by dragonsh on 7/18/22, 12:51 AM with 6 comments
by T3OU-736 on 7/18/22, 1:42 PM
Can't help but think that the real tricky part comes after provenance is recorded.
What do you do with all of that - is there something enforcing an allowlist/denylist using the data?
How is it being kept updated with new builds and the CI/CD pipeline? All the builds, or just those with certain other metadata? How do you handle exceptions? How do you handle devs experimenting?
How are the attestation signing keys being protected?
by mikedelago on 7/18/22, 2:29 PM
My pain points were essentially:
- The documentation was great from a reference standpoint, but unfortunately it was rough from an introductory point-of-view. I had great difficulty successfully setting up my own packages.
- Some tooling (such as asdf-vm[0]) didn't work, and it wasn't clear as to why. Note that this was something that I expected and was ready to work around as needed.
- While I understand and agree with most of the GNU mantra of free software, it was simply difficult and unwieldy to use my laptop since it required non-free software (including but not limited to WiFi drivers). There is a "nonguix" package repo which can fill this need, but many of their support channels/forums prohibit discussion of non-free software.
Going forward, I really like the idea of Guix. I think if I were to try it again, I'd use it as a package manager on an Arch System, and get comfortable with the more advanced administration tasks before I installed the standalone OS again.
[0] - https://asdf-vm.com/