I'm working on a fully static-link as first class, fully correct `pkg-config` information, fully re-`ar`'d (e.g. `-labsl`, `-lboost`, many other difficult deps work already) set of libraries that default in `libressl`, `musl`, and other pro-user / anti-telemetry choices expressed as overlays on `nixpkgs` that build .deb files (among other things) to leverage the enormous package set to get a complete system with an effort realistic for an individual to bootstrap to the "interesting" phase.
This uses bad things (cmake-only, Debian policy agenda) things that work against their creators: cmake outputs enough information to create correct `pkg-config` for example.
This would make it realistic to zero-backdoor an Ubuntu-style system.
For 30 years Linus has been holding the line on a stable kernel ABI and only FAANGs and HFT shops have reaped the full benefits.