I often wonder about what priorities lead to the kind of focus on the build system as a supply chain attack vector. It seems unusual that you are in a position where you have a chunk of code you want to build and have to trust the system that builds it but not the code, especially in a situation where such concerns can't be adequately addressed through sandboxing the build system. Personally, if I were concerned about the supply chain, I wouldn't worry about 5.6k lines of Rust code running during the build and more about the >200k (extremely conservative estimate) lines running on the actual system. (Not that you can ignore the build system, since of course it can inject code into the build; just that it's such a small part of the workload of reviewing the dependencies that it shouldn't really be worth mentioning.)
I guess the major thing is opening up the code to review it in an editor of choice and then having an LSP server running the build scripts automatically without you realizing it.
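Added note, not part of any comment in this thread: the behaviour described above (an editor's language server running a crate's build scripts and proc macros as soon as the project is opened) is the default in rust-analyzer, and it can be switched off per workspace before reviewing untrusted code. The fragment below is a VS Code `settings.json` snippet using rust-analyzer's own setting names; it is an added example, and the trade-off is that analysis of crates that rely on generated code or macro expansion becomes less complete while it is in effect.

```json
{
  "rust-analyzer.cargo.buildScripts.enable": false,
  "rust-analyzer.procMacro.enable": false
}
```

With both settings false, opening the tree only parses and type-checks the source; nothing from the dependency graph is compiled or executed until you deliberately run `cargo build` yourself, which is the point at which the review of the build scripts should already have happened.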
Reviewing code that you don't trust seems to be a pretty logical thing, and most people probably wouldn't expect that opening the code up in their favorite editor could cause their system to be harmed!