by dbaupp 3039 days ago
If you're trying to encourage people to implicitly trust as few things as possible, I'm not sure your suggested steps are enough: there's no connection between the code in pgen on crates.io and that repository. Even setting aside the prebuilt rust and cargo, I think there would have to be a guarantee that the code being built is the code the suspicious user actually inspected:

  git clone https://github.com/ctsrc/pgen
  cd pgen
  less src/main.rs build.rs # etc.
  cargo install --path . # installs the package in the current directory (current cargo requires --path; the bare form is no longer accepted)
And, one would have to somehow do the same for the dependencies clap and rand, to ensure the code that is built is the code that is inspected.

It's true that avoiding pre-built binaries does avoid issues with the computer that builds them, and problems with the distribution mechanism, but instead distributing as source from external package repositories (and packages maintained by others) seems like it's losing convenience without gaining much security.

In any case, neat project! I like the option to throw physical dice.
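The gap the comment points at, that nothing ties the `.crate` Cargo downloads to the checkout a reviewer actually read, can be closed per package with two mechanical checks: the archive must hash to the `checksum` pinned in `Cargo.lock` (Cargo verifies this itself, but it only proves you got the archive the lock file names, not that it matches the repository), and the unpacked archive must contain nothing beyond what is in the inspected tree. The script below is an added example, not code from the comment or from the pgen project; it assumes the standard `.crate` layout (a gzipped tar rooted at `<name>-<version>/`) and the `Cargo.lock` v3 format, and the crate name `demo-crate`, the version, the source files and the lock file in it are constructed for the demo.

```python
"""Check that the crate Cargo will compile is the source tree a reviewer inspected.

Added example (not part of the original comment or of pgen). Assumes:
  * a .crate is a gzipped tar whose entries live under "<name>-<version>/";
  * Cargo.lock v3, where registry packages carry checksum = "<sha256 of .crate>".
All sample data at the bottom is constructed so the checks run offline.
"""
from __future__ import annotations

import hashlib
import io
import re
import sys
import tarfile
from pathlib import Path

# Files `cargo package` adds to the archive; a git checkout never has them.
PACKAGING_ONLY = {"Cargo.toml.orig", ".cargo_vcs_info.json", "Cargo.lock"}


def crate_sha256(crate_bytes: bytes) -> str:
    return hashlib.sha256(crate_bytes).hexdigest()


def lock_checksums(lock_text: str) -> dict[tuple[str, str], str]:
    """(name, version) -> pinned sha256 hex for every registry package in Cargo.lock."""
    out = {}
    for block in lock_text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        version = re.search(r'^version = "([^"]+)"', block, re.M)
        checksum = re.search(r'^checksum = "([0-9a-f]{64})"', block, re.M)
        if name and version and checksum:
            out[(name.group(1), version.group(1))] = checksum.group(1)
    return out


def crate_matches_lock(crate_bytes: bytes, name: str, version: str, lock_text: str) -> bool:
    """Check 1: the archive on disk is the one Cargo.lock pins."""
    expected = lock_checksums(lock_text).get((name, version))
    return expected is not None and crate_sha256(crate_bytes) == expected


def crate_files(crate_bytes: bytes) -> dict[str, bytes]:
    """Unpack a .crate into {relative path: content}, dropping packaging-only files."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                rel = member.name.split("/", 1)[1]  # strip "<name>-<version>/"
                if rel not in PACKAGING_ONLY:
                    files[rel] = tar.extractfile(member).read()
    return files


def checkout_files(root: Path) -> dict[str, bytes]:
    """Read the inspected checkout into {relative path: content}, skipping .git/ and target/."""
    files = {}
    for p in root.rglob("*"):
        parts = p.relative_to(root).parts
        if p.is_file() and ".git" not in parts and "target" not in parts:
            files["/".join(parts)] = p.read_bytes()
    return files


def diff_trees(inspected: dict[str, bytes], crate: dict[str, bytes]) -> list[str]:
    """Check 2: anything the crate adds to, or changes from, the inspected tree.
    Files only in the checkout (CI config, excluded tests) are not flagged: they
    never reach the compiler."""
    findings = []
    for rel in sorted(crate):
        if rel not in inspected:
            findings.append(f"only in crate: {rel}")
        elif inspected[rel] != crate[rel]:
            findings.append(f"differs: {rel}")
    return findings


# --- constructed sample data (stand-ins for crates.io output, not real crates) ---

def build_crate(name: str, version: str, files: dict[str, bytes]) -> bytes:
    """Produce an archive with the same layout `cargo package` emits."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for rel, data in files.items():
            info = tarfile.TarInfo(f"{name}-{version}/{rel}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sample_lock(name: str, version: str, checksum: str) -> str:
    """Minimal Cargo.lock (v3 layout) pinning one registry package."""
    return (
        "# This file is automatically @generated by Cargo.\nversion = 3\n\n"
        f'[[package]]\nname = "{name}"\nversion = "{version}"\n'
        'source = "registry+https://github.com/rust-lang/crates.io-index"\n'
        f'checksum = "{checksum}"\n'
    )


SAMPLE_SRC = {  # what the reviewer read in the git checkout (constructed)
    "Cargo.toml": b'[package]\nname = "demo-crate"\nversion = "0.1.0"\n',
    "src/main.rs": b'fn main() { println!("hello"); }\n',
}

if __name__ == "__main__":
    # Real use: verify_crate.py <checkout> <file.crate> <Cargo.lock> <name> <version>
    # The downloaded .crate sits under ~/.cargo/registry/cache/<index>/.
    checkout, crate_path, lock_path, name, version = sys.argv[1:6]
    crate_bytes = Path(crate_path).read_bytes()
    print("checksum matches Cargo.lock:",
          crate_matches_lock(crate_bytes, name, version, Path(lock_path).read_text()))
    for line in diff_trees(checkout_files(Path(checkout)), crate_files(crate_bytes)):
        print(line)
```

The same two checks have to be run for every dependency (here, clap and rand) against their own upstream checkouts, which is exactly the effort the comment says avoiding a prebuilt binary does not spare you; note that neither check says anything about the toolchain that does the compiling.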