[q66]

the above is not entirely correct, alpine does have and always had signed packages

in the other aspects most distros are generally not much or at all better, since all that stuff is hard and takes extra infrastructure

in chimera we try to make source bootstrap possible and in general not rely on third party executables, but it's not always possible (e.g. some language toolchains were bootstrapped from official binaries originally) and we try to respect best practices for reproducibility (pretty sure alpine does too) but actually verifying it would need dedicated infra/resources, so we don't do it