name change, sponsorship, and various readme updates
parent
48726ae4f2
commit
03a1fa3761
111
README.md
|
@ -1,9 +1,12 @@
|
||||||
# ImgRep
|
# Packages
|
||||||
|
|
||||||
Repository of reproducibly built images of common open source Linux toolchains
|
Minimalism and security first repository of OCI images of common open source
|
||||||
and software with reputation anchored signatures.
|
software packages built from source.
|
||||||
|
|
||||||
## About
|
These can be used as a secure supply chain for anything from obtaining local
|
||||||
|
tools, to bootstrapping a Linux distribution.
|
||||||
|
|
||||||
|
## Background
|
||||||
|
|
||||||
We have learned a lot of lessons about supply chain integrity over the years,
|
We have learned a lot of lessons about supply chain integrity over the years,
|
||||||
and the greatest of them may be that any system that is complex to review and
|
and the greatest of them may be that any system that is complex to review and
|
||||||
|
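Review bot: the rewritten tagline (`Minimalism and security first repository of OCI images of common open source` / `software packages built from source.`) drops both "reproducibly built" and any mention of signatures from the one-line description, even though reproduction and signing remain the project's distinguishing claims further down (`make reproduce`, `make sign`, "multiple signed reproduction proofs"). Consider keeping reproducibility in the first sentence, e.g. `Minimalism and security-first repository of reproducibly built OCI images of common open source software, compiled from source.` Also hyphenate `security-first`, and drop the stray comma in `from obtaining local tools, to bootstrapping a Linux distribution`.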
@ -17,11 +20,11 @@ this, having a central machine somewhere blindly signing all unsigned
|
||||||
contributions from the public.
|
contributions from the public.
|
||||||
|
|
||||||
We will cover an exhaustive comparison of the supply chain strategies of other
|
We will cover an exhaustive comparison of the supply chain strategies of other
|
||||||
linux distros elsewhere, but suffice to say while many are pursuing
|
package management solutions elsewhere, but suffice to say while many are
|
||||||
reproducible builds, minimalism, or signing... any one distro delivering on all
|
pursuing reproducible builds, minimalism, or signing... any one solution
|
||||||
of these does not seem in the cards any time soon.
|
delivering on all of these does not seem in the cards any time soon.
|
||||||
|
|
||||||
This is generally a human problem. Most distros end up generating a lot of
|
This is generally a human problem. Most solutions end up generating a lot of
|
||||||
custom tooling for package management, which in turn rapidly grows in
|
custom tooling for package management, which in turn rapidly grows in
|
||||||
complexity to meet demands ranging from hobby desktop systems production
|
complexity to meet demands ranging from hobby desktop systems production
|
||||||
servers.
|
servers.
|
||||||
|
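Review bot: the unchanged context lines `complexity to meet demands ranging from hobby desktop systems production` / `servers.` are missing a word; since this paragraph is being edited anyway, change them to `ranging from hobby desktop systems to production servers`. In the added line `package management solutions elsewhere, but suffice to say while many are`, a comma after `suffice to say` would make the sentence easier to parse.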
@ -31,49 +34,10 @@ lowering the barrier to entry to allow any hobbyist to contribute and maintain
|
||||||
packages with minimal friction and rarely a requirement of signing keys or
|
packages with minimal friction and rarely a requirement of signing keys or
|
||||||
mandatory reproducible builds, let alone multiple signed reproduction proofs.
|
mandatory reproducible builds, let alone multiple signed reproduction proofs.
|
||||||
|
|
||||||
Suffice to say, we feel every current Linux distribution has single points of
|
Suffice to say, we feel every current Linux package management solution and
|
||||||
human failure, or review complexity, that makes it undesirable for threat
|
container supply chain has single points of human failure, or review
|
||||||
models that assume any single human can be hacked or coerced.
|
complexity, that makes it undesirable for threat models that assume any single
|
||||||
|
human can be hacked or coerced.
|
||||||
## Building
|
|
||||||
|
|
||||||
### Requirements
|
|
||||||
|
|
||||||
* An OCI building runtime
|
|
||||||
* Currently Docker supported, but will support buildah and podman
|
|
||||||
* Gnu Make
|
|
||||||
|
|
||||||
### Examples
|
|
||||||
|
|
||||||
#### Compile all packages
|
|
||||||
|
|
||||||
```
|
|
||||||
make
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Compile specific package
|
|
||||||
|
|
||||||
```
|
|
||||||
make out/rust.tgz
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Reproduce all changed packages
|
|
||||||
|
|
||||||
```
|
|
||||||
make reproduce
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Reproduce all packages without cache
|
|
||||||
|
|
||||||
```
|
|
||||||
make clean reproduce
|
|
||||||
```
|
|
||||||
|
|
||||||
#### Sign current manifest of package hashes
|
|
||||||
|
|
||||||
```
|
|
||||||
make sign
|
|
||||||
```
|
|
||||||
|
|
||||||
## Goals
|
## Goals
|
||||||
|
|
||||||
|
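Review bot: the widened claim in `Suffice to say, we feel every current Linux package management solution and` / `container supply chain has single points of human failure, or review` / `complexity` now extends to container supply chains, but nothing in the Background section supports that extension; either name the failure mode you have in mind for container images (a single signing key or a central build host, as the earlier `having a central machine somewhere blindly signing` paragraph does for distros) or keep the claim scoped to what the section argues. Also, `Suffice to say` now opens two paragraphs within Background; vary one of them. The removed Building section reappears verbatim in the last hunk, so that part of this hunk is a pure move and needs no further review.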
@ -116,3 +80,48 @@ the future.
|
||||||
* Make (for dependency management)
|
* Make (for dependency management)
|
||||||
* Prove hashes of bootstrap layer builds match before proceeding
|
* Prove hashes of bootstrap layer builds match before proceeding
|
||||||
* Keep package definitions lean and readable with simple CLI and no magic
|
* Keep package definitions lean and readable with simple CLI and no magic
|
||||||
|
|
||||||
|
## Building
|
||||||
|
|
||||||
|
### Requirements
|
||||||
|
|
||||||
|
* An OCI building runtime
|
||||||
|
* Currently Docker supported, but will support buildah and podman
|
||||||
|
* Gnu Make
|
||||||
|
|
||||||
|
### Examples
|
||||||
|
|
||||||
|
#### Compile all packages
|
||||||
|
|
||||||
|
```
|
||||||
|
make
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Compile specific package
|
||||||
|
|
||||||
|
```
|
||||||
|
make out/rust.tgz
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Reproduce all changed packages
|
||||||
|
|
||||||
|
```
|
||||||
|
make reproduce
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Reproduce all packages without cache
|
||||||
|
|
||||||
|
```
|
||||||
|
make clean reproduce
|
||||||
|
```
|
||||||
|
|
||||||
|
#### Sign current manifest of package hashes
|
||||||
|
|
||||||
|
```
|
||||||
|
make sign
|
||||||
|
```
|
||||||
|
|
||||||
|
## Sponsors
|
||||||
|
|
||||||
|
- Turnkey
|
||||||
|
- Mysten Labs
|
||||||
|
|
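Review bot: the Building examples document how to build, reproduce and sign (`#### Sign current manifest of package hashes` / `make sign`) but not how a consumer verifies the result: which key `make sign` uses, where the signed manifest is published, and what command checks a downloaded `out/rust.tgz` against it. Without a documented verification step the "secure supply chain" promise in the About section gives the user nothing to check; add a verification example alongside the sign example, or a pointer to the manifest format. Also `* Gnu Make` should read `* GNU Make`, and the untagged code fences would render with highlighting if tagged `sh`.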