stagex: rewrite a good chunk

2024-08-20 18:58:04 -04:00 · 2024-08-20 18:58:04 -04:00 · beea47e1f6
parent d2d26433a9
commit beea47e1f6
1 changed files with 104 additions and 25 deletions
--- a/stagex/stagex.md
+++ b/stagex/stagex.md
@ -1,72 +1,151 @@
 ---
 theme: gaia
 _class: lead
 paginate: true
 backgroundColor: #fff
 ---
 <!-- __ -->
 ![bg left:40% 80%](img/stagex-logo.png)
-Minimalism and security first repository of reproducible and multi-signed OCI images of common open source software toolchains full-source bootstrapped from Stage 0 all the way up.
+# Bootstrapping Reproducibility with StageX
 <!--
 Minimalism and security first repository of reproducible and multi-signed OCI
 images of common open source software toolchains full-source bootstrapped from
 Stage 0 to the compiler and libraries you'll use.
 -->
 ---
-# **Minimalism and security first repository**
+# Minimalism and security first repository
-Most Linux distributions are built for **compatibility** rather than **security**
+Approach the distribution of a toolchain by ensuring each component uses
 exactly what it needs to build - no more, no less.
-This results in a dramatic increase of attack surface area of an operating system
+<!--
 TODO: include image describing traditional package building, by installing
 _every_ dependency in a single OS, with a comparison of stagex only having mini
 Containerfiles with just what each project needs.
 -->
-StageX is designed to allow the creation of application specific environments with a minimal footprint to eliminate attack surface area.
+<!-- Speaker notes
 Most Linux distributions are built for *compatibility* rather than *security*.
 This results in a dramatic increase of attack surface area of an operating
 system. StageX is designed to allow the creation of application specific
 environments with a minimal footprint to eliminate attack surface area. Each
 component of the toolchain installs only what it needs, and only packages what
 it builds, resulting in a decreased attack surface.
 -->
 ---
-# Rust "hello world"
+# A Rust Example
 ```dockerfile
-FROM stagex/busybox as build
+FROM scratch AS build
 COPY --from=stagex/busybox . /
 COPY --from=stagex/rust . /
 COPY --from=stagex/musl . /
 COPY --from=stagex/gcc . /
 COPY --from=stagex/llvm . /
 COPY --from=stagex/binutils . /
 COPY --from=stagex/libunwind . /
-RUN printf 'fn main(){ println!("Hello World!"); }' > hello.rs
+ADD <<EOF hello.rs
 fn main() {
    println!("Hello, world!");
 }
 EOF
 RUN rustc hello.rs
 FROM scratch
-COPY --from=build /home/user/hello .
+COPY --from=build ./hello .
 CMD ["./hello"]
 ```
 ---
-# **Reproducible and multi-signed**
+<!-- Speaker notes
-
+In this example, note how we are only pulling in Rust and the dependencies
-All packages provided by StageX are built deterministically
+required to invoke Rust. We don't include anything extra, which reduces the
-
+attack surface when compiling software.
-All packages are reproduced by multiple developers to ensure their integrity
+-->
 All packages are signed by well-known PGP keys after being successfully reproduced
 ---
-# **OCI images**
+# All packages in StageX are:
-StageX uses an open standard for images in order to allow the use of different container runtimes
+* Built using hash-locked sources
 * Confirmed reproducible by multiple developers
 * Signed by multiple release maintainers
-OCI images makes StageX portable and easy to reproduce on all AMD based systems
+<!-- Speaker notes
 To ensure StageX remains a secure toolchain, there's some additional
 maintenance that is performed compared to most distributions. This includes:
-The only available target at the moment is AMD.
+* Built using hash-locked sources. This ensures every developer gets the exact
  same copy of the code for each container, so no middleman could inject
  malware, which helps with:
 * Reproducing projects, ensuring they're built deterministically. This confirms
  that no single developer, nor their machine, have been compromised. Once each
  package is confirmed, they are...
 * Signed by the release maintainers. These maintainers each build a copy of the
  package locally and sign the containers with an OCI-compliant signature using
  well-known OpenPGP keys.
 -->
 <!-- TODO: talk about bootstrapping, incl. corrupt compilers in distro
 toolchain -->
 <!-- https://distrowatch.com/images/other/distro-family-tree.png -->
 <!-- TODO: libfakerand to act as the "why" -->
 ---
-# **Common open source software**
+# OCI Images
-StageX supports 100+ packages, with a focus on supporting software commonly used by developers
+<!--
  Put some kind of graphic here to explain the association between images
  and multisig
 -->
-Some of the currently available packages include: `curl`, `rust`, `git`, `go`, `bash`, `tofu`...
+<!--
 StageX uses the Open Container Initiative standard for images to support the
 use of multiple container runtimes. Because OCI images can be signed using
 OpenPGP keys, this allows the association of built images to signatures, which
 can enable developers to build their software using StageX, without having to
 build the entire StageX toolchain for themselves.
 -->
 ---
 # Common toolchain dependencies
 StageX comes with developer-loved tooling and languages, such as:
 * `rust`
 * `go`
 * `python`
 * `curl`
 * `git`
 <!-- TODO: Add end-user software like tofu, stagex, ocismack, kubectl, etc. -->
 If you are interested in additionally software being added feel free to open a PR or let us know what you would like to see added.
 ---
 # Pallets
 StageX offers prebuilt containers including all the packages necessary to run
 some of our most used software, such as:
 * `kubectl`, `kustomize`, `helm`
 * `keyfork`
 * `nginx`
 * `redis`
 * `postgres`
 ---
 # **Full source bootstrapped from Stage 0**
 The StageX compiler and all libraries necessary to build software are themselves fully bootstrapped and deterministic