From 21315e333447061bcd708da678062b62e58eded1 Mon Sep 17 00:00:00 2001 From: tobtoht Date: Thu, 3 Oct 2024 17:06:42 +0200 Subject: [PATCH] guix: update README.md --- contrib/guix/README.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/contrib/guix/README.md b/contrib/guix/README.md index 15c564b..e5e6e9e 100644 --- a/contrib/guix/README.md +++ b/contrib/guix/README.md 
@@ -6,18 +6,21 @@ Bootstrappability allows us to _audit and reproduce_ our toolchain instead of bl Our build environment can be built from source, [all the way down](https://guix.gnu.org/en/blog/2023/the-full-source-bootstrap-building-from-source-all-the-way-down/). It allows us to reduce our supply chain attack surface by only including the packages that we need, and nothing else. -We achieve bootstrappability by using Guix as a functional package manager. Guix runs on any Linux distribution and on +We achieve bootstrappability by using [Guix](https://guix.gnu.org/) as a functional package manager. Guix runs on any Linux distribution and on most architectures (x86_64, aarch64, riscv64). To produce reproducible release binaries, you only need to install Guix and run the build script. -Unlike Gitian, we are not limited to the package set of a particular Ubuntu version. Guix allows us to pick and choose +Unlike [Gitian](https://github.com/devrandom/gitian-builder), we are not limited to the package set of a particular Ubuntu version. Guix allows us to pick and choose our toolchains. We are able to use the latest compilers while targeting older versions of glibc. Packages that are not -available in Guix can easily be defined in the manifest or upstreamed. +available in Guix can easily be defined in the [manifest](https://github.com/feather-wallet/feather/blob/master/contrib/guix/manifest.scm) or upstreamed. Guix allows us to modify any detail about our build environment with ease. Debugging build issues takes less time because we have shell access to the build environment. Our source code is bind mounted into the container, so edits to package definitions can be tested incrementally. +Feather releases are independently reproduced and cryptographically attested to by multiple contributors. +You can submit attestations to the [feather-sigs](https://github.com/feather-wallet/feather-sigs) repo. + # Requirements Conservatively, you will need an x86_64 machine with:
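Review bot: The manifest link added in the "Packages that are not available in Guix" sentence uses an absolute GitHub URL pinned to `master` (`https://github.com/feather-wallet/feather/blob/master/contrib/guix/manifest.scm`), even though this README lives in the same `contrib/guix/` directory. A relative link, `[manifest](manifest.scm)`, would resolve to the manifest of the revision the reader has checked out, which matters in a document about reproducing a specific release, and it would keep working on mirrors and forks. Separately, the new paragraph at the end of the hunk says where to submit attestations but not how a reader produces or verifies one. A one-line pointer to those instructions (in this README or in feather-sigs) would let a user act on the statement that releases are "cryptographically attested to by multiple contributors".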