Nice project, and an important step in the right direction.<p>Can't help but think that the real tricky part comes <i>after</i> provenance is recorded.<p>What do you do with all of that - is there something enforcing an allowlist/denylist using the data?<p>How is being kept updated with new builds and the CI/CD pipeline?
All the builds or just with a certain other metadata?
How do you handle exceptions?
How do you handle devs experimenting?<p>How are the attestation signing keys being protected?
I had tried to use Guix on one of my personal computers (instead of my usual, Arch Linux), but unfortunately since my knowledge of Guile Scheme was lacking, I had difficulties.<p>My pain points were essentially:<p>- The documentation was great from a reference standpoint, but unfortunately it was rough from an introductory point-of-view. I had great difficulty successfully setting up my own packages.<p>- Some tooling (such as asdf-vm[0]) didn't work, and it wasn't clear as to why. Note that this <i>was</i> something that I expected and was ready to work around as needed<p>- While I understand and agree with most of the GNU mantra of free software, it was simply difficult and unwieldy to use my laptop since it required non-free software (including but not limited to WiFi drivers). There is a "nonguix" package repo which can fill this need, but many of their support channels/forums prohibit discussion of non-free software.<p>Going forward, I really like the idea of Guix. I think if I were to try it again, I'd use it as a package manager on an Arch System, and get comfortable with the more advanced administration tasks before I installed the standalone OS again.<p>[0] - <a href="https://asdf-vm.com/" rel="nofollow">https://asdf-vm.com/</a>