I think relying on untrusted compute to execute highly sensitive steps is way to hard for a phase 1. I would say if someone is publishing without testing or confirmation that what they put into the pipeline hasn't been tampered with is their fault until you put a "1" after the "v".

I think the an easy poc for this would be output the logs of the build for 1 sat, reveal location of the build output file/artifact for the rest of the cost of the dvm (be it blossom or s3 or whatever).

But what you're really talking about building is exactly what aws code build is, but from scratch. The problem is, if code build gave me a virus instead of my build artifact, could sue them. If someone with a DVM returns you back a virus you have no reprocussions, and they can just start a new npub and move on.

So you're gunna have to build super strict managed pipelines AND require it to be run multiple times to confirm they have the same results and you still are uncertainty about reliability. The only way around this would be heavy test automation on the build on another dvm entirely.

Or am I overthinking this