add initial readme
This commit is contained in:
parent
89b89b7c0b
commit
7849863bab
|
@ -0,0 +1,115 @@
|
|||
# ImgRep
|
||||
|
||||
Repository of reproducible builds anchored to reputation anchored signatures.
|
||||
|
||||
## About
|
||||
|
||||
We have learned a lot of lessons about supply chain integrity over the years,
|
||||
and the greatest of them may be that any system that is complex to review and
|
||||
assigns trust of significant components to single human points of failure, is
|
||||
doomed to have failure.
|
||||
|
||||
Most linux distributions rely on complex package management systems for which
|
||||
only a single implementation exists. They assign package signing privileges to
|
||||
individual maintainers at best. Modern popular distros often fail to even do
|
||||
this, having a central machine somewhere blindly signing all unsigned
|
||||
contributions from the public.
|
||||
|
||||
We will cover an exhaustive comparison of the supply chain strategies of other
|
||||
linux distros elsewhere, but suffice to say while many are pursuing
|
||||
reproducible builds, minimalism, or signing... any one distro delivering on all
|
||||
of these does not seem in the cards any time soon.
|
||||
|
||||
This is generally a human problem. Most distros end up generating a lot of
|
||||
custom tooling for package management, which in turn rapidly grows in
|
||||
complexity to meet demands ranging from hobby desktop systems production
|
||||
servers.
|
||||
|
||||
This complexity demands a lot of cycles to maintain, and this means in practice
|
||||
lowering the barrier to entry to allow any hobbyist to contribute and maintain
|
||||
packages with minimal friction and rarely a requirement of signing keys or
|
||||
mandatory reproducible builds, let alone multiple signed reproduction proofs.
|
||||
|
||||
Suffice to say, we feel every current Linux distribution has single points of
|
||||
human failure, or review complexity, that makes it undesirable for threat
|
||||
models that assume any single human can be hacked or coerced.
|
||||
|
||||
## Building
|
||||
|
||||
### Requirements
|
||||
|
||||
* An OCI building runtime
|
||||
* Currently Docker supported, but will support buildah and podman
|
||||
* Gnu Make
|
||||
|
||||
## Compile all packages
|
||||
|
||||
```
|
||||
make
|
||||
```
|
||||
|
||||
## Compile specific package
|
||||
|
||||
```
|
||||
make out/rust.tgz
|
||||
```
|
||||
|
||||
## Reproduce all changed packages
|
||||
|
||||
```
|
||||
make reproduce
|
||||
```
|
||||
|
||||
## Reproduce all packages without cache
|
||||
|
||||
```
|
||||
make clean reproduce
|
||||
```
|
||||
|
||||
## Sign current manifest of package hashes
|
||||
|
||||
```
|
||||
make sign
|
||||
```
|
||||
|
||||
## Goals
|
||||
|
||||
Not all of these goals are realized yet, but should at least help you decide
|
||||
if this project is something you want to contribute to or keep an eye on for
|
||||
the future.
|
||||
|
||||
### Integrity
|
||||
|
||||
* Anyone can reproduce the entire tree with tools from their current distro
|
||||
* Hosted CI servers auto-sign confirmed deterministic builds
|
||||
* Like NixOS
|
||||
* Maintainers sign all package additions/changes
|
||||
* Like Gentoo, Debian, Fedora, Guix
|
||||
* Reviewers locally build and counter-sign all new binary packages
|
||||
* No one does this, as far as we can tell.
|
||||
|
||||
### Reproducibility
|
||||
|
||||
* Trust no single external source of binaries
|
||||
* Bootstrap from two different third party signed distros
|
||||
* Never use external binaries
|
||||
* Bootstrap from 0, always, even if it means going back in time
|
||||
* Go, rust require extensive work to bootstrap all the way back to gcc
|
||||
* Guix is the only distro that does this for rust to our knowledge
|
||||
* Full-Source Bootstrap from x86_64 assembly
|
||||
* Take maximum advantage of the hard won wins by the Guix team
|
||||
* Bootstrap from guile driver reproduced on multiple signed distros
|
||||
|
||||
### Minimalism
|
||||
|
||||
* Based on musl libc
|
||||
* Basis of successful minimal distros like Alpine, Adelie, Talos, Void
|
||||
* Implemented with about 1/4 the code of glibc
|
||||
* Required to produce portable static binaries in some languages
|
||||
* Less prone to buffer overflows
|
||||
* Puts being light, fast, and correct before compatibility
|
||||
* Package using tools you already have
|
||||
* OCI build tool of choice (Docker, Buildah, Podman)
|
||||
* Make (for dependency management)
|
||||
* Prove hashes of bootstrap layer builds match before proceeding
|
||||
* Keep package definitions lean and readable with simple CLI and no magic
|
Reference in New Issue