public
/
presentations
5
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity
presentations/stagex/stagex.md

5.7 KiB
Raw Blame History

_class paginate backgroundColor
lead true

bg left:40% 80%

Bootstrapping Reproducibility with StageX

Minimalism and security first repository

Approach the distribution of a toolchain by ensuring each component uses exactly what it needs to build - no more, no less.

A Rust Example

FROM scratch AS build
COPY --from=stagex/busybox . /
COPY --from=stagex/rust . /
COPY --from=stagex/musl . /
COPY --from=stagex/gcc . /
COPY --from=stagex/llvm . /
COPY --from=stagex/binutils . /
COPY --from=stagex/libunwind . /
ADD <<EOF hello.rs
fn main() {
    println!("Hello, world!");
}
EOF
RUN rustc hello.rs
FROM scratch
COPY --from=build ./hello .
CMD ["./hello"]

All packages in StageX are:

  • Built using hash-locked sources
  • Confirmed reproducible by multiple developers
  • Signed by multiple release maintainers

OCI Images

Common toolchain dependencies

StageX comes with developer-loved tooling and languages, such as:

  • rust
  • go
  • python
  • curl
  • git

If you are interested in additionally software being added feel free to open a PR or let us know what you would like to see added.

Pallets

StageX offers prebuilt containers including all the packages necessary to run some of our most used software, such as:

  • kubectl, kustomize, helm
  • keyfork
  • nginx
  • redis
  • postgres

Full source bootstrapped from Stage 0

The StageX compiler and all libraries necessary to build software are themselves fully bootstrapped and deterministic

Bootstrapped - built up from "nothing" in order to allow verification of how the compiler is built - ensuring there is no malicious code added to it at any point.

Ken Thompson describes the risk of using a compiler which can't be verified to be trustworthy in his seminal paper "Reflections on Trusting Trust"

OK, So What?

There is an entire family of supply chain vulnerabilities which can be eliminated by using StageX

By reducing the number of dependencies needed to run and build software, we remove unnecessary software which can act as an entry point for malicious software such as malware

For example, if using Debian as a base for rust, one ends up using 232 dependencies, where as StageX only requires 4 dependencies

Additionally, there has not been a simple way to verify that a compiler is trusted.

This is because compilers are used to build other compilers, and for a long time, we lost the ability to build up a compiler toolchain from "nothing"

StageX allows us to bootstrap the compiler toolchain, making it easy to verify that no malicious code was introduced at any point, by reviewing the code, and it also does so in a deterministic manner, which makes it simple to further verify the integrity of the binary

What's Next?

Packaging more software

Adding additional container runtimes like Podman and Kaniko

Adding additional chip architecture support such as ARM and RISC-V

Links

Presenter: <your_name>

Matrix Chat: #stagex:matrix.org

Git Repo: https://codeberg.org/stagex/stagex

Big thank you to sponsors who have supported the development of this project:

Turnkey, Distrust, Mysten Labs