Core intends to use Carl's system as a replacement for Gitian.
It would be interesting to investigate whether tor-browser-build could transition to constructing its containers via Bitcoin Core's new system instead of using debootstrap.
A talk that Carl gave at Breaking Bitcoin about the new system is here:
https://www.youtube.com/watch?v=I2iShmUTEl8
A transcript of Carl's talk (transcribed by Bryan Bishop) is here:
https://diyhpl.us/wiki/transcripts/breaking-bitcoin/2019/bitcoin-build-system/
Here's the PR that Carl submitted to Bitcoin Core:
https://github.com/bitcoin/bitcoin/pull/15277
And here's the documentation in Bitcoin Core's master branch:
https://github.com/bitcoin/bitcoin/tree/master/contrib/guix
GNU/Linux targets are already working and are merged; macOS and Windows are working as well, but I think Carl hasn't gotten those merged into Bitcoin Core yet. I have no idea what the situation is with Android/Linux.
Bitcoin Core isn't yet using Carl's system to build their official binaries, so it might be wise for Tor to let Bitcoin Core torture-test the code a bit in production first, but it does look like a very nice system, and it would be great to see it used for Tor Browser in the future.