Build stage0 from older Guix image?
Right now we rely on Debian to generate stage 0. I am considering replacing that with Trisquel for a more libre workflow. However, then I realized: why not use Guix? We have build images that can be used to generate the new images.
Is that a good idea? I worry that this leads to a trusting-trust circular problem, and my head doesn't cooperate when I try to convince myself that the bootstrapping properties inherent in Guix really cancel this out fully.
Maybe we could build newer images based on earlier versions but ALSO build newer images from Debian. Or Trisquel.
We need to check that the resulting Debian-built images are identical to the Guix-built images, for the same Guix commit, but I believe they would be.
With the recent Docker tarball reproducibility fixes in Guix, rebuilds of the container images are identical when I run it even weeks later to reproduce things.
Doing two builds of the same image from different environments proves that we are not hiding some trusting-trust bug in the earlier Guix image, since we get the same result when built from a Debian image. Of course, in practice there are tons of other ways to introduce trusting-trust concerns anyway, but this setup would at least address one theoretical concern.
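
The cross-check proposed above (same Guix commit, one image built from Debian and one from an earlier Guix image) can be scripted as below. This is an added example, not code from the post or the project: the function names and the constructed sample archives are assumptions, and it inspects only the outer tarball, not nested layer archives.

```python
import hashlib
import io
import os
import tarfile
import tempfile


def sha256_file(path):
    """Hash the whole archive; equal digests mean bit-for-bit identical images."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def member_index(path):
    """Map member name -> metadata plus content digest, to localise a mismatch."""
    index = {}
    with tarfile.open(path, "r:*") as tar:
        for m in tar:
            digest = hashlib.sha256(tar.extractfile(m).read()).hexdigest() if m.isfile() else ""
            index[m.name] = (m.type, m.mode, m.uid, m.gid, m.mtime, m.size, m.linkname, digest)
    return index


def compare_images(path_a, path_b):
    """Return (identical, names of members that differ or exist on one side only)."""
    if sha256_file(path_a) == sha256_file(path_b):
        return True, []
    a, b = member_index(path_a), member_index(path_b)
    # An empty list here means the difference is in ordering, padding or compression.
    return False, sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))


def write_sample_tar(path, mtime):
    """Constructed sample input: a one-file archive with a caller-chosen mtime."""
    data = b"constructed layer content\n"
    info = tarfile.TarInfo("layer/hello.txt")
    info.size, info.mtime = len(data), mtime
    with tarfile.open(path, "w") as tar:
        tar.addfile(info, io.BytesIO(data))


if __name__ == "__main__":
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("from-debian.tar", "from-guix.tar", "drifted.tar")]
    for p, mtime in zip(paths, (1, 1, 2)):
        write_sample_tar(p, mtime)
    print(compare_images(paths[0], paths[1]))  # same inputs, same bytes
    print(compare_images(paths[0], paths[2]))  # timestamp drift is reported per member
```

A matching whole-file digest is the pass condition; the per-member listing only helps find what leaked into the build (timestamps, ownership, file order) when the two environments disagree.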