Anton Livaja
Co-Founder & Security Engineer at Distrust (https://distrust.co)
- Firm specializing in high assurance security consulting and engineering.
- Clients: blockchain labs and companies, fin-tech, hedge funds, exchanges, electrical grid operators, healthcare providers, etc.
Trends in Supply Chain Security
"Supply chain threats increased by 1300% between 2020 and 2023"
- 2025 Software Supply Chain Security Report by ReversingLabs.
Linux Usage Statistics
- 70%+ servers run Linux
- ~5% desktop / laptop users use Linux
- ~12 widely used Linux distributions
Open Source vs Proprietary
- High risk environments require verifiability
- Proprietary software = security through obscurity
What is a "Linux Distribution"
- Linux kernel
- Software "packages"
- Package manager
- But they are not all equal...
Linux Distribution Security
- What machine are packages built on?
- Who maintains your Linux packages?
- How are the packages delivered?
Anatomy of a Package
- Maintainer creates a "package"
- The package is reviewed
- A centralized server builds the binary and signs it
Underutilized Strategies
- Reproducible / deterministic builds
- Full source bootstrapping
- Cryptographic signing
Reproducibility / Determinism
How Deep Do We Have to Go?
- Compiler
- Build and Runtime Environment
- Operating System + Packages
- Additional CLI / Tools
- Software Application
- First Party Code
- Third Party Code
Full Source Bootstrapping
Who Compiles the Compiler?
- Mostly downloaded as a binary
- Even if the compiler is built from source, usually another compiler is used to do so
- This means there is no clear provenance for how we went from nothing to having a usable compiler
Bootstrapping Compilers
- Consists of "stages" and hundreds of steps, starting from a rudimentary, human-auditable compiler and building all the way up to a modern compiler
- Bootstrapping programming languages
Cryptographic Signing
- Code signing
- Artifact signing
- Multi-person signing
Stageˣ
Open source Linux Distribution
- Minimal, bootstrapped, hermetic, and deterministic
Full source bootstrapped from Stage 0
From a <190 byte compiler written in machine code, StageX bootstraps all the compiler tools necessary to build the distribution, 100% deterministically.
- Stage 0: Getting a basic C compiler on x86 from hex0
- Stage 1: Building GCC for x86
- Stage 2: Upgrading GCC for x86_64
- Stage 3: Building up-to-date toolchains
- Stage X: Shipping the software you know and love
A Rust Example
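# Build stage: the base image is pinned by digest, not by tag
FROM stagex/pallet-rust@sha256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c AS build
ADD . /src
WORKDIR /src
ARG TARGET=x86_64-unknown-linux-musl
RUN cargo build --release --target ${TARGET}
# Final stage: empty image holding only the built binary
FROM scratch
# ARG values do not carry across stages, so TARGET is declared again
ARG TARGET=x86_64-unknown-linux-musl
# cargo ran in WORKDIR /src, so its output is under /src/target
COPY --from=build /src/target/${TARGET}/release/hello /usr/bin/hello
CMD ["/usr/bin/hello"]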
All packages in StageX are:
- Built using hash-locked sources
- Confirmed reproducible by multiple developers
- Signed by multiple release maintainers
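The Rust example pins its base image by `sha256` digest rather than by tag, which is what makes the build input hash-locked. A check for that property across a whole Dockerfile, as an added example that is not StageX's own tooling: `unpinned_images`, `example/base:latest` and `example/certs:1.0` are names constructed for illustration, and the parser assumes one instruction per line and does not inspect `RUN --mount` sources.

```python
import re

# A digest-pinned reference ends in @sha256:<64 lowercase hex characters>.
DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

def unpinned_images(dockerfile: str) -> list[tuple[int, str]]:
    """Return (line_number, image) for each external image not pinned by digest."""
    stages: set[str] = set()  # stage names and indexes defined so far
    findings = []
    stage_index = 0
    for lineno, raw in enumerate(dockerfile.splitlines(), start=1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        instr = words[0].upper()
        if instr == "FROM":
            # Drop flags such as --platform=linux/amd64.
            args = [w for w in words[1:] if not w.startswith("--")]
            if not args:
                continue
            image = args[0]
            # "scratch" and earlier stages are not registry pulls.
            if image != "scratch" and image.lower() not in stages \
                    and not DIGEST.search(image):
                findings.append((lineno, image))
            stages.add(str(stage_index))  # COPY --from=0 style references
            if len(args) >= 3 and args[1].upper() == "AS":
                stages.add(args[2].lower())
            stage_index += 1
        elif instr == "COPY":
            # COPY --from= may name a stage or pull straight from an image.
            for w in words[1:]:
                if w.startswith("--from="):
                    src = w.split("=", 1)[1]
                    if src.lower() not in stages and not DIGEST.search(src):
                        findings.append((lineno, src))
    return findings

# Constructed sample: the pinned digest is the one shown in the Rust example.
SAMPLE = """\
FROM stagex/pallet-rust@sha256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c AS build
RUN cargo build --release
FROM --platform=linux/amd64 example/base:latest AS tools
FROM scratch
COPY --from=build /src/target/release/hello /usr/bin/hello
COPY --from=tools /bin/tool /usr/bin/tool
COPY --from=example/certs:1.0 /etc/ssl /etc/ssl
"""

if __name__ == "__main__":
    for lineno, image in unpinned_images(SAMPLE):
        print(f"line {lineno}: {image} is not pinned by digest")
```

Run in CI, a non-empty result can fail the build before any tag-based image is pulled.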
Pallets
StageX offers prebuilt containers including all the packages necessary to run some of our most used software, such as:
rust
go
nodejs
nginx
redis
postgres
QubesOS
Key Takeaways
- Full-source bootstrap
- Use bit for bit determinism
- Leverage cryptographic signing
What's Next?
- Adding SBOM
- Packaging more software
- Fully automating software updates
- Additional container runtimes like Podman and Kaniko
- Additional chip architecture support such as ARM and RISC-V
How You Can Help
- Provide feedback
- Support with development efforts
- Become a sponsor
Links
Email: anton@distrust.co / sales@distrust.co
Matrix Chat: #stagex:matrix.org
Docker Hub: https://hub.docker.com/u/stagex
Git Repo: https://codeberg.org/stagex/stagex
AirgapOS: https://git.distrust.co/public/airgap
EnclaveOS: https://git.distrust.co/public/enclaveos