Parity Attestation
Attestation is what separates Vrtmv from a package-renaming script. Every migration produces evidence that an auditor can rely on.
The attestation report
vrtmv migrate writes, alongside the Ansible role, a vrtmv-attestation.json. It records:
- the source and target releases;
- the depersonalized VM fingerprint and the anchors it was derived from (audit transparency);
- each translated canonical, its target packages, and its graded confidence;
- packages that resolved to no canonical, and canonicals with no translation to the target;
- manual runbook steps and caveats from conditionals that fired or could not be evaluated;
- config-path relocations that need operator attention.
Because conditionals are evaluated locally against the real inventory, the report is specific to the host that produced it — not a generic mapping.
Honesty over completeness
The report distinguishes clearly between what Vrtmv translated, what it could not, and what it could not determine. An unevaluable predicate becomes a caveat, not an assumption. A canonical with no vetted translation is reported as untranslated rather than guessed. Silence — the absence of a row — is treated as a truthful "nothing to report", not a gap to paper over.
This discipline is deliberate: a fabricated mapping that looks authoritative is worse than an acknowledged gap, because an auditor may rely on it.
Fingerprints
The VM fingerprint is a one-way hash derived from stable host anchors (such as machine-id, fstab, and boot UUIDs). It lets Vrtmv recognise the same VM across runs — for metering and for linking a maintenance re-scan to its initial migration — without carrying any host identity off the machine.