See the sovereign tech fund web site: https://www.sovereign.tech/tech

Arch Linux's package management is only one out of many open source projects that are being financially supported.

I think the tweet is just FUD (Fear, Uncertainty and Doubt)

"Rust is self-hosting: To build a new rustc, you need an existing rustc binary (usually the previous stable release). This creates a chain of trust that goes back to the very first bootstrap (historically from OCaml, but modern versions rely on prior Rust binaries).

If any link in that historical chain was ever compromised the backdoor can live on indefinitely.

Unlike C/C++ (which has diverse independent compilers like GCC, Clang, MSVC), Rust has essentially one production compiler (rustc). This makes diverse double-compilation (DDC), the main defense, much harder. DDC involves compiling the compiler source with multiple independent compilers and checking that the outputs match (proving the binary corresponds to the source). With only one mature compiler, you can't easily cross-verify.

There have been public demonstrations of exactly this kind of attack working on Rust (e.g., Manish Goregaokar's "Reflections on Rusting Trust" in 2016."

https://x.com/lmilsfsd/status/2011920950070046787

This just post just seems like a conspiracy theory.

To quote a commenter on X:

> There's no way you're this retarded