…by “trustworthy”, I mean something more like the CompCert compiler for C. Since that Guix article briefly mentioned it, Ken Thompsons “trusting trust” attack involves the surreptitious addition of self-propagating code during the compilation process. Using something like CompCert would seem to make such an activity vastly more difficult.
The only other mitigation technique I’m aware of is described by Yrjan Skrimstad in his thesis, which involves the use of multiple compilers…an approach not currently applicable to Haskell, as there’s currently only one widely-supported compiler.
One detail that seems to have been overlooked in this endeavour is the ongoing maintenance required to keep it working - it’s next to useless to have this work only once. I would have thought the rasion d’être of bootstrapping is for someone in the future to be able to repeat the process, in order to assure themselves that Haskell is still “soundly-sourced”…any volunteers for maintaining Hugs again after all these years?
At the risk of being repetitive: I strongly suggest contacting the bootstrappable project about the “acceptability” of using Hugs in this way before investing any serious effort into doing so. Assuming they approve: all the best with this endeavour - it would certainly be an interesting one to watch!