public
/
stagex
Archived
5
0
Fork 0
Code Issues 1 Pull Requests 1 Packages Projects Releases Wiki Activity
This repository has been archived on 2024-08-04. You can view files and clone it, but cannot push or open issues or pull requests.
stagex/README.md

149 lines
5.2 KiB
Markdown
Raw Permalink Blame History

# Packages
`packages` is a security first repository of [reproducible](https://en.wikipedia.org/wiki/Reproducible_builds) and [cryptographically signed](https://en.wikipedia.org/wiki/Digital_signature) OCI images (used by Docker, Podman, Buildah etc.) of common open source software packages built from source.
These images can be used as part of a secure supply chain strategy for a wide variety of use-cases. Some examples include local environment setup, hardening CI/CD pipelines or bootstrapping Linux distributions used in production.
## Background
We have learned a lot of lessons about supply chain integrity over the years
and the greatest of them may be that any system that is complex to review, and
assigns trust of significant components to individuals, creates enormous single
points of failure which will lead to eventual compromise.
Distros (Linux distributions) rely on complex package management systems for which
only a single implementation exists. They typically generate a lot of custom tooling,
which in turn rapidly grows in complexity to meet demands ranging from hobby desktops to
production servers. This complexity demands a lot of effort to maintain, and in practice
results in a tendency to reduce security overhead in order to lower the barrier to
entry to attract more maintainers. As a result, projects rarely mandate cryptographic
signing or reproducible builds, let alone multiple signed reproduction proofs. In fact,
some popular distros use a server to blindly sign all contributions from the public, which
can give a false sense of security to the unassuming user.
We will cover an exhaustive comparison of the supply chain strategies of other
package management solutions elsewhere, but while many are pursuing reproducible builds,
minimalism, or signing, there isn't a solution which delivers on all of these basic
tenets of supply chain security. `packages` is an attempt to fix this, in order to satisfy
the criteria of reasonably secure supply chain strategy which requires more
than one individual to deterministically build and sign software.
## Goals
Not all of these goals are realized yet, but should at least help you decide
if this project is something you want to contribute to or keep an eye on for
the future.
### Integrity
* Anyone can reproduce the entire tree with tools from their current distro
* Hosted CI servers auto-sign confirmed deterministic builds
* Like NixOS
* Maintainers sign all package additions/changes
* Like Gentoo, Debian, Fedora, Guix
* Reviewers locally build and counter-sign all new binary packages
* **No one does this, as far as we can tell.**
### Reproducibility
* Trust no single external source of binaries
* Bootstrap from two different third party signed distros
* Never use external binaries
* Bootstrap from 0, always, even if it means going back in time
* Go, rust require extensive work to bootstrap all the way back to gcc
* Guix is the only distro that does this for rust to our knowledge
* Full-Source Bootstrap from x86_64 assembly
* Take maximum advantage of the hard won wins by the Guix team
* Bootstrap from guile driver reproduced on multiple signed distros
### Minimalism
* Based on musl libc
* Basis of successful minimal distros like Alpine, Adelie, Talos, Void
* Implemented with about 1/4 the code of glibc
* Required to produce portable static binaries in some languages
* Less prone to buffer overflows
* Puts being light, fast, and correct before compatibility
* Package using tools you already have
* OCI build tool of choice (Docker, Buildah, Podman)
* Make (for dependency management)
* Prove hashes of bootstrap layer builds match before proceeding
* Keep package definitions lean and readable with simple CLI and no magic
## Building
### Requirements
* An OCI building runtime
* Currently Docker supported, but will support Buildah and Podman
* Gnu Make
### Examples
#### Compile all packages
```
make
```
#### Compile specific package
```
make out/rust.tgz
```
#### Reproduce all changed packages
```
make reproduce
```
#### Reproduce all packages without cache
```
make clean reproduce
```
#### Sign current manifest of package hashes
```
make sign
```
## Packaging
Every package should have a minimum of 5 stages as follows
* base
* Based on busybox or bootstrap
* Runs as unprivileged user 1000 (user)
* Sets environment to be shared with fetch, build, and install stages
* Imports dependencies for fetch, build, and install stages
* fetch
* Based on "base"
* Runs as unprivileged user 1000 (user)
* Has internet access
* Obtains any needed source files from the internet
* Verifies sources against hardcoded hashes
* build
* Based on "fetch"
* Runs as unprivileged user 1000 (user)
* Extract sources
* Apply any patches as needed
* Build any artifacts as needed
* install
* Based on "build"
* Elevates privileges to user 0:0 (root)
* Installs all files in /home/user/rootfs owned by root
* Sets all timestamps in /home/user/rootfs to @0 (Unix Epoch)
* package
* Based on scratch
* Copies /home/user/rootfs from "install" to /
* Sets runtime user/perms/env as needed
## Sponsors
- Turnkey
- Distrust
- Mysten Labs
Reference in New Issue View Git Blame Copy Permalink