more detail and examples in readme

Lance Vick 2024-01-30 06:43:30 -08:00
parent 56dcd1b569
commit 17fd3c4002
Signed by: lrvick
GPG Key ID: 8E47A1EC35A1551D
1 changed files with 63 additions and 6 deletions
@ -1,9 +1,68 @@
# Stage[x]
Minimalism and security first repository of reproducible and multi-signed OCI
images of common open source software packages full-source bootsrapped from
images of common open source software toolchains full-source bootsrapped from
Stage 0 all the way up.
If you want to build or deploy software on a foundation of minimalism and
determinism with reasonable security, stagex might be the foundation you are
looking for.
## Usage
You can do anything with these images you would with most any other musl based
containerized linux distro, only with high supply chain integrity and
determinism.
For a full list of images see the "src" directory.
### Examples
Get a shell in our x86_64 Stage3 bootstrap image:
```
docker run -it stagex/stage3
```
Run a Python hello world:
```
docker run -i stagex/python -c "print('hello world')"
```
Make a hello world OCI container image with Rust:
```
FROM stagex/busybox as build
COPY --from=stagex/rust . /
COPY --from=stagex/gcc . /
COPY --from=stagex/binutils . /
RUN printf 'fn main(){ println!("Hello World!"); }' > hello.rs
RUN rustc hello.rs
FROM scratch
COPY --from=build /home/user/hello .
CMD ["./hello"]
```
### Package Management
Unlike most linux distros, stagex was built for determinism, minimalism, and
containers first, and thus has no concept of a traditional package manager.
In fact, stagex ships no first-party code at all. We just package things in the
most "stock" way possible with exceptions only to maintain determinism.
Every image is "from scratch" and contains an empty filesystem with the
installed package.
By default you always get the latest updates to dependencies on the fly, but
you retain the option for bit-for-bit reproducible builds by locking any given
dependency at a particular tag or image hash.
If you want an old version of rust with a recent version of Gcc to work around
some problem build, you can do that without resorting to low security \
"curl | bash" style solutions like rustup.
## Goals
We built to support very high risk threat models where trusting any single
system or maintainer in our software supply chain cannot be tolerated. That
said, we should also function as a drop-in replacement for musl-based linux
@ -13,11 +72,9 @@ Our aim is to provide a reasonably secure set of toolchains for every major
programming language to be the basis of your containers, build systems,
firmware, secure enclaves, or hosting infrastructure.
## Goals
Not all of these goals are realized yet, but should at least help you decide
if this project is something you want to contribute to or keep an eye on for
the future.
Not all of these goals are 100% realized yet, but should at least help you
decide if this project is something you want to contribute to or keep an eye on
for the future.
### Integrity
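Review bot: The rewritten sentence "Not all of these goals are 100% realized yet, but should at least help you decide..." drops the subject of the second clause; "but they should at least help you decide" reads correctly. Removing the duplicate `## Goals` heading here is right, since the previous hunk already introduces that heading ahead of "We built to support very high risk threat models".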