stagex: rewrite a good chunk
This commit is contained in:
parent
2a64924484
commit
8f13f5cde2
129
stagex/index.md
129
stagex/index.md
|
@ -1,72 +1,151 @@
|
|||
---
|
||||
theme: gaia
|
||||
_class: lead
|
||||
paginate: true
|
||||
backgroundColor: #fff
|
||||
---
|
||||
|
||||
<!-- __ -->
|
||||
|
||||
![bg left:40% 80%](img/stagex-logo.png)
|
||||
|
||||
Minimalism and security first repository of reproducible and multi-signed OCI images of common open source software toolchains full-source bootstrapped from Stage 0 all the way up.
|
||||
# Bootstrapping Reproducibility with StageX
|
||||
|
||||
<!--
|
||||
Minimalism and security first repository of reproducible and multi-signed OCI
|
||||
images of common open source software toolchains full-source bootstrapped from
|
||||
Stage 0 to the compiler and libraries you'll use.
|
||||
-->
|
||||
|
||||
---
|
||||
|
||||
# **Minimalism and security first repository**
|
||||
# Minimalism and security first repository
|
||||
|
||||
Most Linux distributions are built for **compatibility** rather than **security**
|
||||
Approach the distribution of a toolchain by ensuring each component uses
|
||||
exactly what it needs to build - no more, no less.
|
||||
|
||||
This results in a dramatic increase of attack surface area of an operating system
|
||||
<!--
|
||||
TODO: include image describing traditional package building, by installing
|
||||
_every_ dependency in a single OS, with a comparison of stagex only having mini
|
||||
Containerfiles with just what each project needs.
|
||||
-->
|
||||
|
||||
StageX is designed to allow the creation of application specific environments with a minimal footprint to eliminate attack surface area.
|
||||
<!-- Speaker notes
|
||||
Most Linux distributions are built for *compatibility* rather than *security*.
|
||||
This results in a dramatic increase of attack surface area of an operating
|
||||
system. StageX is designed to allow the creation of application specific
|
||||
environments with a minimal footprint to eliminate attack surface area. Each
|
||||
component of the toolchain installs only what it needs, and only packages what
|
||||
it builds, resulting in a decreased attack surface.
|
||||
-->
|
||||
|
||||
---
|
||||
|
||||
# Rust "hello world"
|
||||
# A Rust Example
|
||||
|
||||
```dockerfile
|
||||
FROM stagex/busybox as build
|
||||
FROM scratch AS build
|
||||
COPY --from=stagex/busybox . /
|
||||
COPY --from=stagex/rust . /
|
||||
COPY --from=stagex/musl . /
|
||||
COPY --from=stagex/gcc . /
|
||||
COPY --from=stagex/llvm . /
|
||||
COPY --from=stagex/binutils . /
|
||||
COPY --from=stagex/libunwind . /
|
||||
RUN printf 'fn main(){ println!("Hello World!"); }' > hello.rs
|
||||
ADD <<EOF hello.rs
|
||||
fn main() {
|
||||
println!("Hello, world!");
|
||||
}
|
||||
EOF
|
||||
RUN rustc hello.rs
|
||||
FROM scratch
|
||||
COPY --from=build /home/user/hello .
|
||||
COPY --from=build ./hello .
|
||||
CMD ["./hello"]
|
||||
```
|
||||
---
|
||||
|
||||
# **Reproducible and multi-signed**
|
||||
|
||||
All packages provided by StageX are built deterministically
|
||||
|
||||
All packages are reproduced by multiple developers to ensure their integrity
|
||||
|
||||
All packages are signed by well-known PGP keys after being successfully reproduced
|
||||
<!-- Speaker notes
|
||||
In this example, note how we are only pulling in Rust and the dependencies
|
||||
required to invoke Rust. We don't include anything extra, which reduces the
|
||||
attack surface when compiling software.
|
||||
-->
|
||||
|
||||
---
|
||||
|
||||
# **OCI images**
|
||||
# All packages in StageX are:
|
||||
|
||||
StageX uses an open standard for images in order to allow the use of different container runtimes
|
||||
* Built using hash-locked sources
|
||||
* Confirmed reproducible by multiple developers
|
||||
* Signed by multiple release maintainers
|
||||
|
||||
OCI images makes StageX portable and easy to reproduce on all AMD based systems
|
||||
<!-- Speaker notes
|
||||
To ensure StageX remains a secure toolchain, there's some additional
|
||||
maintenance that is performed compared to most distributions. This includes:
|
||||
|
||||
The only available target at the moment is AMD.
|
||||
* Built using hash-locked sources. This ensures every developer gets the exact
|
||||
same copy of the code for each container, so no middleman could inject
|
||||
malware, which helps with:
|
||||
* Reproducing projects, ensuring they're built deterministically. This confirms
|
||||
that no single developer, nor their machine, have been compromised. Once each
|
||||
package is confirmed, they are...
|
||||
* Signed by the release maintainers. These maintainers each build a copy of the
|
||||
package locally and sign the containers with an OCI-compliant signature using
|
||||
well-known OpenPGP keys.
|
||||
-->
|
||||
|
||||
<!-- TODO: talk about bootstrapping, incl. corrupt compilers in distro
|
||||
toolchain -->
|
||||
|
||||
<!-- https://distrowatch.com/images/other/distro-family-tree.png -->
|
||||
|
||||
<!-- TODO: libfakerand to act as the "why" -->
|
||||
|
||||
---
|
||||
|
||||
# **Common open source software**
|
||||
# OCI Images
|
||||
|
||||
StageX supports 100+ packages, with a focus on supporting software commonly used by developers
|
||||
<!--
|
||||
Put some kind of graphic here to explain the association between images
|
||||
and multisig
|
||||
-->
|
||||
|
||||
Some of the currently available packages include: `curl`, `rust`, `git`, `go`, `bash`, `tofu`...
|
||||
<!--
|
||||
StageX uses the Open Container Initiative standard for images to support the
|
||||
use of multiple container runtimes. Because OCI images can be signed using
|
||||
OpenPGP keys, this allows the association of built images to signatures, which
|
||||
can enable developers to build their software using StageX, without having to
|
||||
build the entire StageX toolchain for themselves.
|
||||
-->
|
||||
|
||||
---
|
||||
|
||||
# Common toolchain dependencies
|
||||
|
||||
StageX comes with developer-loved tooling and languages, such as:
|
||||
|
||||
* `rust`
|
||||
* `go`
|
||||
* `python`
|
||||
* `curl`
|
||||
* `git`
|
||||
|
||||
<!-- TODO: Add end-user software like tofu, stagex, ocismack, kubectl, etc. -->
|
||||
|
||||
If you are interested in additionally software being added feel free to open a PR or let us know what you would like to see added.
|
||||
|
||||
---
|
||||
|
||||
# Pallets
|
||||
|
||||
StageX offers prebuilt containers including all the packages necessary to run
|
||||
some of our most used software, such as:
|
||||
|
||||
* `kubectl`, `kustomize`, `helm`
|
||||
* `keyfork`
|
||||
* `nginx`
|
||||
* `redis`
|
||||
* `postgres`
|
||||
|
||||
---
|
||||
|
||||
# **Full source bootstrapped from Stage 0**
|
||||
|
||||
The StageX compiler and all libraries necessary to build software are themselves fully bootstrapped and deterministic
|
||||
|
|
Loading…
Reference in New Issue