Let's add a TODO here. No instructions on how to do that.
Let's add a TODO here.
Where does this transaction request get saved? Presumably icepick workflow sol-get-blockhash-and-broadcast will expect a well-known location?
Let's add a TODO here.
I've read through this a few times and I'm unsure what the third operator is doing. Are they simply the person walking MicroSD cards between online and offline machines?
- Are we formatting any MicroSD cards at the end of this process?
This makes sense. Please include information on where to source these. I imagine they're pretty big, if they can hold an entire boxed laptop.
A consolidated list of materials to purchase would be helpful.
In my experience, the glitter on the screws was difficult to verify from photographs. I personally had a reasonable degree of confidence that the glitter matched the photographs, but I was the only one of three of people who was able to say so with any confidence.
Will the privacy screen make it more difficult to photograph generated QR codes?
"vacuum sealed bar"? Should this be "vacuum sealed bag"?
For the image signing: is this an established PGP key with a fingerprint published somewhere? Is there some way for all parties to be certain that the signed images are from Purism and that they have not been replaced by images taken by the individual responsible for procuring the laptop(s)?
See previous comments about glitter. This has not provided adequate confidence in the past.
I'm going through these docs top-to-bottom. I'll submit reviews in chunks so that you can start addressing comments.
I believe this doesn't affect the rendered output, but the numbering is off here.
How is the access log implemented?
Commented above about the same being done for the laptop itself. If you haven't already, please reach out to Purism on this.
Here:
To ensure that hardware is compatible, it can be tested by bringing an SD card with AirgapOS loaded on it, and testing booting to a floor model in the store.
Above:
Alternatively…
Is it actually feasible to ask to disable secure boot and attempt to boot an OS from a medium that we're bringing into the store? I feel like that would be met with a lot of resistance.