---
_class: lead
paginate: true
backgroundColor: #fff
---

<style>
  /* Changed in Marp 4.0.0. Re-center. */
    section.lead {
        display: flex;
    }

    div.two-columns {
        column-count: 2;
    }
</style>


![](img/logo-and-typemark.svg)

---

# Anton Livaja

Co-Founder & Security Engineer at Distrust (https://distrust.co)

* Firm specializing in high assurance security consulting and engineering.

* Clients: blockchain labs and companies, fin-tech, hedge funds, exchanges, 
electrical grid operators, healthcare providers, etc.

---

# Trends in Supply Chain Security

"[Supply chain threats increased by 1300% between 2020 and 2023]"

- 2025 Software Supply Chain Security Report by ReversingLabs. 

---

# Linux Usage Statistics

* 70%+ servers run Linux

* ~5% desktop / laptop users use Linux

* ~12 widely used Linux distributions

---

# Open Source vs Proprietary

* High risk environments require verifiability

* Proprietary software = security through obscurity 

---

# What is a "Linux Distribution"

* Linux kernel

* Software "packages"

* Package manager

* But they are not all equal...

---

# Linux Distribution Security 

* What machine are packages built on?

* Who maintains your Linux packages?

* How are the packages delivered?

---

# Anatomy of a Package

* Mainainer creates a "package"

* The package is reviewed

* A centralized server builds the binary and signs it

---

# Underutilized Strategies

* Reproducible / deterministic builds

* Full source bootstrapping

* Cryptographic signing

---

# Reproducibility / Determinism

---

![](img/SolarWinds-logo.png)

---

![no-tamper-evidence](https://antonlivaja.com/images/binary-exploit-2.png)

---

![height:600px](https://antonlivaja.com/images/expanded-3-hashes.png)

---

# How Deep Do We Have to Go?

* Compiler

* Build and Runtime Environment
  
  * Operating System + Packages
  
  * Additional CLI / Tools

* Software Application

  * First Party Code

  * Third Party Code

---

# Full Source Bootstrapping

---

![](img/xcodeghost.jpg)

---

# Who Compiles the Compiler?

* Mostly downloaded as a binary

* Even if the compiler is built from source, usually another compiler is used to do so

* This means there is no clear providence to how we went from nothing to having a usable compiler

---

# Bootstrapping Compilers

* Consists of "stages", and hundreds of steps of starting from a human auditable rudimentary compiler and building up all the way up to a modern compiler

* Bootstrapping programming languages

---

# Cryptographic Signing

* Code signing

* Artifact signing

* Multi-person signing

---

![](img/xzbackdoor.png)


---

# [Stageˣ]

Open source Linux Distribution

* Minimal, bootstrapped, hermetic, and deterministic 

---

![](img/stagex-chart-0.png)

---

![](img/stagex-chart-1.png)

---
# Full source bootstrapped from Stage 0

From a <190 byte compiler written in machine code, StageX bootstraps all the 
compiler tools necessary to build the distribution, 100% deterministically.

- Stage 0: Getting a basic C compiler on x86 from hex0
- Stage 1: Building GCC for x86
- Stage 2: Upgrading GCC for x86_64
- Stage 3: Building up-to-date toolchains
- Stage X: Shipping the software you know and love

---

# A Rust Example

```dockerfile
FROM stagex/pallet-rust@sha256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c AS build
ADD . /src
WORKDIR /src
ARG TARGET x86_64-unknown-linux-musl
RUN cargo build --release --target ${TARGET}

FROM scratch
COPY --from=build /app/target/${TARGET}/release/hello /usr/bin/hello
CMD ["/usr/bin/hello"]
```

---

# All packages in StageX are:

* Built using hash-locked sources

* Confirmed reproducible by multiple developers

* Signed by multiple release maintainers

---

# Pallets

StageX offers prebuilt containers including all the packages necessary to run some of our most used software, such as:

- `rust`
- `go`
- `nodejs`
- `nginx`
- `redis`
- `postgres`

---

![](img/airgap-os.png)

---

# QubesOS

---

# Key Takeaways

* Full-source bootstrap

* Use bit for bit determinism

* Leverage cryptographic signing 

---

# What's Next?

* Adding SBOM

* Packaging more software

* Fully automating software updates

* Additional container runtimes like Podman and Kaniko

* Additional chip architecture support such as ARM and RISC-V

---

# How You Can Help

* Provide feedback

* Support with development efforts

* Become a sponsor

---

# Links

**Email**: anton@distrust.co / sales@distrust.co

**Matrix Chat**: #stagex:matrix.org

**Docker Hub**: https://hub.docker.com/u/stagex

**Git Repo**: https://codeberg.org/stagex/stagex

**AirgapOS**: https://git.distrust.co/public/airgap

**EnclaveOS**: https://git.distrust.co/public/enclaveos