---
theme: gaia
_class: lead
paginate: true
backgroundColor: #fff
---

![bg left:40% 80%](img/stagex-logo.png)

Minimalism and security first repository of reproducible and multi-signed OCI images of common open source software toolchains, full-source bootstrapped from Stage 0 all the way up.

---

# **Minimalism and security first repository**

Most Linux distributions are built for **compatibility** rather than **security**

This results in a dramatic increase in the attack surface of the operating system

StageX is designed to allow the creation of application-specific environments with a minimal footprint, eliminating unnecessary attack surface.

---

# Rust "hello world"

```dockerfile
# Build stage: start from the StageX busybox image and lay the Rust toolchain on top of it
FROM stagex/busybox as build
COPY --from=stagex/rust . /
COPY --from=stagex/gcc . /
COPY --from=stagex/binutils . /
COPY --from=stagex/libunwind . /
# hello.rs and the resulting binary land in the build stage's working directory (/home/user)
RUN printf 'fn main(){ println!("Hello World!"); }' > hello.rs
RUN rustc hello.rs
# Final stage: an empty image that carries nothing but the compiled binary
FROM scratch
COPY --from=build /home/user/hello .
CMD ["./hello"]
```

---

# **Reproducible and multi-signed**

All packages provided by StageX are built deterministically

All packages are reproduced by multiple developers to ensure their integrity

All packages are signed by well-known PGP keys after being successfully reproduced

---

# **OCI images**

StageX uses an open standard for images in order to allow the use of different container runtimes

OCI images make StageX portable and easy to reproduce on all AMD-based systems

The only available target at the moment is AMD.

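---

The two slides above rest on one mechanical fact: an OCI image is a content-addressed tree (index, manifest, config, layers), so two developers building from the same inputs must arrive at byte-identical blobs and therefore the same manifest digest, and any altered blob fails to re-hash to the digest its descriptor names. The following added example, written for this deck and not StageX's own tooling, builds a deliberately simplified OCI layout from constructed inputs (one uncompressed layer, no `oci-layout` file, no diff_id or signature checks), verifies every blob against its descriptor, and compares two builds the way a second reproducer would before signing.

```python
import hashlib, json, os, tempfile

def _blob(root, obj, media_type):
    """Store obj (bytes, or a dict serialised as canonical JSON) as a content-addressed blob."""
    data = obj if isinstance(obj, bytes) else json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    digest = "sha256:" + hashlib.sha256(data).hexdigest()
    os.makedirs(os.path.join(root, "blobs", "sha256"), exist_ok=True)
    with open(os.path.join(root, "blobs", "sha256", digest[7:]), "wb") as f:
        f.write(data)
    return {"mediaType": media_type, "digest": digest, "size": len(data)}

def build_layout(root, layer_bytes, created):
    """Constructed stand-in for an image build: one layer, a config, a manifest and index.json."""
    layer = _blob(root, layer_bytes, "application/vnd.oci.image.layer.v1.tar")
    config = _blob(root, {"architecture": "amd64", "os": "linux", "created": created,
                          "rootfs": {"type": "layers", "diff_ids": [layer["digest"]]}},
                   "application/vnd.oci.image.config.v1+json")
    manifest = _blob(root, {"schemaVersion": 2, "config": config, "layers": [layer]},
                     "application/vnd.oci.image.manifest.v1+json")
    with open(os.path.join(root, "index.json"), "w") as f:
        json.dump({"schemaVersion": 2, "manifests": [manifest]}, f)
    return manifest["digest"]

def _checked_blob(root, desc):
    """Read a blob and re-hash it; a size or digest mismatch means the layout was altered."""
    with open(os.path.join(root, "blobs", "sha256", desc["digest"][7:]), "rb") as f:
        data = f.read()
    if len(data) != desc["size"] or "sha256:" + hashlib.sha256(data).hexdigest() != desc["digest"]:
        raise ValueError(f"blob {desc['digest']} does not match its descriptor")
    return data

def verify_layout(root):
    """Walk index -> manifest -> config and layers, checking every blob; return manifest digests."""
    with open(os.path.join(root, "index.json")) as f:
        index = json.load(f)
    for mdesc in index["manifests"]:
        manifest = json.loads(_checked_blob(root, mdesc))
        _checked_blob(root, manifest["config"])
        for ldesc in manifest["layers"]:
            _checked_blob(root, ldesc)
    return [m["digest"] for m in index["manifests"]]

def reproduced(root_a, root_b):
    """Two independent builds reproduce each other iff their verified manifest digests agree."""
    return verify_layout(root_a) == verify_layout(root_b)

if __name__ == "__main__":
    roots = [tempfile.mkdtemp() for _ in range(2)]  # two "developers" building from identical inputs
    digests = [build_layout(r, b"hello", "1970-01-01T00:00:00Z") for r in roots]
    print("manifest digests agree:", reproduced(*roots), digests)
```

Changing only the `created` timestamp between two builds is enough to make `reproduced` return False, which is why deterministic builds pin such values rather than taking them from the build clock.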
---

# **Common open source software**

StageX supports 100+ packages, with a focus on supporting software commonly used by developers

Some of the currently available packages include: `curl`, `rust`, `git`, `go`, `bash`, `tofu`...

If you are interested in additional software being added, feel free to open a PR or let us know what you would like to see added.

---

# **Full source bootstrapped from Stage 0**

The StageX compiler and all libraries necessary to build software are themselves fully bootstrapped and deterministic

Bootstrapped - built up from "nothing" in order to allow verification of how the compiler is built - ensuring there is no malicious code added to it at any point.

Ken Thompson describes the risk of using a compiler which can't be verified to be trustworthy in his seminal paper "Reflections on Trusting Trust"

---

# **OK, So What?**

There is an entire family of supply chain vulnerabilities which can be eliminated by using StageX

By reducing the number of dependencies needed to run and build software, we remove unnecessary software which can act as an entry point for malicious software such as malware

For example, if using Debian as a base for `rust`, one ends up using **232 dependencies**, whereas StageX only requires **4 dependencies**

---

Additionally, there has not been a simple way to verify that a compiler is trusted.

This is because compilers are used to build other compilers, and for a long time, we lost the ability to build up a compiler toolchain from "nothing"

StageX allows us to bootstrap the compiler toolchain, making it easy to verify, by reviewing the code, that no malicious code was introduced at any point; it also does so deterministically, which makes it simple to further verify the integrity of the resulting binary

---

# **What's Next?**

Packaging more software

Adding additional container runtimes like Podman and Kaniko

Adding additional chip architecture support such as ARM and RISC-V

---

# **Links**

**Presenter**: <your_name>

**Matrix Chat**: #stagex:matrix.org

**Git Repo**: https://codeberg.org/stagex/stagex

Big thank you to sponsors who have supported the development of this project:

**Turnkey, Distrust, Mysten Labs**