stagex: rewrite a good chunk
This commit is contained in:
parent
2a64924484
commit
8f13f5cde2
129
stagex/index.md
129
stagex/index.md
|
@ -1,72 +1,151 @@
|
||||||
---
|
---
|
||||||
theme: gaia
|
|
||||||
_class: lead
|
_class: lead
|
||||||
paginate: true
|
paginate: true
|
||||||
backgroundColor: #fff
|
backgroundColor: #fff
|
||||||
---
|
---
|
||||||
|
|
||||||
|
<!-- __ -->
|
||||||
|
|
||||||
![bg left:40% 80%](img/stagex-logo.png)
|
![bg left:40% 80%](img/stagex-logo.png)
|
||||||
|
|
||||||
Minimalism and security first repository of reproducible and multi-signed OCI images of common open source software toolchains full-source bootstrapped from Stage 0 all the way up.
|
# Bootstrapping Reproducibility with StageX
|
||||||
|
|
||||||
|
<!--
|
||||||
|
Minimalism and security first repository of reproducible and multi-signed OCI
|
||||||
|
images of common open source software toolchains full-source bootstrapped from
|
||||||
|
Stage 0 to the compiler and libraries you'll use.
|
||||||
|
-->
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# **Minimalism and security first repository**
|
# Minimalism and security first repository
|
||||||
|
|
||||||
Most Linux distributions are built for **compatibility** rather than **security**
|
Approach the distribution of a toolchain by ensuring each component uses
|
||||||
|
exactly what it needs to build - no more, no less.
|
||||||
|
|
||||||
This results in a dramatic increase of attack surface area of an operating system
|
<!--
|
||||||
|
TODO: include image describing traditional package building, by installing
|
||||||
|
_every_ dependency in a single OS, with a comparison of stagex only having mini
|
||||||
|
Containerfiles with just what each project needs.
|
||||||
|
-->
|
||||||
|
|
||||||
StageX is designed to allow the creation of application specific environments with a minimal footprint to eliminate attack surface area.
|
<!-- Speaker notes
|
||||||
|
Most Linux distributions are built for *compatibility* rather than *security*.
|
||||||
|
This results in a dramatic increase of attack surface area of an operating
|
||||||
|
system. StageX is designed to allow the creation of application specific
|
||||||
|
environments with a minimal footprint to eliminate attack surface area. Each
|
||||||
|
component of the toolchain installs only what it needs, and only packages what
|
||||||
|
it builds, resulting in a decreased attack surface.
|
||||||
|
-->
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# Rust "hello world"
|
# A Rust Example
|
||||||
|
|
||||||
```dockerfile
|
```dockerfile
|
||||||
FROM stagex/busybox as build
|
FROM scratch AS build
|
||||||
|
COPY --from=stagex/busybox . /
|
||||||
COPY --from=stagex/rust . /
|
COPY --from=stagex/rust . /
|
||||||
|
COPY --from=stagex/musl . /
|
||||||
COPY --from=stagex/gcc . /
|
COPY --from=stagex/gcc . /
|
||||||
|
COPY --from=stagex/llvm . /
|
||||||
COPY --from=stagex/binutils . /
|
COPY --from=stagex/binutils . /
|
||||||
COPY --from=stagex/libunwind . /
|
COPY --from=stagex/libunwind . /
|
||||||
RUN printf 'fn main(){ println!("Hello World!"); }' > hello.rs
|
ADD <<EOF hello.rs
|
||||||
|
fn main() {
|
||||||
|
println!("Hello, world!");
|
||||||
|
}
|
||||||
|
EOF
|
||||||
RUN rustc hello.rs
|
RUN rustc hello.rs
|
||||||
FROM scratch
|
FROM scratch
|
||||||
COPY --from=build /home/user/hello .
|
COPY --from=build ./hello .
|
||||||
CMD ["./hello"]
|
CMD ["./hello"]
|
||||||
```
|
```
|
||||||
---
|
|
||||||
|
|
||||||
# **Reproducible and multi-signed**
|
<!-- Speaker notes
|
||||||
|
In this example, note how we are only pulling in Rust and the dependencies
|
||||||
All packages provided by StageX are built deterministically
|
required to invoke Rust. We don't include anything extra, which reduces the
|
||||||
|
attack surface when compiling software.
|
||||||
All packages are reproduced by multiple developers to ensure their integrity
|
-->
|
||||||
|
|
||||||
All packages are signed by well-known PGP keys after being successfully reproduced
|
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# **OCI images**
|
# All packages in StageX are:
|
||||||
|
|
||||||
StageX uses an open standard for images in order to allow the use of different container runtimes
|
* Built using hash-locked sources
|
||||||
|
* Confirmed reproducible by multiple developers
|
||||||
|
* Signed by multiple release maintainers
|
||||||
|
|
||||||
OCI images makes StageX portable and easy to reproduce on all AMD based systems
|
<!-- Speaker notes
|
||||||
|
To ensure StageX remains a secure toolchain, there's some additional
|
||||||
|
maintenance that is performed compared to most distributions. This includes:
|
||||||
|
|
||||||
The only available target at the moment is AMD.
|
* Built using hash-locked sources. This ensures every developer gets the exact
|
||||||
|
same copy of the code for each container, so no middleman could inject
|
||||||
|
malware, which helps with:
|
||||||
|
* Reproducing projects, ensuring they're built deterministically. This confirms
|
||||||
|
that no single developer, nor their machine, have been compromised. Once each
|
||||||
|
package is confirmed, they are...
|
||||||
|
* Signed by the release maintainers. These maintainers each build a copy of the
|
||||||
|
package locally and sign the containers with an OCI-compliant signature using
|
||||||
|
well-known OpenPGP keys.
|
||||||
|
-->
|
||||||
|
|
||||||
|
<!-- TODO: talk about bootstrapping, incl. corrupt compilers in distro
|
||||||
|
toolchain -->
|
||||||
|
|
||||||
|
<!-- https://distrowatch.com/images/other/distro-family-tree.png -->
|
||||||
|
|
||||||
|
<!-- TODO: libfakerand to act as the "why" -->
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
# **Common open source software**
|
# OCI Images
|
||||||
|
|
||||||
StageX supports 100+ packages, with a focus on supporting software commonly used by developers
|
<!--
|
||||||
|
Put some kind of graphic here to explain the association between images
|
||||||
|
and multisig
|
||||||
|
-->
|
||||||
|
|
||||||
Some of the currently available packages include: `curl`, `rust`, `git`, `go`, `bash`, `tofu`...
|
<!--
|
||||||
|
StageX uses the Open Container Initiative standard for images to support the
|
||||||
|
use of multiple container runtimes. Because OCI images can be signed using
|
||||||
|
OpenPGP keys, this allows the association of built images to signatures, which
|
||||||
|
can enable developers to build their software using StageX, without having to
|
||||||
|
build the entire StageX toolchain for themselves.
|
||||||
|
-->
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
# Common toolchain dependencies
|
||||||
|
|
||||||
|
StageX comes with developer-loved tooling and languages, such as:
|
||||||
|
|
||||||
|
* `rust`
|
||||||
|
* `go`
|
||||||
|
* `python`
|
||||||
|
* `curl`
|
||||||
|
* `git`
|
||||||
|
|
||||||
|
<!-- TODO: Add end-user software like tofu, stagex, ocismack, kubectl, etc. -->
|
||||||
|
|
||||||
If you are interested in additionally software being added feel free to open a PR or let us know what you would like to see added.
|
If you are interested in additionally software being added feel free to open a PR or let us know what you would like to see added.
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
# Pallets
|
||||||
|
|
||||||
|
StageX offers prebuilt containers including all the packages necessary to run
|
||||||
|
some of our most used software, such as:
|
||||||
|
|
||||||
|
* `kubectl`, `kustomize`, `helm`
|
||||||
|
* `keyfork`
|
||||||
|
* `nginx`
|
||||||
|
* `redis`
|
||||||
|
* `postgres`
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
# **Full source bootstrapped from Stage 0**
|
# **Full source bootstrapped from Stage 0**
|
||||||
|
|
||||||
The StageX compiler and all libraries necessary to build software are themselves fully bootstrapped and deterministic
|
The StageX compiler and all libraries necessary to build software are themselves fully bootstrapped and deterministic
|
||||||
|
|
Loading…
Reference in New Issue