public
/
stagex
Archived
5
0
Fork 0
Code Issues 1 Pull Requests 1 Packages Projects Releases Wiki Activity

update intro and background #1

Closed
anton wants to merge 1 commits from feat/update-readme into main
pull from: feat/update-readme
merge into: public:main
Conversation 1 Commits 1 Files Changed 1 +23 -34
1 changed files with 23 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
README.md
View File

@ -1,43 +1,32 @@
# Packages # Packages
Minimalism and security first repository of reproducible and signed OCI images `packages` is a security first repository of [reproducible](https://en.wikipedia.org/wiki/Reproducible_builds) and [cryptographically signed](https://en.wikipedia.org/wiki/Digital_signature) OCI images (used by Docker, Podman, Buildah etc.) of common open source software packages built from source.
of common open source software packages built from source.
These can be used as a secure supply chain for anything from obtaining local These images can be used as part of a secure supply chain strategy for a wide variety of use-cases. Some examples include local environment setup, hardening CI/CD pipelines or bootstrapping Linux distributions used in production.
tools, to bootstrapping a Linux distribution.
## Background ## Background
We have learned a lot of lessons about supply chain integrity over the years, We have learned a lot of lessons about supply chain integrity over the years
and the greatest of them may be that any system that is complex to review and and the greatest of them may be that any system that is complex to review, and
assigns trust of significant components to single human points of failure, is assigns trust of significant components to individuals, creates enormous single
doomed to have failure. points of failure which will lead to eventual compromise.
Most linux distributions rely on complex package management systems for which Distros (Linux distributions) rely on complex package management systems for which
only a single implementation exists. They assign package signing privileges to only a single implementation exists. They typically generate a lot of custom tooling,
individual maintainers at best. Modern popular distros often fail to even do which in turn rapidly grows in complexity to meet demands ranging from hobby desktops to
this, having a central machine somewhere blindly signing all unsigned production servers. This complexity demands a lot of effort to maintain, and in practice
contributions from the public. results in a tendency to reduce security overhead in order to lower the barrier to
entry to attract more maintainers. As a result, projects rarely mandate cryptographic
signing or reproducible builds, let alone multiple signed reproduction proofs. In fact,
some popular distros use a server to blindly sign all contributions from the public, which
can give a false sense of security to the unassuming user.
We will cover an exhaustive comparison of the supply chain strategies of other We will cover an exhaustive comparison of the supply chain strategies of other
package management solutions elsewhere, but suffice to say while many are package management solutions elsewhere, but while many are pursuing reproducible builds,
pursuing reproducible builds, minimalism, or signing... any one solution minimalism, or signing, there isn't a solution which delivers on all of these basic
delivering on all of these does not seem in the cards any time soon. tenets of supply chain security. `packages` is an attempt to fix this, in order to satisfy
the criteria of reasonably secure supply chain strategy which requires more
This is generally a human problem. Most solutions end up generating a lot of than one individual to deterministically build and sign software.
custom tooling for package management, which in turn rapidly grows in
complexity to meet demands ranging from hobby desktop systems production
servers.
This complexity demands a lot of cycles to maintain, and this means in practice
lowering the barrier to entry to allow any hobbyist to contribute and maintain
packages with minimal friction and rarely a requirement of signing keys or
mandatory reproducible builds, let alone multiple signed reproduction proofs.
Suffice to say, we feel every current Linux package management solution and
container supply chain has single points of human failure, or review
complexity, that makes it undesirable for threat models that assume any single
human can be hacked or coerced.
## Goals ## Goals
@ -53,7 +42,7 @@ the future.
* Maintainers sign all package additions/changes * Maintainers sign all package additions/changes
* Like Gentoo, Debian, Fedora, Guix * Like Gentoo, Debian, Fedora, Guix
* Reviewers locally build and counter-sign all new binary packages * Reviewers locally build and counter-sign all new binary packages
* No one does this, as far as we can tell. * **No one does this, as far as we can tell.**
### Reproducibility ### Reproducibility
@ -86,7 +75,7 @@ the future.
### Requirements ### Requirements
* An OCI building runtime * An OCI building runtime
* Currently Docker supported, but will support buildah and podman * Currently Docker supported, but will support Buildah and Podman
* Gnu Make * Gnu Make
### Examples ### Examples
@ -126,7 +115,7 @@ make sign
Every package should have a minimum of 5 stages as follows Every package should have a minimum of 5 stages as follows
* base * base
* based on busybox or bootstrap * Based on busybox or bootstrap
* Runs as unprivileged user 1000 (user) * Runs as unprivileged user 1000 (user)
* Sets environment to be shared with fetch, build, and install stages * Sets environment to be shared with fetch, build, and install stages
* Imports dependencies for fetch, build, and install stages * Imports dependencies for fetch, build, and install stages