From beea47e1f647a6771e4cc5962c91f2132d5805b3 Mon Sep 17 00:00:00 2001
From: ryan <ryan@distrust.co>
Date: Tue, 20 Aug 2024 18:58:04 -0400
Subject: [PATCH] stagex: rewrite a good chunk

---
 stagex/stagex.md | 129 ++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 104 insertions(+), 25 deletions(-)

diff --git a/stagex/stagex.md b/stagex/stagex.md
index c9ea249..6e442dc 100644
--- a/stagex/stagex.md
+++ b/stagex/stagex.md
@@ -1,72 +1,151 @@
 ---
-theme: gaia
 _class: lead
 paginate: true
 backgroundColor: #fff
 ---
 
+<!-- __ -->
+
 ![bg left:40% 80%](img/stagex-logo.png)
 
-Minimalism and security first repository of reproducible and multi-signed OCI images of common open source software toolchains full-source bootstrapped from Stage 0 all the way up.
+# Bootstrapping Reproducibility with StageX
+
+<!--
+Minimalism and security first repository of reproducible and multi-signed OCI
+images of common open source software toolchains full-source bootstrapped from
+Stage 0 to the compiler and libraries you'll use.
+-->
 
 ---
 
-# **Minimalism and security first repository**
+# Minimalism and security first repository
 
-Most Linux distributions are built for **compatibility** rather than **security**
+Approach the distribution of a toolchain by ensuring each component uses
+exactly what it needs to build - no more, no less.
 
-This results in a dramatic increase of attack surface area of an operating system
+<!--
+TODO: include image describing traditional package building, by installing
+_every_ dependency in a single OS, with a comparison of stagex only having mini
+Containerfiles with just what each project needs.
+-->
 
-StageX is designed to allow the creation of application specific environments with a minimal footprint to eliminate attack surface area.
+<!-- Speaker notes
+Most Linux distributions are built for *compatibility* rather than *security*.
+This results in a dramatic increase of attack surface area of an operating
+system. StageX is designed to allow the creation of application specific
+environments with a minimal footprint to eliminate attack surface area. Each
+component of the toolchain installs only what it needs, and only packages what
+it builds, resulting in a decreased attack surface.
+-->
 
 ---
 
-# Rust "hello world"
+# A Rust Example
 
 ```dockerfile
-FROM stagex/busybox as build
+FROM scratch AS build
+COPY --from=stagex/busybox . /
 COPY --from=stagex/rust . /
+COPY --from=stagex/musl . /
 COPY --from=stagex/gcc . /
+COPY --from=stagex/llvm . /
 COPY --from=stagex/binutils . /
 COPY --from=stagex/libunwind . /
-RUN printf 'fn main(){ println!("Hello World!"); }' > hello.rs
+ADD <<EOF hello.rs
+fn main() {
+    println!("Hello, world!");
+}
+EOF
 RUN rustc hello.rs
 FROM scratch
-COPY --from=build /home/user/hello .
+COPY --from=build ./hello .
 CMD ["./hello"]
 ```
----
 
-# **Reproducible and multi-signed**
-
-All packages provided by StageX are built deterministically
-
-All packages are reproduced by multiple developers to ensure their integrity
-
-All packages are signed by well-known PGP keys after being successfully reproduced
+<!-- Speaker notes
+In this example, note how we are only pulling in Rust and the dependencies
+required to invoke Rust. We don't include anything extra, which reduces the
+attack surface when compiling software.
+-->
 
 ---
 
-# **OCI images**
+# All packages in StageX are:
 
-StageX uses an open standard for images in order to allow the use of different container runtimes
+* Built using hash-locked sources
+* Confirmed reproducible by multiple developers
+* Signed by multiple release maintainers
 
-OCI images makes StageX portable and easy to reproduce on all AMD based systems
+<!-- Speaker notes
+To ensure StageX remains a secure toolchain, there's some additional
+maintenance that is performed compared to most distributions. This includes:
 
-The only available target at the moment is AMD.
+* Built using hash-locked sources. This ensures every developer gets the exact
+  same copy of the code for each container, so no middleman could inject
+  malware, which helps with:
+* Reproducing projects, ensuring they're built deterministically. This confirms
+  that no single developer, nor their machine, have been compromised. Once each
+  package is confirmed, they are...
+* Signed by the release maintainers. These maintainers each build a copy of the
+  package locally and sign the containers with an OCI-compliant signature using
+  well-known OpenPGP keys.
+-->
+
+<!-- TODO: talk about bootstrapping, incl. corrupt compilers in distro
+toolchain -->
+
+<!-- https://distrowatch.com/images/other/distro-family-tree.png -->
+
+<!-- TODO: libfakerand to act as the "why" -->
 
 ---
 
-# **Common open source software**
+# OCI Images
 
-StageX supports 100+ packages, with a focus on supporting software commonly used by developers
+<!--
+  Put some kind of graphic here to explain the association between images
+  and multisig
+-->
 
-Some of the currently available packages include: `curl`, `rust`, `git`, `go`, `bash`, `tofu`...
+<!--
+StageX uses the Open Container Initiative standard for images to support the
+use of multiple container runtimes. Because OCI images can be signed using
+OpenPGP keys, this allows the association of built images to signatures, which
+can enable developers to build their software using StageX, without having to
+build the entire StageX toolchain for themselves.
+-->
+
+---
+
+# Common toolchain dependencies
+
+StageX comes with developer-loved tooling and languages, such as:
+
+* `rust`
+* `go`
+* `python`
+* `curl`
+* `git`
+
+<!-- TODO: Add end-user software like tofu, stagex, ocismack, kubectl, etc. -->
 
 If you are interested in additionally software being added feel free to open a PR or let us know what you would like to see added.
 
 ---
 
+# Pallets
+
+StageX offers prebuilt containers including all the packages necessary to run
+some of our most used software, such as:
+
+* `kubectl`, `kustomize`, `helm`
+* `keyfork`
+* `nginx`
+* `redis`
+* `postgres`
+
+---
+
 # **Full source bootstrapped from Stage 0**
 
 The StageX compiler and all libraries necessary to build software are themselves fully bootstrapped and deterministic