@Lachu: the official Nim packages in Debian are using reproducible builds successfully.
@cheatfate: sounds like you are describing staticRead and staticExec as a way to obfuscate malicious code. There are many other ways to obfuscate Nim code, e.g. with complex macros. I wonder if sandboxing a build would be effective when the run is not sandboxed. OTOH sandboxing both build and run is certainly a good thing. Yet, I see value in sandboxing Nimble builds to improve reproducibility across different hosts / OSes to help debugging.