rename to stagex
This commit is contained in:
parent
71753e9f0b
commit
e1b1d9671f
6
Makefile
|
@ -1,6 +1,10 @@
|
||||||
export REGISTRY := local
|
|
||||||
export PLATFORM := linux/amd64
|
export PLATFORM := linux/amd64
|
||||||
export BUILDER := $(shell which docker)
|
export BUILDER := $(shell which docker)
|
||||||
|
export REGISTRY := stagex
|
||||||
|
export MIRRORS := \
|
||||||
|
https://git.distrust.co/${REGISTRY} \
|
||||||
|
${REGISTRY}
|
||||||
|
|
||||||
clean_logs := $(shell rm *.log 2>&1 >/dev/null || :)
|
clean_logs := $(shell rm *.log 2>&1 >/dev/null || :)
|
||||||
|
|
||||||
include src/macros.mk
|
include src/macros.mk
|
||||||
|
|
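Review bot: `export REGISTRY := stagex` replaces the `local` default with a simple (`:=`) assignment, so a contributor who only builds locally now has to pass `make REGISTRY=local` on the command line; an exported environment variable will not override it. If that local workflow is still intended, `REGISTRY ?= stagex` keeps the new default while letting the environment set it. The new `MIRRORS` list also ends with a bare `${REGISTRY}`, which the OCI builder will resolve against its implicit default registry rather than a named host; either spell the host out or document that the last mirror means "the builder's default registry". Not part of the rename, but in the retained context `rm *.log 2>&1 >/dev/null` routes stderr into the `$(shell)` capture and only stdout to `/dev/null`; the intended order is `>/dev/null 2>&1`.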
85
README.md
|
@ -1,4 +1,4 @@
|
||||||
# Packages
|
# Stage[x]
|
||||||
|
|
||||||
Minimalism and security first repository of reproducible and multi-signed OCI
|
Minimalism and security first repository of reproducible and multi-signed OCI
|
||||||
images of common open source software packages full-source bootsrapped from
|
images of common open source software packages full-source bootsrapped from
|
||||||
|
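Review bot: the heading becomes `# Stage[x]` while the Makefile registry and the comparison table in this same commit use `stagex`; settle on one spelling of the project name so the README, the image namespace and the table agree. While touching this hunk, the unchanged context line `full-source bootsrapped from` should read `bootstrapped`.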
@ -13,6 +13,36 @@ Our aim is to provide a reasonably secure set of toolchains for every major
|
||||||
programming language to be the basis of your containers, build systems,
|
programming language to be the basis of your containers, build systems,
|
||||||
firmware, secure enclaves, or hosting infrastructure.
|
firmware, secure enclaves, or hosting infrastructure.
|
||||||
|
|
||||||
|
## Goals
|
||||||
|
|
||||||
|
Not all of these goals are realized yet, but should at least help you decide
|
||||||
|
if this project is something you want to contribute to or keep an eye on for
|
||||||
|
the future.
|
||||||
|
|
||||||
|
### Integrity
|
||||||
|
|
||||||
|
* Anyone can reproduce the entire tree with tools from their current distro
|
||||||
|
* Hosted CI servers auto-sign confirmed deterministic builds
|
||||||
|
* Like NixOS
|
||||||
|
* Maintainers sign all package additions/changes
|
||||||
|
* Like Gentoo, Debian, Fedora, Guix
|
||||||
|
* Reviewers/Reproducers locally build and counter-sign all new binary packages
|
||||||
|
* No one does this, as far as we can tell
|
||||||
|
|
||||||
|
### Minimalism
|
||||||
|
|
||||||
|
* Based on musl libc
|
||||||
|
* Basis of successful minimal distros like Alpine, Adelie, Talos, Void
|
||||||
|
* Implemented with about 1/4 the code of glibc
|
||||||
|
* Required to produce portable static binaries in some languages
|
||||||
|
* Less prone to buffer overflows
|
||||||
|
* Puts being light, fast, and correct before compatibility
|
||||||
|
* Package using tools you already have
|
||||||
|
* OCI build tool of choice (Docker, Buildah, Podman)
|
||||||
|
* Make (for dependency management)
|
||||||
|
* Prove hashes of bootstrap layer builds match before proceeding
|
||||||
|
* Keep package definitions lean and readable with simple CLI and no magic
|
||||||
|
|
||||||
## Background
|
## Background
|
||||||
|
|
||||||
We have learned a lot of lessons about supply chain integrity over the years,
|
We have learned a lot of lessons about supply chain integrity over the years,
|
||||||
|
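Review bot: the Minimalism bullets `Implemented with about 1/4 the code of glibc` and `Less prone to buffer overflows` are asserted without a source, and the README's case for musl rests on them; link a line count or the relevant musl documentation, or soften them to what can be shown. Under Integrity, `Hosted CI servers auto-sign confirmed deterministic builds` should say what "confirmed" means (for example, matching hashes from independent builders) before `* Like NixOS` cites a precedent, and the moved bullet `* No one does this, as far as we can tell` dropped the trailing period the original copy had.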
@ -48,15 +78,15 @@ human can be hacked or coerced.
|
||||||
|
|
||||||
## Comparison
|
## Comparison
|
||||||
|
|
||||||
A comparison of `packages` to other distros in some of the areas we care about:
|
A comparison of `stagex` to other distros in some of the areas we care about:
|
||||||
|
|
||||||
| Distro | Single-Sig | Multi-Sig |Diver.| Musl | Stage0 | Repro. | Rust Deps |
|
| Distro | Single-Sig | Multi-Sig |Diver.| Musl | Stage0 | Repro. | Rust Deps |
|
||||||
|--------|------------|-----------|------|------|--------|--------|-----------|
|
|--------|------------|-----------|------|------|--------|--------|-----------|
|
||||||
| Stagex | x | p | p | x | x | x | 4 |
|
| Stagex | x | p | p | x | x | x | 4 |
|
||||||
| Guix | x | | | | x | x | 4 |
|
| Guix | x | | | | x | x | 4 |
|
||||||
| Nix | | | | | | ~99% | 4 |
|
| Nix | | | | | | p | 4 |
|
||||||
| Debian | x | | | | | ~95% | 232 |
|
| Debian | x | | | | | p | 232 |
|
||||||
| Arch | x | | | | | ~85% | 262 |
|
| Arch | x | | | | | p | 262 |
|
||||||
| Fedora | x | | | | | | 166 |
|
| Fedora | x | | | | | | 166 |
|
||||||
| Alpine | | | | | x | | 32 |
|
| Alpine | | | | | x | | 32 |
|
||||||
|
|
||||||
|
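Review bot: replacing `~99%`, `~95%` and `~85%` with `p` in the Repro. column discards the only quantitative data in the table, and neither `p` nor `x` is defined anywhere in the hunk. Keep the percentages, or add a legend line under the table such as `x = yes, p = partial` so the Stagex row (`x | p | p | x | x | x`) can be read. The headers `Diver.` and `Stage0` are likewise unexplained abbreviations and deserve a word each in the legend.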
@ -82,21 +112,24 @@ A comparison of `packages` to other distros in some of the areas we care about:
|
||||||
- The final resulting rust builds can run standalone
|
- The final resulting rust builds can run standalone
|
||||||
- We only actually need musl libc, llvm, and gcc to build most projects
|
- We only actually need musl libc, llvm, and gcc to build most projects
|
||||||
|
|
||||||
## Goals
|
### Signatures
|
||||||
|
|
||||||
Not all of these goals are realized yet, but should at least help you decide
|
* Signatures are made by the PGP public keys in the "keys" directory
|
||||||
if this project is something you want to contribute to or keep an eye on for
|
* Signatures are made by any tool that implements "[Container Signature Format](https://github.com/containers/image/blob/main/docs/containers-signature.5.md)"
|
||||||
the future.
|
* We provide a minimal shell script implementation as a convenience
|
||||||
|
* Podman also [implements support](https://github.com/containers/podman/blob/main/docs/tutorials/image_signing.md) for this signature scheme
|
||||||
### Integrity
|
* Signatures are "PR"ed and committed to this repo as a source of truth
|
||||||
|
* Signatures can be mirrored to any HTTPS url
|
||||||
* Anyone can reproduce the entire tree with tools from their current distro
|
* Container daemons can verify signatures on pull with a [containers-policy.json](https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md)
|
||||||
* Hosted CI servers auto-sign confirmed deterministic builds
|
* As a policy, we expect all published signers to:
|
||||||
* Like NixOS
|
* Maintain their PGP private keys offline and/or on personal HSMs
|
||||||
* Maintainers sign all package additions/changes
|
* E.g. Nitrokey, Yubikey, Leger, Trezor, etc.
|
||||||
* Like Gentoo, Debian, Fedora, Guix
|
* Maintain a public key in the "keys" folder of this repository
|
||||||
* Reviewers/Reproducers locally build and counter-sign all new binary packages
|
* Maintain a [keyoxide](https://keyoxide.org) profile self-certifying keys
|
||||||
* No one does this, as far as we can tell.
|
* Maintain a [Hagrid](https://keys.openpgp.org) profile with verified UIDs
|
||||||
|
* Make best efforts to meet in person and sign each others keys
|
||||||
|
* Create signatures from highly trusted operating systems
|
||||||
|
* E.g Dedicated QubesOS VM, or a an airgapped signing system
|
||||||
|
|
||||||
### Reproducibility
|
### Reproducibility
|
||||||
|
|
||||||
|
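Review bot: `Container daemons can verify signatures on pull with a containers-policy.json` is broader than what the linked format supports: `containers-policy.json` is enforced by the containers/image stack (Podman, Skopeo, CRI-O), not by the Docker daemon, so name the tools that honour it and show the `signedBy` requirement (GPG key type, `keyPath` pointing at the exported `keys` material) a user would add. Wording in the same hunk: signatures are made with the signers' private keys and verified against the public keys in `keys`, so `Signatures are made by the PGP public keys` should be reworded; `Signatures are "PR"ed and committed` reads better as `submitted as pull requests and committed`; `Leger` should be `Ledger`; and `E.g Dedicated QubesOS VM, or a an airgapped signing system` should be `E.g. a dedicated QubesOS VM, or an airgapped signing system`.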
@ -132,20 +165,6 @@ be bootstapped all the way from source code in a deterministic way.
|
||||||
|
|
||||||
For further reading see the [Bootstrappable Builds](https://bootstrappable.org/) Project.
|
For further reading see the [Bootstrappable Builds](https://bootstrappable.org/) Project.
|
||||||
|
|
||||||
### Minimalism
|
|
||||||
|
|
||||||
* Based on musl libc
|
|
||||||
* Basis of successful minimal distros like Alpine, Adelie, Talos, Void
|
|
||||||
* Implemented with about 1/4 the code of glibc
|
|
||||||
* Required to produce portable static binaries in some languages
|
|
||||||
* Less prone to buffer overflows
|
|
||||||
* Puts being light, fast, and correct before compatibility
|
|
||||||
* Package using tools you already have
|
|
||||||
* OCI build tool of choice (Docker, Buildah, Podman)
|
|
||||||
* Make (for dependency management)
|
|
||||||
* Prove hashes of bootstrap layer builds match before proceeding
|
|
||||||
* Keep package definitions lean and readable with simple CLI and no magic
|
|
||||||
|
|
||||||
## Building
|
## Building
|
||||||
|
|
||||||
### Requirements
|
### Requirements
|
||||||
|
|
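Review bot: the copy of the Minimalism and Integrity text added at the top of the README should be diffed against this deleted copy to confirm it was moved verbatim; at least `No one does this, as far as we can tell.` lost its trailing period in the move. The hunk header's unchanged context `be bootstapped all the way from source code` also carries a typo for `bootstrapped`, worth fixing alongside `bootsrapped` in the first hunk.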