diff --git a/README.md b/README.md new file mode 100644 index 0000000..6eab3fc --- /dev/null +++ b/README.md @@ -0,0 +1,115 @@ +# ImgRep + +Repository of reproducible builds anchored to reputation anchored signatures. + +## About + +We have learned a lot of lessons about supply chain integrity over the years, +and the greatest of them may be that any system that is complex to review and +assigns trust of significant components to single human points of failure, is +doomed to have failure. + +Most linux distributions rely on complex package management systems for which +only a single implementation exists. They assign package signing privileges to +individual maintainers at best. Modern popular distros often fail to even do +this, having a central machine somewhere blindly signing all unsigned +contributions from the public. + +We will cover an exhaustive comparison of the supply chain strategies of other +linux distros elsewhere, but suffice to say while many are pursuing +reproducible builds, minimalism, or signing... any one distro delivering on all +of these does not seem in the cards any time soon. + +This is generally a human problem. Most distros end up generating a lot of +custom tooling for package management, which in turn rapidly grows in +complexity to meet demands ranging from hobby desktop systems production +servers. + +This complexity demands a lot of cycles to maintain, and this means in practice +lowering the barrier to entry to allow any hobbyist to contribute and maintain +packages with minimal friction and rarely a requirement of signing keys or +mandatory reproducible builds, let alone multiple signed reproduction proofs. + +Suffice to say, we feel every current Linux distribution has single points of +human failure, or review complexity, that makes it undesirable for threat +models that assume any single human can be hacked or coerced. + +## Building + +### Requirements + +* An OCI building runtime + * Currently Docker supported, but will support buildah and podman +* Gnu Make + +## Compile all packages + +``` +make +``` + +## Compile specific package + +``` +make out/rust.tgz +``` + +## Reproduce all changed packages + +``` +make reproduce +``` + +## Reproduce all packages without cache + +``` +make clean reproduce +``` + +## Sign current manifest of package hashes + +``` +make sign +``` + +## Goals + +Not all of these goals are realized yet, but should at least help you decide +if this project is something you want to contribute to or keep an eye on for +the future. + +### Integrity + +* Anyone can reproduce the entire tree with tools from their current distro +* Hosted CI servers auto-sign confirmed deterministic builds + * Like NixOS +* Maintainers sign all package additions/changes + * Like Gentoo, Debian, Fedora, Guix +* Reviewers locally build and counter-sign all new binary packages + * No one does this, as far as we can tell. + +### Reproducibility + +* Trust no single external source of binaries + * Bootstrap from two different third party signed distros +* Never use external binaries + * Bootstrap from 0, always, even if it means going back in time + * Go, rust require extensive work to bootstrap all the way back to gcc + * Guix is the only distro that does this for rust to our knowledge +* Full-Source Bootstrap from x86_64 assembly + * Take maximum advantage of the hard won wins by the Guix team + * Bootstrap from guile driver reproduced on multiple signed distros + +### Minimalism + +* Based on musl libc + * Basis of successful minimal distros like Alpine, Adelie, Talos, Void + * Implemented with about 1/4 the code of glibc + * Required to produce portable static binaries in some languages + * Less prone to buffer overflows + * Puts being light, fast, and correct before compatibility +* Package using tools you already have + * OCI build tool of choice (Docker, Buildah, Podman) + * Make (for dependency management) + * Prove hashes of bootstrap layer builds match before proceeding +* Keep package definitions lean and readable with simple CLI and no magic