I don't want to be distributing pre-compiled binaries because I don't want others to trust random pre-compiled binaries.
The plan, as I said, is to get pgen into some package manager repos. Until then, building from source will be the only way I will encourage anyone to get a copy of my tool.
I don't think encouraging people to download the precompiled Rust binaries and then blindly compile code downloaded from crates.io is that much different in practice to providing your binaries.
If you're trying to encourage people to implicitly trust as few things as possible, I'm not sure your suggested steps are enough: there's no connection between the code in pgen on crates.io and that repository. Even setting aside the prebuilt rust and cargo, I think there would have to be a guarantee that the code being built is the code the suspicious user actually inspected:
git clone https://github.com/ctsrc/pgen
cd pgen
less src/main.rs build.rs # etc.
cargo install --path . # (installs the current package)
And, one would have to somehow do the same for the dependencies clap and rand, to ensure the code that is built is the code that is inspected.
It's true that avoiding pre-built binaries does avoid issues with the computer that builds them, and problems with the distribution mechanism, but instead distributing as source from external package repositories (and packages maintained by others) seems like it's losing convenience without gaining much security.
In any case, neat project! I like the option to throw physical dice.
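The gap described above, between the repository that was read and the crate that gets built, can be checked mechanically. The following is an added example, not code from either poster or from pgen: it compares the files inside a downloaded .crate archive (a gzip tarball whose entries sit under a "<name>-<version>/" directory) with an inspected checkout. The function names, the version string "pgen-0.0.0" and all file contents are constructed for illustration.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

# `cargo package` adds or rewrites these, so they never match the checkout; read them by hand.
GENERATED = {".cargo_vcs_info.json", "Cargo.toml.orig", "Cargo.toml", "Cargo.lock"}

def crate_digests(crate_bytes):
    """Map relative path -> SHA-256 for each regular file in a .crate (gzip tar)."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(crate_bytes), mode="r:gz") as tar:
        for member in tar:
            rel = member.name.partition("/")[2]  # drop the "<name>-<version>/" prefix
            if member.isfile() and rel:
                digests[rel] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests

def compare_crate_to_checkout(crate_bytes, checkout):
    """Return (differing, only_in_crate, manual_review) against the inspected checkout."""
    differing, only_in_crate, manual_review = [], [], []
    for rel, digest in sorted(crate_digests(crate_bytes).items()):
        local = Path(checkout, rel)
        if rel in GENERATED:
            manual_review.append(rel)
        elif not local.is_file():
            only_in_crate.append(rel)
        elif hashlib.sha256(local.read_bytes()).hexdigest() != digest:
            differing.append(rel)
    return differing, only_in_crate, manual_review

def make_crate(prefix, files):  # builds the constructed sample archive used by demo()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for rel, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{rel}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def demo():
    inspected = {"src/main.rs": b"fn main() {}\n", "build.rs": b"fn main() {}\n"}  # constructed
    published = {**inspected, "build.rs": b"fn main() { /* changed */ }\n",
                 "src/extra.rs": b"// not in the repo\n", "Cargo.toml.orig": b"[package]\n"}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in inspected.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_bytes(data)
        return compare_crate_to_checkout(make_crate("pgen-0.0.0", published), tmp)
```

Any entry in the first two lists means the crate is not the code that was read. The same comparison would have to be run for each dependency (clap, rand) against sources that were actually inspected.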