name change, sponsorship, and various readme updates

Lance Vick 2023-12-07 07:52:12 -08:00
parent 48726ae4f2
commit 03a1fa3761
Signed by: lrvick
GPG Key ID: 8E47A1EC35A1551D
1 changed files with 60 additions and 51 deletions

README.md

@ -1,9 +1,12 @@
# ImgRep # Packages
Repository of reproducibly built images of common open source Linux toolchains Minimalism and security first repository of OCI images of common open source
and software with reputation anchored signatures. software packages built from source.
## About These can be used as a secure supply chain for anything from obtaining local
tools, to bootstrapping a Linux distribution.
## Background
We have learned a lot of lessons about supply chain integrity over the years, We have learned a lot of lessons about supply chain integrity over the years,
and the greatest of them may be that any system that is complex to review and and the greatest of them may be that any system that is complex to review and
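Review bot: the rewritten opening paragraph drops the two properties that distinguish this repository, reproducible builds and reputation-anchored signatures, even though `make reproduce` and `make sign` remain the core workflow later in the same file; the old text "Repository of reproducibly built images ... with reputation anchored signatures" said this in one sentence, so consider keeping it, e.g. "Minimalism- and security-first repository of reproducibly built, signed OCI images of common open source software packages built from source." Two style points on the new lines: "Minimalism and security first" wants hyphens ("Minimalism- and security-first"), and the comma in "from obtaining local tools, to bootstrapping a Linux distribution" should go.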
@ -17,11 +20,11 @@ this, having a central machine somewhere blindly signing all unsigned
contributions from the public. contributions from the public.
We will cover an exhaustive comparison of the supply chain strategies of other We will cover an exhaustive comparison of the supply chain strategies of other
linux distros elsewhere, but suffice to say while many are pursuing package management solutions elsewhere, but suffice to say while many are
reproducible builds, minimalism, or signing... any one distro delivering on all pursuing reproducible builds, minimalism, or signing... any one solution
of these does not seem in the cards any time soon. delivering on all of these does not seem in the cards any time soon.
This is generally a human problem. Most distros end up generating a lot of This is generally a human problem. Most solutions end up generating a lot of
custom tooling for package management, which in turn rapidly grows in custom tooling for package management, which in turn rapidly grows in
complexity to meet demands ranging from hobby desktop systems production complexity to meet demands ranging from hobby desktop systems production
servers. servers.
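Review bot: the context line "demands ranging from hobby desktop systems production servers" is missing the word "to" ("ranging from hobby desktop systems to production servers") and is carried over unchanged by this rewording; since these lines are already being touched, fix it here. Also "suffice to say" should read "suffice it to say" in both places it appears in this hunk. The generalization from "linux distros" to "package management solutions" is applied consistently across the paragraph, which is good, since the new intro now positions the project against container supply chains rather than distributions.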
@ -31,49 +34,10 @@ lowering the barrier to entry to allow any hobbyist to contribute and maintain
packages with minimal friction and rarely a requirement of signing keys or packages with minimal friction and rarely a requirement of signing keys or
mandatory reproducible builds, let alone multiple signed reproduction proofs. mandatory reproducible builds, let alone multiple signed reproduction proofs.
Suffice to say, we feel every current Linux distribution has single points of Suffice to say, we feel every current Linux package management solution and
human failure, or review complexity, that makes it undesirable for threat container supply chain has single points of human failure, or review
models that assume any single human can be hacked or coerced. complexity, that makes it undesirable for threat models that assume any single
human can be hacked or coerced.
## Building
### Requirements
* An OCI building runtime
* Currently Docker supported, but will support buildah and podman
* Gnu Make
### Examples
#### Compile all packages
```
make
```
#### Compile specific package
```
make out/rust.tgz
```
#### Reproduce all changed packages
```
make reproduce
```
#### Reproduce all packages without cache
```
make clean reproduce
```
#### Sign current manifest of package hashes
```
make sign
```
## Goals ## Goals
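Review bot: the subject and verb disagree in the new sentence "every current Linux package management solution and container supply chain has single points of human failure, or review complexity, that makes it undesirable"; the relative clause attaches to "single points ... or review complexity", so it should be "that make it undesirable", or restructure to "has single points of human failure or review complexity, which makes it undesirable". Separately, the whole "## Building" section (Requirements and Examples, through `make sign`) is deleted here and re-added verbatim after Goals in the next hunk; a pure move mixed into a wording commit inflates the diff to 60 additions and 51 deletions and hides the actual text changes, so consider splitting the relocation into its own commit.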
@ -116,3 +80,48 @@ the future.
* Make (for dependency management) * Make (for dependency management)
* Prove hashes of bootstrap layer builds match before proceeding * Prove hashes of bootstrap layer builds match before proceeding
* Keep package definitions lean and readable with simple CLI and no magic * Keep package definitions lean and readable with simple CLI and no magic
## Building
### Requirements
* An OCI building runtime
* Currently Docker supported, but will support buildah and podman
* Gnu Make
### Examples
#### Compile all packages
```
make
```
#### Compile specific package
```
make out/rust.tgz
```
#### Reproduce all changed packages
```
make reproduce
```
#### Reproduce all packages without cache
```
make clean reproduce
```
#### Sign current manifest of package hashes
```
make sign
```
## Sponsors
- Turnkey
- Mysten Labs
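Review bot: the new "## Sponsors" list uses `-` bullets while every other list in this README (the Goals items and the Building requirements just above) uses `*`; switch to `* Turnkey` and `* Mysten Labs` for consistency. While the Building section is being relocated, the five fenced blocks carry no language tag even though each holds a shell command; tagging them ```sh gives correct highlighting on the rendered page. Two small wording fixes in the moved Requirements list: "Gnu Make" should be "GNU Make", and "Currently Docker supported" is missing a verb ("Currently Docker is supported").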