public
/
presentations
5
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

stagex: rewrite a good chunk

This commit is contained in:
Ryan Heywood 2024-08-20 18:58:04 -04:00
parent d2d26433a9
commit a33a92449d
Signed by: ryan
GPG Key ID: 8E401478A3FBEF72
1 changed files with 25 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
stagex/stagex.md
View File

@ -7,32 +7,49 @@ backgroundColor: #fff
![bg left:40% 80%](img/stagex-logo.png)
Minimalism and security first repository of reproducible and multi-signed OCI images of common open source software toolchains full-source bootstrapped from Stage 0 all the way up.
Minimalism and security first repository of reproducible and multi-signed OCI
images of common open source software toolchains full-source bootstrapped from
Stage 0 to the compiler and libraries you'll use.
---
# **Minimalism and security first repository**
# Minimalism and security first repository
Most Linux distributions are built for **compatibility** rather than **security**
Approach the distribution of a toolchain by ensuring each component uses
exactly what it needs to build - no more, no less.
This results in a dramatic increase of attack surface area of an operating system
TODO: include image describing traditional package building, by installing
_every_ dependency in a single OS, with a comparison of stagex only having mini
Containerfiles with just what each project needs.
StageX is designed to allow the creation of application specific environments with a minimal footprint to eliminate attack surface area.
<!-- Speaker notes
Most Linux distributions are built for *compatibility* rather than *security*.
This results in a dramatic increase of attack surface area of an operating
system. StageX is designed to allow the creation of application specific
environments with a minimal footprint to eliminate attack surface area. Each
component of the toolchain installs only what it needs, and only packages what
it builds, resulting in a decreased attack surface.
-->
---
# Rust "hello world"
```dockerfile
FROM stagex/busybox as build
FROM scratch AS build
COPY --from=stagex/busybox . /
COPY --from=stagex/rust . /
COPY --from=stagex/gcc . /
COPY --from=stagex/binutils . /
COPY --from=stagex/libunwind . /
RUN printf 'fn main(){ println!("Hello World!"); }' > hello.rs
ADD <<EOF hello.rs
fn main() {
println!("Hello, world!");
}
EOF
RUN rustc hello.rs
FROM scratch
COPY --from=build /home/user/hello .
COPY --from=build ./hello .
CMD ["./hello"]
```
---