Yesterday my SSD arrived. It’s the last piece of hardware I need to get to work on this aspect of the project: the Island of Sanity, the beginning of an Archipelago.
Part of the role that the new machine will fill is that of building and deploying OS images and other software, not only for itself (an “island”) but for other devices on my network (“archipelago”). I have not built a suitable network yet. PXE is not compatible with wifi, so a switch and some wires are in my future.
The goal here is that as much as possible of the code run within the perimeter is built by and runs within processes I trust. Here’s an example of how this works: in order to install GuixSD, I need to acquire a disk image. I can download one from guix.gnu.org, and provided I trust gnu.org’s certificate I can trust that the file I downloaded matches the one they meant to provide. Doing so is an extra step, and requires that I place my trust in an extra cert that is not already in my chain of trust. Instead, I have installed Guix package manager as a Debian package. I am already trusting Debian’s keyring for all the software on this machine (except for Firefox and other things unsigned by that keyring, more on that later.) The Debian package already knows to trust the sources (from ci.guix.gnu.org iirc) that are defined in its default config (as with everything else in guix configs, this is a .scm file) and it doesn’t need anything else to build me an OS image. Using the local guix to build and configure the eventual OS image that will replace it will take longer and add extra steps, but it will be educational. If anything interesting happens I will blog about it here 🙂
And what does it mean that I trust these things? In this case, “trust” means I accept the risk that the source data I get from these defined providers might not match what they provide, or that the provider might act with malice. All this rigmarole around encryption, authentication, reproducibility, and so forth is to measure and mitigate those risks to the best of my ability, with the assistance of the providers.