Daniel Fullmer

Results 49 comments of Daniel Fullmer

> I just ran the test on NixOS 21.05 but I get this weird failure:
>
> ```
> Failed to set up mount namespacing: /run/systemd/unit-root/run/credentials/attestation-server.service: No such file or...
> ```

Could you remind me which device/flavor you were having issues with? Were you able to complete a build with enough zram, even with only 16GB of physical RAM?

So, for `vanilla` builds, it should be possible to revert to the prebuilt kernel using `kernel.useCustom = false;`. However, this kernel is out-of-date and likely has security issues. Upcoming GrapheneOS...

There are, for example, some scripts in the kernel source dir like: https://github.com/GrapheneOS/kernel_google_sunfish/blob/501c771385ff1ceac889fb902feeba196368a00c/build.config.sunfish_no-cfi that look like they disable things like `CONFIG_LTO`, `CONFIG_CFI`, etc. But you'd have to track down how...

Added LTO+CFI memory usage note here: 6c6524dab08b3d16c2c5189c1bb03dee269becae

My previous reproducibility tests have been entirely on my own machine, so using the same kernel, filesystem, (probably) day of year, etc. Building again on another machine in a different...

I agree the documentation could use some serious improvement. I plan to (at least) add some autogenerated docs describing all the available robotnix options, as well as a FAQ for...

Another reason to remove `keyStorePath` and uses of IFD to get key/cert fingerprints: Nix flakes are evaluated in restricted mode, so we aren't able to access files outside of the...

So there are potentially two things here: 1) Some packages (Auditor, F-Droid, AVB, etc.) need metadata about keys / certs (fingerprints, key sizes). We could make the generateKeysScript produce some additional...

Additional thoughts: 1) Let's separate the public and private keys into separate directories. We can replace `keyStorePath` with an option that points to a directory containing only public keys, and...