diff --git a/stagex/stagex.md b/stagex/stagex.md index 0149524..18f0287 100644 --- a/stagex/stagex.md +++ b/stagex/stagex.md @@ -6,6 +6,13 @@ backgroundColor: #fff + + + ![bg left:40% 80%](img/stagex-logo.png) # Bootstrapping Reproducibility with StageX @@ -80,12 +87,6 @@ ENTRYPOINT ["/usr/bin/mnemonicgen"] Approach the development of a secure toolchain by ensuring each component uses exactly what it needs to build - no more, no less. - - ---- + +
+ + | Distribution | Signatures | Libc | Bootstrapped | Reproducible | Rust deps | |--------------|------------|-------|--------------|--------------|----------:| @@ -108,18 +122,11 @@ it builds, resulting in a decreased attack surface. - - - - +---> @@ -145,15 +152,17 @@ COPY --from=build /app/target/$TARGET/release/hello /usr/bin/hello CMD ["/usr/bin/hello"] ``` - - + + --- # All packages in StageX are: @@ -175,6 +184,7 @@ maintenance that is performed compared to most distributions. This includes: * Signed by the release maintainers. These maintainers each build a copy of the package locally and sign the containers with an OCI-compliant signature using well-known OpenPGP keys. +--- --> - - - --- # Multi-Signed OCI Images +Multiple maintainers can each sign individual images, with the container +runtime enforcing _multiple_ signatures by maintainers to ensure no individual +maintainer could have tampered with an image. + + + -Multiple maintainers can each sign individual images, with the container -runtime enforcing _multiple_ signatures by maintainers to ensure no individual -maintainer could have tampered with an image. - - - --- # Common toolchain dependencies @@ -312,7 +316,7 @@ According to: https://www.crowdstrike.com/blog/sunspot-malware-technical-analysi > - SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code. > - Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence. - --- @@ -376,7 +381,7 @@ Adding additional chip architecture support such as ARM and RISC-V --- -# **Links** +# Links **Matrix Chat**: #stagex:matrix.org @@ -385,6 +390,3 @@ Adding additional chip architecture support such as ARM and RISC-V Big thank you to sponsors who have supported the development of this project: **Turnkey, Distrust, Mysten Labs** - - -
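Review bot: the hunk at `@@ -80,12 +87,6 @@` deletes the `----` line (the `---` slide separator) that sat between the "Approach the development of a secure toolchain..." tagline and the `| Distribution | Signatures | ... | Rust deps |` comparison table, so in this Marp deck the tagline and the full table now render on one slide; please confirm the table still fits at the deck's font size, or keep the separator and move only the blank-line cleanup.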
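Review bot: the added line `+--->` in the `@@ -108,18 +122,11 @@` hunk carries a stray leading hyphen; the HTML comment terminator is `-->`, and a line beginning with `---` is easy to misread as one of the deck's `---` slide separators. Suggest `-->`. The same hunk, and the `+--- -->` line in the `@@ -175,6 +184,7 @@` hunk, show only the closing delimiter of a comment; make sure each one pairs with an opening `<!--` introduced by this change, because an unmatched `-->` is rendered as literal text on the slide.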
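Review bot: in the `@@ -376,7 +381,7 @@` hunk, `-# **Links**` / `+# Links` brings the heading in line with the deck's other plain `#` headings (`# Multi-Signed OCI Images`, `# Common toolchain dependencies`); the bold markup was redundant inside a heading, so this is the right call, and the `@@ -385,6 +390,3 @@` removal of the three trailing blank lines is consistent with the same cleanup.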