== Guix vs. Commercial OS Platforms in Air-Gapped Environments ==

|| '''Feature / Concern''' || '''Guix System''' || '''RHEL / Windows (Commercial Vendors)''' ||
|| Reproducible builds || Full functional package manager with bit-for-bit reproducibility || Rare, not the default; often impossible to verify ||
|| Declarative system configuration || Entire OS and services declared in one file (config.scm) || Partial via kickstart (RHEL) or Group Policy (Windows) ||
|| Source-based verification || Build everything from source with pinned hashes || Can build some packages from source (e.g. SRPMs), but not guaranteed or easy ||
|| Transparent dependency graph || guix graph, complete dependency visibility || Opaque; relies on vendor tooling or trust ||
|| Custom internal repositories || Simple to set up private channels or mirrors || Possible but complex (e.g., Satellite, WSUS, SCCM) ||
|| Air-gap support (by design) || Built-in tools for exporting and importing sources (guix archive) || Requires extra software and policies ||
|| System rollback and audit trail || Native support for generations and rollbacks || Possible with snapshots or backups; not reproducible ||
|| Security patching control || You control exactly when and how updates are applied; reproducible || Updates are controlled by vendor timelines or manual QA workflows ||
|| Proprietary trust requirement || No vendor black-box binaries required || Trust required in vendor-signed binaries ||
|| Compliance alignment (e.g., CIS, STIG) || Manual setup, but full control || Vendor-provided baselines, common in regulated environments ||
|| Support & certification || Community or niche consulting || Enterprise support, certifications (Common Criteria, etc.) ||

== Security & Supply Chain Control ==

=== Guix System ===
* You can inspect, audit, and rebuild every component of your system — from the kernel to applications — using cryptographically pinned source inputs.
* The entire dependency graph is traceable and reproducible, even across machines and time.
* Perfectly suited for classified or national security work, where vendor trust cannot be assumed.

=== RHEL / Windows ===
* You receive pre-built binaries signed by the vendor.
* You often trust opaque CI/CD systems outside your control.
* Reproducing or auditing software at a fine-grained level is non-trivial or impossible.

== Tooling and Maintenance ==

=== Guix System ===
* You define everything declaratively — no surprises at runtime.
* You can script, version-control, and diff system changes like source code.
* Integration with CI/CD is powerful but requires Scheme fluency and a Unix mindset.

=== RHEL / Windows ===
* You use vendor tools (e.g., Satellite, WSUS, SCCM) to manage updates and installations.
* Configuration drift is common without complex tools like Ansible, Puppet, or GPO.
* More user-friendly, but less introspectable.

== Air-Gap Suitability ==

=== Guix System ===
* Designed for air-gapped reproducibility.
* You can export all sources via guix archive or guix pack.
* Build servers can remain '''offline and secure'''.

=== Commercial Systems ===
* Air-gap support is not native.
* Requires additional tooling for mirroring updates, verifying patches, and avoiding telemetry.
* Licensing and activation can be problematic offline.

== Risk Mitigation in Classified Contexts ==

|| '''Risk''' || '''Guix Mitigation''' || '''RHEL/Windows Mitigation''' ||
|| Supply chain tampering || Build everything from trusted source || Trust vendor signatures and processes ||
|| Configuration drift || Fully declarative system + rollbacks || Ansible, Puppet, GPO ||
|| Covert binaries / blobs || Avoided by default (FOSS only) || Often required for hardware drivers, tools ||
|| Forced updates / phones-home || None unless added by user || Needs group policy / firewall control ||

== When to Use What? ==

Choose Guix if:
* You need maximum transparency and reproducibility.
* You operate in a high-assurance, '''national security''', or research environment.
* You can tolerate a steeper learning curve and limited vendor support.

Choose RHEL / Windows if:
* You need certified support, pre-approved baselines, or are bound by specific compliance standards (e.g. NIST, CIS).
* Your staff is trained in those ecosystems and you prioritize vendor backing over code transparency.
* You're in a regulated industry and want '''checkbox compliance''' with minimal friction.

== Final Thoughts ==

Guix System offers unparalleled control, auditability, and air-gap suitability, but requires organizational commitment and technical maturity. Commercial platforms offer smoother compliance workflows and official support, but at the cost of transparency and independence.
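To make the declarative, offline-by-default posture described under Tooling and Air-Gap Suitability concrete, here is an added example of a config.scm for an air-gapped build host; it is not from the original page or the Guix project, and the host name, user, disk layout, mirror path, commit placeholder and key path are assumptions.

```scheme
;; config.scm for an offline Guix build host (added example; host name, user,
;; disk layout, mirror path and key path are assumptions, not page content).
(use-modules (gnu) (guix channels))

;; The daemon's channel list points at a local mirror of the Guix repository,
;; pinned to a reviewed commit, so `guix pull` never leaves the enclave.
;; Commit authentication still uses the channel's built-in introduction.
(define %offline-channels
  (list (channel
         (name 'guix)
         (url "file:///srv/mirrors/guix")      ; assumed local mirror path
         (commit "REVIEWED-COMMIT-HASH"))))    ; placeholder: pin the audited commit

(operating-system
  (host-name "build-offline")                  ; assumed
  (timezone "UTC")
  (locale "en_US.utf8")
  (bootloader (bootloader-configuration
               (bootloader grub-bootloader)
               (targets '("/dev/sda"))))       ; assumed boot device
  (file-systems (cons (file-system
                        (mount-point "/")
                        (device (file-system-label "root"))
                        (type "ext4"))
                      %base-file-systems))
  (users (cons (user-account
                (name "builder")               ; assumed
                (group "users")
                (supplementary-groups '("wheel")))
               %base-user-accounts))
  (services
   (modify-services %base-services
     (guix-service-type
      config => (guix-configuration
                 (inherit config)
                 ;; Never fetch pre-built binaries: everything is built from
                 ;; the pinned sources or imported as signed archives.
                 (use-substitutes? #f)
                 (substitute-urls '())
                 ;; Only archives signed by the vetted export host are
                 ;; accepted by `guix archive --import` (assumed key path).
                 (authorized-keys
                  (list (local-file "/etc/guix/keys/export-host.pub")))
                 ;; Write the pinned channel list to /etc/guix/channels.scm.
                 (channels %offline-channels))))))
```

On the connected export host, `guix archive --generate-key` creates the signing key and `guix archive --export -r` writes signed archives of a store closure that this offline host accepts with `guix archive --import` only because the matching public key is listed above.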