name change, sponsorship, and various readme updates
This commit is contained in:
parent
48726ae4f2
commit
03a1fa3761
111
README.md
111
README.md
|
@ -1,9 +1,12 @@
|
|||
# ImgRep
|
||||
# Packages
|
||||
|
||||
Repository of reproducibly built images of common open source Linux toolchains
|
||||
and software with reputation anchored signatures.
|
||||
Minimalism and security first repository of OCI images of common open source
|
||||
software packages built from source.
|
||||
|
||||
## About
|
||||
These can be used as a secure supply chain for anything from obtaining local
|
||||
tools, to bootstrapping a Linux distribution.
|
||||
|
||||
## Background
|
||||
|
||||
We have learned a lot of lessons about supply chain integrity over the years,
|
||||
and the greatest of them may be that any system that is complex to review and
|
||||
|
@ -17,11 +20,11 @@ this, having a central machine somewhere blindly signing all unsigned
|
|||
contributions from the public.
|
||||
|
||||
We will cover an exhaustive comparison of the supply chain strategies of other
|
||||
linux distros elsewhere, but suffice to say while many are pursuing
|
||||
reproducible builds, minimalism, or signing... any one distro delivering on all
|
||||
of these does not seem in the cards any time soon.
|
||||
package management solutions elsewhere, but suffice to say while many are
|
||||
pursuing reproducible builds, minimalism, or signing... any one solution
|
||||
delivering on all of these does not seem in the cards any time soon.
|
||||
|
||||
This is generally a human problem. Most distros end up generating a lot of
|
||||
This is generally a human problem. Most solutions end up generating a lot of
|
||||
custom tooling for package management, which in turn rapidly grows in
|
||||
complexity to meet demands ranging from hobby desktop systems production
|
||||
servers.
|
||||
|
@ -31,49 +34,10 @@ lowering the barrier to entry to allow any hobbyist to contribute and maintain
|
|||
packages with minimal friction and rarely a requirement of signing keys or
|
||||
mandatory reproducible builds, let alone multiple signed reproduction proofs.
|
||||
|
||||
Suffice to say, we feel every current Linux distribution has single points of
|
||||
human failure, or review complexity, that makes it undesirable for threat
|
||||
models that assume any single human can be hacked or coerced.
|
||||
|
||||
## Building
|
||||
|
||||
### Requirements
|
||||
|
||||
* An OCI building runtime
|
||||
* Currently Docker supported, but will support buildah and podman
|
||||
* Gnu Make
|
||||
|
||||
### Examples
|
||||
|
||||
#### Compile all packages
|
||||
|
||||
```
|
||||
make
|
||||
```
|
||||
|
||||
#### Compile specific package
|
||||
|
||||
```
|
||||
make out/rust.tgz
|
||||
```
|
||||
|
||||
#### Reproduce all changed packages
|
||||
|
||||
```
|
||||
make reproduce
|
||||
```
|
||||
|
||||
#### Reproduce all packages without cache
|
||||
|
||||
```
|
||||
make clean reproduce
|
||||
```
|
||||
|
||||
#### Sign current manifest of package hashes
|
||||
|
||||
```
|
||||
make sign
|
||||
```
|
||||
Suffice to say, we feel every current Linux package management solution and
|
||||
container supply chain has single points of human failure, or review
|
||||
complexity, that makes it undesirable for threat models that assume any single
|
||||
human can be hacked or coerced.
|
||||
|
||||
## Goals
|
||||
|
||||
|
@ -116,3 +80,48 @@ the future.
|
|||
* Make (for dependency management)
|
||||
* Prove hashes of bootstrap layer builds match before proceeding
|
||||
* Keep package definitions lean and readable with simple CLI and no magic
|
||||
|
||||
## Building
|
||||
|
||||
### Requirements
|
||||
|
||||
* An OCI building runtime
|
||||
* Currently Docker supported, but will support buildah and podman
|
||||
* Gnu Make
|
||||
|
||||
### Examples
|
||||
|
||||
#### Compile all packages
|
||||
|
||||
```
|
||||
make
|
||||
```
|
||||
|
||||
#### Compile specific package
|
||||
|
||||
```
|
||||
make out/rust.tgz
|
||||
```
|
||||
|
||||
#### Reproduce all changed packages
|
||||
|
||||
```
|
||||
make reproduce
|
||||
```
|
||||
|
||||
#### Reproduce all packages without cache
|
||||
|
||||
```
|
||||
make clean reproduce
|
||||
```
|
||||
|
||||
#### Sign current manifest of package hashes
|
||||
|
||||
```
|
||||
make sign
|
||||
```
|
||||
|
||||
## Sponsors
|
||||
|
||||
- Turnkey
|
||||
- Mysten Labs
|
||||
|
|
Reference in New Issue