For supply-chain security, you need basically two things; 1) audit all the source code 2) build the source code (almost) without using any binaries.

The CREV folks are working on distributed code review, and the Bootstrappable Builds folks are working on building an entire Linux distro without any existing binaries, starting from an MBR worth of commented machine code.

https://github.com/crev-dev/ https://bootstrappable.org/ https://lwn.net/Articles/983340/