(no title)

I think the biggest missing bit in Tinfoil is lack of full source bootstrapped deterministic builds. That is an absolute requirement to ensure no single member of the supply chain, such as a single Debian maintainer or a Tinfoil release engineer cannot tamper with the image.

Also there is the issue that the debian and ubuntu packages you rely on can change from one day to the next etc.

I went down that road for over a year, building a whole package.json style hash locking system on top of apt only to abandon it realizing no existing Linux distribution was up to the task from a trust and security perspective. Even a lot of the packages Debian claims are reproducible, like rust, are actually just built from unverifiable binary blobs from the internet. It was a sad realization that the reproducibility of all existing distros has some huge asterisks.

So my team and I at Distrust started StageX to be the first container native Linux distribution and the first that trusts no single human or system, now at the heart of enclaves at Mysten Labs, Turnkey, etc. Totally FOSS though donations or support contracts are always welcome.

Took a look at your image generation setup and it could certainly be ported to stagex to have a completely verifiable, deterministic, and tamper evident supply chain.

https://stagex.tools

By all means reach out if you want help! Not many of us working on this sort of thing.