public
/
presentations
5
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

stagex: rewrite a good chunk

This commit is contained in:
Ryan Heywood 2024-08-20 18:58:04 -04:00
parent d2d26433a9
commit beea47e1f6
Signed by: ryan
GPG Key ID: 8E401478A3FBEF72
1 changed files with 104 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

129
stagex/stagex.md
View File

@ -1,72 +1,151 @@
---
theme: gaia
_class: lead
paginate: true
backgroundColor: #fff
---
<!-- __ -->
![bg left:40% 80%](img/stagex-logo.png)
Minimalism and security first repository of reproducible and multi-signed OCI images of common open source software toolchains full-source bootstrapped from Stage 0 all the way up.
# Bootstrapping Reproducibility with StageX
<!--
Minimalism and security first repository of reproducible and multi-signed OCI
images of common open source software toolchains full-source bootstrapped from
Stage 0 to the compiler and libraries you'll use.
-->
---
# **Minimalism and security first repository**
# Minimalism and security first repository
Most Linux distributions are built for **compatibility** rather than **security**
Approach the distribution of a toolchain by ensuring each component uses
exactly what it needs to build - no more, no less.
This results in a dramatic increase of attack surface area of an operating system
<!--
TODO: include image describing traditional package building, by installing
_every_ dependency in a single OS, with a comparison of stagex only having mini
Containerfiles with just what each project needs.
-->
StageX is designed to allow the creation of application specific environments with a minimal footprint to eliminate attack surface area.
<!-- Speaker notes
Most Linux distributions are built for *compatibility* rather than *security*.
This results in a dramatic increase of attack surface area of an operating
system. StageX is designed to allow the creation of application specific
environments with a minimal footprint to eliminate attack surface area. Each
component of the toolchain installs only what it needs, and only packages what
it builds, resulting in a decreased attack surface.
-->
---
# Rust "hello world"
# A Rust Example
```dockerfile
FROM stagex/busybox as build
FROM scratch AS build
COPY --from=stagex/busybox . /
COPY --from=stagex/rust . /
COPY --from=stagex/musl . /
COPY --from=stagex/gcc . /
COPY --from=stagex/llvm . /
COPY --from=stagex/binutils . /
COPY --from=stagex/libunwind . /
RUN printf 'fn main(){ println!("Hello World!"); }' > hello.rs
ADD <<EOF hello.rs
fn main() {
println!("Hello, world!");
}
EOF
RUN rustc hello.rs
FROM scratch
COPY --from=build /home/user/hello .
COPY --from=build ./hello .
CMD ["./hello"]
```
---
# **Reproducible and multi-signed**
All packages provided by StageX are built deterministically
All packages are reproduced by multiple developers to ensure their integrity
All packages are signed by well-known PGP keys after being successfully reproduced
<!-- Speaker notes
In this example, note how we are only pulling in Rust and the dependencies
required to invoke Rust. We don't include anything extra, which reduces the
attack surface when compiling software.
-->
---
# **OCI images**
# All packages in StageX are:
StageX uses an open standard for images in order to allow the use of different container runtimes
* Built using hash-locked sources
* Confirmed reproducible by multiple developers
* Signed by multiple release maintainers
OCI images makes StageX portable and easy to reproduce on all AMD based systems
<!-- Speaker notes
To ensure StageX remains a secure toolchain, there's some additional
maintenance that is performed compared to most distributions. This includes:
The only available target at the moment is AMD.
* Built using hash-locked sources. This ensures every developer gets the exact
same copy of the code for each container, so no middleman could inject
malware, which helps with:
* Reproducing projects, ensuring they're built deterministically. This confirms
that no single developer, nor their machine, have been compromised. Once each
package is confirmed, they are...
* Signed by the release maintainers. These maintainers each build a copy of the
package locally and sign the containers with an OCI-compliant signature using
well-known OpenPGP keys.
-->
<!-- TODO: talk about bootstrapping, incl. corrupt compilers in distro
toolchain -->
<!-- https://distrowatch.com/images/other/distro-family-tree.png -->
<!-- TODO: libfakerand to act as the "why" -->
---
# **Common open source software**
# OCI Images
StageX supports 100+ packages, with a focus on supporting software commonly used by developers
<!--
Put some kind of graphic here to explain the association between images
and multisig
-->
Some of the currently available packages include: `curl`, `rust`, `git`, `go`, `bash`, `tofu`...
<!--
StageX uses the Open Container Initiative standard for images to support the
use of multiple container runtimes. Because OCI images can be signed using
OpenPGP keys, this allows the association of built images to signatures, which
can enable developers to build their software using StageX, without having to
build the entire StageX toolchain for themselves.
-->
---
# Common toolchain dependencies
StageX comes with developer-loved tooling and languages, such as:
* `rust`
* `go`
* `python`
* `curl`
* `git`
<!-- TODO: Add end-user software like tofu, stagex, ocismack, kubectl, etc. -->
If you are interested in additionally software being added feel free to open a PR or let us know what you would like to see added.
---
# Pallets
StageX offers prebuilt containers including all the packages necessary to run
some of our most used software, such as:
* `kubectl`, `kustomize`, `helm`
* `keyfork`
* `nginx`
* `redis`
* `postgres`
---
# **Full source bootstrapped from Stage 0**
The StageX compiler and all libraries necessary to build software are themselves fully bootstrapped and deterministic