---
_class: lead
paginate: true
backgroundColor: #fff
---
![bg left:40% 80%](img/stagex-logo.png)
# Bootstrapping Reproducibility with StageX
The steps involved in going from a 256 byte compiler to a deterministic
bit-for-bit reproducible Linux distribution.
---
# The Problem: Is Your Toolchain Secure?
```dockerfile
FROM stagex/openssl
COPY --from=stagex/musl . /
ENTRYPOINT ["/usr/bin/openssl"]
CMD ["rand", "-hex", "12"]
```
```sh
docker build -t stagex/openssl -f stagex-openssl.Containerfile .
docker run stagex/openssl
# Output: 2a2a2a2a2a2a2a2a2a2a2a2a
```
![width: auto](img/demo-auto.gif)
---
# Minimalism and security first Linux distribution
Approach the development of a secure toolchain by ensuring each component uses
exactly what it needs to build - no more, no less.
| Distribution | Signatures | Libc | Bootstrapped | Reproducible | Rust deps |
|--------------|------------|-------|--------------|--------------|----------:|
| Stagex | 2+ Human | Musl | Yes | Yes | 4 |
| Debian | 1 Human | Glibc | No | Partial | 231 |
| Arch | 1 Human | Glibc | No | Partial | 127 |
| Fedora | 1 Bot | Glibc | No | No | 167 |
| Alpine | None | Musl | No | No | 41 |
---
# A Rust Example
```dockerfile
FROM scratch AS fetch
ADD . /app
WORKDIR /app
FROM stagex/pallet-rust AS build
COPY --from=fetch . /
COPY --from=stagex/nettle . /
COPY --from=stagex/gmp . /
ENV TARGET=x86_64-unknown-linux-musl
RUN cargo build --release --target $TARGET
FROM stagex/filesystem AS package
COPY --from=build /app/target/$TARGET/release/hello /usr/bin/hello
CMD ["/usr/bin/hello"]
```
---
# All packages in StageX are:
* Built using hash-locked sources
* Confirmed reproducible by multiple developers
* Signed by multiple release maintainers
![bg right:35% 80%](https://mermaid.ink/svg/pako:eNptUstugzAQ_BVrzyQU0-ZBpR7S9lhVKr2FHIy9gCuDkbFTRYh_ryFVgtL6YO_OjHdk7_bAtUBIoFD6m1fMWPK5yxri185JJaL9dBzIYvFEPrA1WjiO0f4SHmZi-q-Y_hFf60zKVJZNtB_3W55eeDrnpwu_JgpZh1eYzmEIoEZTMyn8A_tRlIGtsMYMEh8qWVY2g2BGPKfpmVsqlqMihTboq77nX8gt6Yk-ohl_KiFH2clc4SMZMsiawVsxZ3V6ajgk1jgMwGhXVpAUTHU-c61gFl8kKw2rb9BXIa02F1BpJtCnPdhTO_amlJ31Blw3hSxH3Bnl4cratkvCcKSXpbSVy5dc12EnxdjI6rhdhSu62jAa42ods4c4FjyPtpuC3keFWN9FlMEwBICT_9t5EKZ5GH4Asmmvxw)
---
# Multi-Signed OCI Images
Multiple maintainers can each sign individual images, with the container
runtime enforcing _multiple_ signatures by maintainers to ensure no individual
maintainer could have tampered with an image.
[![](https://mermaid.ink/svg/pako:eNpdklFrgzAQx79KuGdbV91s62DQpmNPZbDube4hJqdmRFNi7Cjid1-sa7EGAvn_f3c5LpcWuBYIMWRK__KCGUs-d0lF3NpvvvZMVtZtNGTzTWazF_Km_-F2DLcTSMeQTuBmkJReb5poOtFD_EdT27uEkUFvBnhQoimZFK6ltscJ2AJLTCB2RyXzwibgjQA9HAY2VyxFRTJtUObVe_qD3JKW6BOa_m1icpK1TBU-ky6BpOpcKdZYfThXHGJrGvTA6CYvIM6Yqp1qjoJZ3EmWG1ZeQwbzVUirzS1SaSbQyRbs-dgPI5eXVriuMpn3fmOUswtrj3Xs-z2e59IWTTrnuvRrKfrJFad15EdBtGJBiNEyZE9hKHi6WK-y4HGRieXDImDQdR7gpf5-mPzlA3R_HuyhBw)](https://mermaid.ink/svg/pako:eNpdklFrgzAQx79KuGdbV91s62DQpmNPZbDube4hJqdmRFNi7Cjid1-sa7EGAvn_f3c5LpcWuBYIMWRK__KCGUs-d0lF3NpvvvZMVtZtNGTzTWazF_Km_-F2DLcTSMeQTuBmkJReb5poOtFD_EdT27uEkUFvBnhQoimZFK6ltscJ2AJLTCB2RyXzwibgjQA9HAY2VyxFRTJtUObVe_qD3JKW6BOa_m1icpK1TBU-ky6BpOpcKdZYfThXHGJrGvTA6CYvIM6Yqp1qjoJZ3EmWG1ZeQwbzVUirzS1SaSbQyRbs-dgPI5eXVriuMpn3fmOUswtrj3Xs-z2e59IWTTrnuvRrKfrJFad15EdBtGJBiNEyZE9hKHi6WK-y4HGRieXDImDQdR7gpf5-mPzlA3R_HuyhBw)
---
# Common toolchain dependencies
StageX comes with developer-loved tooling and languages, such as:
- `rust`
- `go`
- `python`
- `curl`
- `git`
If you are interested in additionally software being added feel free to open a
PR or let us know what you would like to see added.
---
# Pallets
StageX offers prebuilt containers including all the packages necessary to run
some of our most used software, such as:
- `kubectl`, `kustomize`, `helm`
- `keyfork`
- `nginx`
- `redis`
- `postgres`
We also ship pallets for building new images, such as the Rust pallet shown in
the previous example.
---
# Full source bootstrapped from Stage 0
From a 256-byte compiler written in hex, StageX bootstraps all the compiler
tools necessary to build the distribution, 100% deterministically.
- Stage 0: Getting a basic C compiler on x86
- Stage 1: Building GCC for x86
- Stage 2: Upgrading GCC for x86_64
- Stage 3: Building up-to-date toolchains
- Stage X: Shipping the software you know and love
---
# OK, So What?
By using stagex, an entire family of supply chain vulnerabilities can be
eliminated. Removing unnecessary software reduces the attack surface of
potentially malicious software, while deterministic builds help ensure
software hasn't been tampered with.
Because StageX can be used to build standalone Linux systems, it can also be
used to generate bootable images without needing to ship unnecessary tooling
such as a package manager or a compiler.
---
# _Solar Winds_ of Change
According to: https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
> - SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.
> - SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code.
> - Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence.
---
# Key Takeaways
* StageX packages the software you're already using, securely.
* By leveraging Docker, we avoid mixing package managers and build contexts.
* Your software, at every point in the bootstrapped toolchain, can all be built
deterministically.
---
# What's Next?
Packaging more software and updating existing software faster
Adding additional container runtimes like Podman and Kaniko
Adding additional chip architecture support such as ARM and RISC-V
---
# Links
**Matrix Chat**: #stagex:matrix.org
**Git Repo**: https://codeberg.org/stagex/stagex
Big thank you to sponsors who have supported the development of this project:
**Turnkey, Distrust, Mysten Labs**