--- _class: lead paginate: true backgroundColor: #fff --- ![bg left:40% 80%](img/stagex-logo.png) # Bootstrapping Reproducibility with StageX The steps involved in going from a 256 byte compiler to a deterministic bit-for-bit reproducible Linux distribution. --- # The Problem: Is Your Toolchain Secure? ```dockerfile FROM stagex/openssl COPY --from=stagex/musl . / ENTRYPOINT ["/usr/bin/openssl"] CMD ["rand", "-hex", "12"] ```
```sh docker build -t stagex/openssl -f stagex-openssl.Containerfile . docker run stagex/openssl # Output: 2a2a2a2a2a2a2a2a2a2a2a2a ```
![width: auto](img/demo-auto.gif)
--- # Minimalism and security first Linux distribution Approach the development of a secure toolchain by ensuring each component uses exactly what it needs to build - no more, no less.
| Distribution | Signatures | Libc | Bootstrapped | Reproducible | Rust deps | |--------------|------------|-------|--------------|--------------|----------:| | Stagex | 2+ Human | Musl | Yes | Yes | 4 | | Debian | 1 Human | Glibc | No | Partial | 231 | | Arch | 1 Human | Glibc | No | Partial | 127 | | Fedora | 1 Bot | Glibc | No | No | 167 | | Alpine | None | Musl | No | No | 41 | --- # A Rust Example ```dockerfile FROM scratch AS fetch ADD . /app WORKDIR /app FROM stagex/pallet-rust AS build COPY --from=fetch . / COPY --from=stagex/nettle . / COPY --from=stagex/gmp . / ENV TARGET=x86_64-unknown-linux-musl RUN cargo build --release --target $TARGET FROM stagex/filesystem AS package COPY --from=build /app/target/$TARGET/release/hello /usr/bin/hello CMD ["/usr/bin/hello"] ``` --- # All packages in StageX are: * Built using hash-locked sources * Confirmed reproducible by multiple developers * Signed by multiple release maintainers ![bg right:35% 80%](https://mermaid.ink/svg/pako:eNptUstugzAQ_BVrzyQU0-ZBpR7S9lhVKr2FHIy9gCuDkbFTRYh_ryFVgtL6YO_OjHdk7_bAtUBIoFD6m1fMWPK5yxri185JJaL9dBzIYvFEPrA1WjiO0f4SHmZi-q-Y_hFf60zKVJZNtB_3W55eeDrnpwu_JgpZh1eYzmEIoEZTMyn8A_tRlIGtsMYMEh8qWVY2g2BGPKfpmVsqlqMihTboq77nX8gt6Yk-ohl_KiFH2clc4SMZMsiawVsxZ3V6ajgk1jgMwGhXVpAUTHU-c61gFl8kKw2rb9BXIa02F1BpJtCnPdhTO_amlJ31Blw3hSxH3Bnl4cratkvCcKSXpbSVy5dc12EnxdjI6rhdhSu62jAa42ods4c4FjyPtpuC3keFWN9FlMEwBICT_9t5EKZ5GH4Asmmvxw) --- # Multi-Signed OCI Images Multiple maintainers can each sign individual images, with the container runtime enforcing _multiple_ signatures by maintainers to ensure no individual maintainer could have tampered with an image. [![](https://mermaid.ink/svg/pako:eNpdklFrgzAQx79KuGdbV91s62DQpmNPZbDube4hJqdmRFNi7Cjid1-sa7EGAvn_f3c5LpcWuBYIMWRK__KCGUs-d0lF3NpvvvZMVtZtNGTzTWazF_Km_-F2DLcTSMeQTuBmkJReb5poOtFD_EdT27uEkUFvBnhQoimZFK6ltscJ2AJLTCB2RyXzwibgjQA9HAY2VyxFRTJtUObVe_qD3JKW6BOa_m1icpK1TBU-ky6BpOpcKdZYfThXHGJrGvTA6CYvIM6Yqp1qjoJZ3EmWG1ZeQwbzVUirzS1SaSbQyRbs-dgPI5eXVriuMpn3fmOUswtrj3Xs-z2e59IWTTrnuvRrKfrJFad15EdBtGJBiNEyZE9hKHi6WK-y4HGRieXDImDQdR7gpf5-mPzlA3R_HuyhBw)](https://mermaid.ink/svg/pako:eNpdklFrgzAQx79KuGdbV91s62DQpmNPZbDube4hJqdmRFNi7Cjid1-sa7EGAvn_f3c5LpcWuBYIMWRK__KCGUs-d0lF3NpvvvZMVtZtNGTzTWazF_Km_-F2DLcTSMeQTuBmkJReb5poOtFD_EdT27uEkUFvBnhQoimZFK6ltscJ2AJLTCB2RyXzwibgjQA9HAY2VyxFRTJtUObVe_qD3JKW6BOa_m1icpK1TBU-ky6BpOpcKdZYfThXHGJrGvTA6CYvIM6Yqp1qjoJZ3EmWG1ZeQwbzVUirzS1SaSbQyRbs-dgPI5eXVriuMpn3fmOUswtrj3Xs-z2e59IWTTrnuvRrKfrJFad15EdBtGJBiNEyZE9hKHi6WK-y4HGRieXDImDQdR7gpf5-mPzlA3R_HuyhBw) --- # Common toolchain dependencies StageX comes with developer-loved tooling and languages, such as: - `rust` - `go` - `python` - `curl` - `git` If you are interested in additionally software being added feel free to open a PR or let us know what you would like to see added. --- # Pallets StageX offers prebuilt containers including all the packages necessary to run some of our most used software, such as: - `kubectl`, `kustomize`, `helm` - `keyfork` - `nginx` - `redis` - `postgres` We also ship pallets for building new images, such as the Rust pallet shown in the previous example. --- # Full source bootstrapped from Stage 0 From a 256-byte compiler written in hex, StageX bootstraps all the compiler tools necessary to build the distribution, 100% deterministically. - Stage 0: Getting a basic C compiler on x86 - Stage 1: Building GCC for x86 - Stage 2: Upgrading GCC for x86_64 - Stage 3: Building up-to-date toolchains - Stage X: Shipping the software you know and love --- # OK, So What? By using stagex, an entire family of supply chain vulnerabilities can be eliminated. Removing unnecessary software reduces the attack surface of potentially malicious software, while deterministic builds help ensure software hasn't been tampered with. Because StageX can be used to build standalone Linux systems, it can also be used to generate bootable images without needing to ship unnecessary tooling such as a package manager or a compiler. --- # _Solar Winds_ of Change According to: https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ > - SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product. > - SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code. > - Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence. --- # Key Takeaways * StageX packages the software you're already using, securely. * By leveraging Docker, we avoid mixing package managers and build contexts. * Your software, at every point in the bootstrapped toolchain, can all be built deterministically. --- # What's Next? Packaging more software and updating existing software faster Adding additional container runtimes like Podman and Kaniko Adding additional chip architecture support such as ARM and RISC-V --- # Links **Matrix Chat**: #stagex:matrix.org **Git Repo**: https://codeberg.org/stagex/stagex Big thank you to sponsors who have supported the development of this project: **Turnkey, Distrust, Mysten Labs**