I'm fairly sure fsharp has always been open source, or at least it was open sourced very early. Somewhat pioneering of MS approach to licensing basic development tools.
You're still going to have to download a binary from Microsoft. This is the nature of self-hosting compilers. It would be nice if there were an alternative implementation (say, a gcc or llvm front end) that you could bootstrap it from, but that's not how it is right now.
This creeped me out just enough that I haven't played with it. Microsoft has changed a lot but downloading Linux binaries from them is still just a bit too much.
The F# compiler seems to be written in F#. Therefore, you need to already have an F# compiler to build it. That GitHub repo mentions that "You will also need the latest .NET 5 SDK", which looks like it includes F#. (Presumably, when the language was first written, there existed a compiler written in some other language. However, that compiler is almost certainly not maintained anymore, so it wouldn't be able to compile today's compiler, which probably uses language features added since then.)
None? That's not what they are arguing against. You can see and compile the F# code, but since to do that you need to use an already-built compiler provided by Microsoft, you need to trust it.
Even compiling the compiler and then using that compiler to compile your code doesn't help, because the first compiler, which was compiled by someone else, might tamper with the resulting compiler binary.
So why are you still looking for issues when there are solutions avoiding their stated objection?
> Even compiling the compiler and then using that compiler to compile your code doesn't help
So what's the threat model now? That MS will risk their reputation and established business models, and subject themselves to liability, to poison the bootstrapped compiler to detect when a modified F# compiler is being built so they can inject vulnerabilities into all new modified F# compilers, ensuring they're similarly poisoned whilst avoiding detection from easily disassembled byte code (that can be cross-checked against its original source)? Does that sound plausible?
That's not an answer; you are building the compilers and tools from source. The only reason not to trust the builds of a cloud-hosted build environment is if you believe Microsoft is maliciously poisoning builds of OSS compilers its compilers build in a way that escapes detection from its easily disassembled byte code of the compiler and everything it generates, including other modified F# compilers it builds, which have to somehow retain its reciprocal poisonous code - all undetected.