--- _class: lead paginate: true backgroundColor: #fff --- ![bg left:40% 80%](img/stagex-logo.png) # Bootstrapping Reproducibility with StageX --- # Minimalism and security first repository Approach the distribution of a toolchain by ensuring each component uses exactly what it needs to build - no more, no less. --- # A Rust Example ```dockerfile FROM scratch AS build COPY --from=stagex/busybox . / COPY --from=stagex/rust . / COPY --from=stagex/musl . / COPY --from=stagex/gcc . / COPY --from=stagex/llvm . / COPY --from=stagex/binutils . / COPY --from=stagex/libunwind . / ADD < --- # All packages in StageX are: * Built using hash-locked sources * Confirmed reproducible by multiple developers * Signed by multiple release maintainers --- # OCI Images --- # Common toolchain dependencies StageX comes with developer-loved tooling and languages, such as: * `rust` * `go` * `python` * `curl` * `git` If you are interested in additionally software being added feel free to open a PR or let us know what you would like to see added. --- # Pallets StageX offers prebuilt containers including all the packages necessary to run some of our most used software, such as: * `kubectl`, `kustomize`, `helm` * `keyfork` * `nginx` * `redis` * `postgres` --- # **Full source bootstrapped from Stage 0** The StageX compiler and all libraries necessary to build software are themselves fully bootstrapped and deterministic Bootstrapped - built up from "nothing" in order to allow verification of how the compiler is built - ensuring there is no malicious code added to it at any point. Ken Thompson describes the risk of using a compiler which can't be verified to be trustworthy in his seminal paper "Reflections on Trusting Trust" --- # **OK, So What?** There is an entire family of supply chain vulnerabilities which can be eliminated by using StageX By reducing the number of dependencies needed to run and build software, we remove unnecessary software which can act as an entry point for malicious software such as malware For example, if using Debian as a base for `rust`, one ends up using **232 dependencies**, where as StageX only requires **4 dependencies** --- Additionally, there has not been a simple way to verify that a compiler is trusted. This is because compilers are used to build other compilers, and for a long time, we lost the ability to build up a compiler toolchain from "nothing" StageX allows us to bootstrap the compiler toolchain, making it easy to verify that no malicious code was introduced at any point, by reviewing the code, and it also does so in a deterministic manner, which makes it simple to further verify the integrity of the binary --- # Solar Winds According to: https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ > * SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product. > * SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code. > * Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence. --- # **What's Next?** Packaging more software Adding additional container runtimes like Podman and Kaniko Adding additional chip architecture support such as ARM and RISC-V --- # **Links** **Presenter**: **Matrix Chat**: #stagex:matrix.org **Git Repo**: https://codeberg.org/stagex/stagex Big thank you to sponsors who have supported the development of this project: **Turnkey, Distrust, Mysten Labs**