Yeah that's definitely true -- throwing your server away is no good if the machine image/setup flow you're using is insecure. Nix/Guix + the long list of distros working on it are all going in the right direction to fix this problem -- but I find it hard to believe that instead of just waiting for Debian reproducible builds (or some other vendor provided option) people will all switch to Nix/Guix.
Above the VM layer (@ the sandboxed process i.e. container layer), TUF[0] + Notary[1] + compliant image registries + attestation tools are helping to solve this problem which is nice.
Indeed, many distros tackle the reproducibility issue. But for the better part (and because of history), it can only be an afterthought, some extra layers that try to fix the existing system.
The fundamental difference with Nix and Guix is that it's "reproducibility by design". A much more sustainable approach in my opinion.
[0]: https://theupdateframework.github.io/
[1]: https://github.com/theupdateframework/notary