From 03a1fa376120e149701f6fec18d5dca5c7c7c5a9 Mon Sep 17 00:00:00 2001 From: "Lance R. Vick" Date: Thu, 7 Dec 2023 07:52:12 -0800 Subject: [PATCH 1/2] name change, sponsorship, and various readme updates --- README.md | 111 +++++++++++++++++++++++++++++------------------------- 1 file changed, 60 insertions(+), 51 deletions(-) diff --git a/README.md b/README.md index 0c5cc6c..b11340a 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,12 @@ -# ImgRep +# Packages -Repository of reproducibly built images of common open source Linux toolchains -and software with reputation anchored signatures. +Minimalism and security first repository of OCI images of common open source +software packages built from source. -## About +These can be used as a secure supply chain for anything from obtaining local +tools, to bootstrapping a Linux distribution. + +## Background We have learned a lot of lessons about supply chain integrity over the years, and the greatest of them may be that any system that is complex to review and @@ -17,11 +20,11 @@ this, having a central machine somewhere blindly signing all unsigned contributions from the public. We will cover an exhaustive comparison of the supply chain strategies of other -linux distros elsewhere, but suffice to say while many are pursuing -reproducible builds, minimalism, or signing... any one distro delivering on all -of these does not seem in the cards any time soon. +package management solutions elsewhere, but suffice to say while many are +pursuing reproducible builds, minimalism, or signing... any one solution +delivering on all of these does not seem in the cards any time soon. -This is generally a human problem. Most distros end up generating a lot of +This is generally a human problem. Most solutions end up generating a lot of custom tooling for package management, which in turn rapidly grows in complexity to meet demands ranging from hobby desktop systems production servers. 
@@ -31,49 +34,10 @@ lowering the barrier to entry to allow any hobbyist to contribute and maintain
 packages with minimal friction and rarely a requirement of signing keys or
 mandatory reproducible builds, let alone multiple signed reproduction proofs.
 
-Suffice to say, we feel every current Linux distribution has single points of
-human failure, or review complexity, that makes it undesirable for threat
-models that assume any single human can be hacked or coerced.
-
-## Building
-
-### Requirements
-
-* An OCI building runtime
-  * Currently Docker supported, but will support buildah and podman
-* Gnu Make
-
-### Examples
-
-#### Compile all packages
-
-```
-make
-```
-
-#### Compile specific package
-
-```
-make out/rust.tgz
-```
-
-#### Reproduce all changed packages
-
-```
-make reproduce
-```
-
-#### Reproduce all packages without cache
-
-```
-make clean reproduce
-```
-
-#### Sign current manifest of package hashes
-
-```
-make sign
-```
+Suffice to say, we feel every current Linux package management solution and
+container supply chain has single points of human failure, or review
+complexity, that makes it undesirable for threat models that assume any single
+human can be hacked or coerced.
 
 ## Goals
 
@@ -116,3 +80,48 @@ the future.
 * Make (for dependency management)
 * Prove hashes of bootstrap layer builds match before proceeding
 * Keep package definitions lean and readable with simple CLI and no magic
+
+## Building
+
+### Requirements
+
+* An OCI building runtime
+  * Currently Docker supported, but will support buildah and podman
+* Gnu Make
+
+### Examples
+
+#### Compile all packages
+
+```
+make
+```
+
+#### Compile specific package
+
+```
+make out/rust.tgz
+```
+
+#### Reproduce all changed packages
+
+```
+make reproduce
+```
+
+#### Reproduce all packages without cache
+
+```
+make clean reproduce
+```
+
+#### Sign current manifest of package hashes
+
+```
+make sign
+```
+
+## Sponsors
+
+- Turnkey
+- Mysten Labs
From effb8babed08baf419d6f6628f16030435c35f9f Mon Sep 17 00:00:00 2001
From: "Lance R. Vick"
Date: Thu, 7 Dec 2023 08:02:05 -0800
Subject: [PATCH 2/2] distrust rename

---
 Makefile | 70 ++++++++++++++++++++++++++++----------------------------
 1 file changed, 35 insertions(+), 35 deletions(-)

diff --git a/Makefile b/Makefile
index 0983214..6c6f5b0 100644
--- a/Makefile
+++ b/Makefile
@@ -1,40 +1,40 @@
 export SOURCE_DATE_EPOCH = 0
 
 out/bootstrap.oci.tgz:
-	docker build -t imgrep/bootstrap --output type=oci,dest=$@ bootstrap
+	docker build -t distrust/bootstrap --output type=oci,dest=$@ bootstrap
 
 out/musl.oci.tgz: \
 	out/bootstrap.oci.tgz
-	docker build -t imgrep/musl --output type=oci,dest=$@ musl
+	docker build -t distrust/musl --output type=oci,dest=$@ musl
 
 out/busybox.oci.tgz: \
 	out/bootstrap.oci.tgz
-	docker build -t imgrep/busybox --output type=oci,dest=$@ busybox
+	docker build -t distrust/busybox --output type=oci,dest=$@ busybox
 
 out/binutils.oci.tgz: \
 	out/bootstrap.oci.tgz \
 	out/musl.oci.tgz
-	docker build -t imgrep/binutils --output type=oci,dest=$@ binutils
+	docker build -t distrust/binutils --output type=oci,dest=$@ binutils
 
 out/linux-headers.oci.tgz:
-	docker build -t imgrep/linux-headers --output type=oci,dest=$@ linux-headers
+	docker build -t distrust/linux-headers --output type=oci,dest=$@ linux-headers
 
 out/gcc.oci.tgz: \
 	out/bootstrap.oci.tgz \
 	out/musl.oci.tgz
-	docker build -t imgrep/gcc --output type=oci,dest=$@ gcc
+	docker build -t distrust/gcc --output type=oci,dest=$@ gcc
 
 out/make.oci.tgz: \
 	out/bootstrap.oci.tgz \
 	out/musl.oci.tgz
-	docker build -t imgrep/make --output type=oci,dest=$@ make
+	docker build -t distrust/make --output type=oci,dest=$@ make
 
 out/ca-certificates.oci.tgz:
-	docker build -t imgrep/ca-certificates --output type=oci,dest=$@ ca-certificates
+	docker build -t distrust/ca-certificates --output type=oci,dest=$@ ca-certificates
 
 out/bash.oci.tgz: \
 	out/gcc.oci.tgz
-	docker build -t imgrep/bash --output type=oci,dest=$@ bash
+	docker build -t distrust/bash --output type=oci,dest=$@ bash
 
 out/m4.oci.tgz: \
 	out/busybox.oci.tgz \
@@ -42,7 +42,7 @@ out/m4.oci.tgz: \
 	out/binutils.oci.tgz \
 	out/musl.oci.tgz \
 	out/make.oci.tgz
-	docker build -t imgrep/m4 --output type=oci,dest=$@ m4
+	docker build -t distrust/m4 --output type=oci,dest=$@ m4
 
 out/autoconf.oci.tgz: \
 	out/busybox.oci.tgz \
@@ -52,7 +52,7 @@ out/autoconf.oci.tgz: \
 	out/make.oci.tgz \
 	out/perl.oci.tgz \
 	out/m4.oci.tgz
-	docker build -t imgrep/autoconf --output type=oci,dest=$@ autoconf
+	docker build -t distrust/autoconf --output type=oci,dest=$@ autoconf
 
 out/automake.oci.tgz: \
 	out/busybox.oci.tgz \
@@ -63,7 +63,7 @@ out/automake.oci.tgz: \
 	out/perl.oci.tgz \
 	out/autoconf.oci.tgz \
 	out/m4.oci.tgz
-	docker build -t imgrep/automake --output type=oci,dest=$@ automake
+	docker build -t distrust/automake --output type=oci,dest=$@ automake
 
 out/sed.oci.tgz: \
 	out/busybox.oci.tgz \
@@ -71,7 +71,7 @@ out/sed.oci.tgz: \
 	out/binutils.oci.tgz \
 	out/musl.oci.tgz \
 	out/make.oci.tgz
-	docker build -t imgrep/sed --output type=oci,dest=$@ sed
+	docker build -t distrust/sed --output type=oci,dest=$@ sed
 
 out/libtool.oci.tgz: \
 	out/busybox.oci.tgz \
@@ -82,7 +82,7 @@ out/libtool.oci.tgz: \
 	out/bash.oci.tgz \
 	out/sed.oci.tgz \
 	out/m4.oci.tgz
-	docker build -t imgrep/libtool --output type=oci,dest=$@ libtool
+	docker build -t distrust/libtool --output type=oci,dest=$@ libtool
 
 out/pkgconf.oci.tgz: \
 	out/busybox.oci.tgz \
@@ -91,7 +91,7 @@ out/pkgconf.oci.tgz: \
 	out/musl.oci.tgz \
 	out/make.oci.tgz \
 	out/libtool.oci.tgz
-	docker build -t imgrep/pkgconf --output type=oci,dest=$@ pkgconf
+	docker build -t distrust/pkgconf --output type=oci,dest=$@ pkgconf
 
 out/libxml2.oci.tgz: \
 	out/busybox.oci.tgz \
@@ -107,7 +107,7 @@ out/libxml2.oci.tgz: \
 	out/automake.oci.tgz \
 	out/pkgconf.oci.tgz \
 	out/libtool.oci.tgz
-	docker build -t imgrep/libxml2 --output type=oci,dest=$@ libxml2
+	docker build -t distrust/libxml2 --output type=oci,dest=$@ libxml2
 
 out/libunwind.oci.tgz: \
 	out/busybox.oci.tgz \
@@ -119,7 +119,7 @@ out/libunwind.oci.tgz: \
 	out/autoconf.oci.tgz \
 	out/automake.oci.tgz \
 	out/libtool.oci.tgz
-	docker build -t imgrep/libunwind --output type=oci,dest=$@ libunwind
+	docker build -t distrust/libunwind --output type=oci,dest=$@ libunwind
 
 out/openssl.oci.tgz: \
 	out/gcc.oci.tgz \
@@ -127,7 +127,7 @@ out/openssl.oci.tgz: \
 	out/busybox.oci.tgz \
 	out/linux-headers.oci.tgz \
 	out/musl.oci.tgz
-	docker build -t imgrep/openssl --output type=oci,dest=$@ openssl
+	docker build -t distrust/openssl --output type=oci,dest=$@ openssl
 
 out/go.oci.tgz: \
 	out/gcc.oci.tgz \
@@ -135,7 +135,7 @@ out/go.oci.tgz: \
 	out/busybox.oci.tgz \
 	out/bash.oci.tgz \
 	out/musl.oci.tgz
-	docker build -t imgrep/go --output type=oci,dest=$@ go
+	docker build -t distrust/go --output type=oci,dest=$@ go
 
 out/perl.oci.tgz: \
 	out/gcc.oci.tgz \
@@ -143,7 +143,7 @@ out/perl.oci.tgz: \
 	out/busybox.oci.tgz \
 	out/make.oci.tgz \
 	out/musl.oci.tgz
-	docker build -t imgrep/perl --output type=oci,dest=$@ perl
+	docker build -t distrust/perl --output type=oci,dest=$@ perl
 
 out/curl.oci.tgz: \
 	out/gcc.oci.tgz \
@@ -153,7 +153,7 @@ out/curl.oci.tgz: \
 	out/binutils.oci.tgz \
 	out/openssl.oci.tgz \
 	out/ca-certificates.oci.tgz
-	docker build -t imgrep/curl --output type=oci,dest=$@ curl
+	docker build -t distrust/curl --output type=oci,dest=$@ curl
 
 out/python.oci.tgz: \
 	out/gcc.oci.tgz \
@@ -163,7 +163,7 @@ out/python.oci.tgz: \
 	out/openssl.oci.tgz \
 	out/make.oci.tgz \
 	out/musl.oci.tgz
-	docker build -t imgrep/python --output type=oci,dest=$@ python
+	docker build -t distrust/python --output type=oci,dest=$@ python
 
 out/ninja.oci.tgz: \
 	out/busybox.oci.tgz \
@@ -173,7 +173,7 @@ out/ninja.oci.tgz: \
 	out/make.oci.tgz \
 	out/openssl.oci.tgz \
 	out/python.oci.tgz
-	docker build -t imgrep/ninja --output type=oci,dest=$@ ninja
+	docker build -t distrust/ninja --output type=oci,dest=$@ ninja
 
 out/cmake.oci.tgz: \
 	out/busybox.oci.tgz \
@@ -183,12 +183,12 @@ out/cmake.oci.tgz: \
 	out/musl.oci.tgz \
 	out/make.oci.tgz \
 	out/linux-headers.oci.tgz
-	docker build -t imgrep/cmake --output type=oci,dest=$@ cmake
+	docker build -t distrust/cmake --output type=oci,dest=$@ cmake
 
 out/py-setuptools.oci.tgz: \
 	out/busybox.oci.tgz \
 	out/python.oci.tgz
-	docker build -t imgrep/py-setuptools --output type=oci,dest=$@ py-setuptools
+	docker build -t distrust/py-setuptools --output type=oci,dest=$@ py-setuptools
 
 out/zlib.oci.tgz: \
 	out/busybox.oci.tgz \
@@ -196,7 +196,7 @@ out/zlib.oci.tgz: \
 	out/binutils.oci.tgz \
 	out/musl.oci.tgz \
 	out/make.oci.tgz
-	docker build -t imgrep/zlib --output type=oci,dest=$@ zlib
+	docker build -t distrust/zlib --output type=oci,dest=$@ zlib
 
 out/llvm.oci.tgz: \
 	out/gcc.oci.tgz \
@@ -208,7 +208,7 @@ out/llvm.oci.tgz: \
 	out/ninja.oci.tgz \
 	out/busybox.oci.tgz \
 	out/musl.oci.tgz
-	docker build -t imgrep/llvm --output type=oci,dest=$@ llvm
+	docker build -t distrust/llvm --output type=oci,dest=$@ llvm
 
 out/llvm13.oci.tgz: \
 	out/gcc.oci.tgz \
@@ -220,7 +220,7 @@ out/llvm13.oci.tgz: \
 	out/ninja.oci.tgz \
 	out/busybox.oci.tgz \
 	out/musl.oci.tgz
-	docker build -t imgrep/llvm13 --output type=oci,dest=$@ llvm13
+	docker build -t distrust/llvm13 --output type=oci,dest=$@ llvm13
 
 out/rust.oci.tgz: \
 	out/gcc.oci.tgz \
@@ -232,16 +232,16 @@ out/rust.oci.tgz: \
 	out/make.oci.tgz \
 	out/busybox.oci.tgz \
 	out/musl.oci.tgz
-	docker build -t imgrep/rust --output type=oci,dest=$@ rust
+	docker build -t distrust/rust --output type=oci,dest=$@ rust
 
 test:
-	docker build -t imgrep/test-c tests/c
-	docker build -t imgrep/test-go tests/go
-	docker build -t imgrep/test-perl tests/perl
+	docker build -t distrust/test-c tests/c
+	docker build -t distrust/test-go tests/go
+	docker build -t distrust/test-perl tests/perl
 	@printf "\nOcirep Test Suite\n"
 	@printf "go -> "
-	@docker run -i imgrep/test-go | grep Success
+	@docker run -i distrust/test-go | grep Success
 	@printf "c -> "
-	@docker run -i imgrep/test-c | grep Success
+	@docker run -i distrust/test-c | grep Success
 	@printf "perl -> "
-	@docker run -i imgrep/test-perl | grep Success
+	@docker run -i distrust/test-perl | grep Success
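Review bot: The rename misses the banner in the `test` target: the context line `@printf "\nOcirep Test Suite\n"` still carries a name that appears nowhere else in this patch, while every tag in the same hunk now reads `distrust/...`; change it to `@printf "\nDistrust Test Suite\n"` (or whatever the project is now called) so the suite output matches the new namespace. A second point on the new lines: each check is `@docker run -i distrust/test-X | grep Success`, and under make's default `/bin/sh` the recipe's status is that of `grep`, so a container that prints `Success` and then exits non-zero would still pass, assuming that is possible for these test images. If the exit code matters, set `SHELL := /bin/bash` and `.SHELLFLAGS := -o pipefail -c` at the top of the Makefile, which is outside this hunk.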