blog draft

Anton Livaja 2025-04-02 16:39:33 -07:00
parent 386e206922
commit a6c76180b5
Signed by: anton
GPG Key ID: 44A86CFF1FDF0E85
1 changed files with 25 additions and 0 deletions

@ -0,0 +1,25 @@
---
layout: post
title: SUI Blockchain Upgrades to StageX for Supply Chain Security
date: 2025-04-03
---
We are thrilled to announce a significant milestone. Mysten Labs, the creators of the SUI blockchain have been collaborating with Distrust to upgrade the supply chain security of their nodes. They chose to use StageX, an open source toolchain created by Distrust to solve the issues having single points of failure in supply chains. What do we mean by single points of failure?
When building software, currently most projects are trusting that the developers who package and provide foundational building blocks like the packages which are sintalled on the server that's used to build the software is clean. This is hard to prove, because the way the majority of Linux distributions don't use full source bootstrapped compilers, making it nearly impossible to verify that the compiler can be trusted, and their packaged software (dependencies you install using `apk` or `apt`), are not built in a deterministic manner, allowing the maintainers to (intentionally or non-intentionally) introduce flaws into the binaries they package. The integrity hashes which are often available are not reproducible, and the signatures which are provided are a last mile effort to protec the binary from modification between the place it's being downloaded from, and the end user.
This leaves a wide surface area for attacks, which is actively being worked towards being expolited by state funded actors, as evident from the recent xz attack which was a near miss. To answer this, Distrust designed a build system which has answers for this form of attack. Firstly, the toolchain focuses on building a full source bootstrapped compiler to ensure that the compiler can be trusted (read more on "Reflections On Trusting Trust" problem). This eliminates the risk stemming from a compromised compiler. Then all software was forced to build in a bit for bit reproducible manner. This was achieved by ensuring that StageX is both hermetic, and bit for bit reproducible. By doing this, we make it possible to reproduce all of the software used in the toolchain, including the compiler, on a diverse set of systems, with varying operating systems, chipset architectures, and container runtime environments (coming soon), in order to ensure that the software that foundational building blocks of build systems can be trusted. To add another layer of assurance, the maintainers of the StageX distribution do the reproduction and if hashes match, produce PGP signatures, using keys which are only managed in TEE, and are used for signing via smart-cards.
Bitcoin core is another example of a project that also builds their software in this manner as they recognize the risk, but they took a slightly different approach, using Guix. This was a reasonable and viable approach, but lacks some features which StageX felt were essential to add. Firstly we felt that a user experience improvement was necessary to make it easier for a wider audience to make use of the tooling. For this reason we made StageX OCI native, meaning that the whole system is built using container images, making it easy to integrate them into existing containerized environments, significantly improving portability and integration effort required to switch to using StageX. In a lot of cases, switching to StageX is as simple as pulling a StageX image instead of another distribution's like Alpine. The end user gets the same software, except with additional security guarantees.
Because there is a lack of focus on closing off these attack vectors there has been a large shift of attackers looking to exploit supply chains. Projects that run mission critical should invest into upgrading their systems to benefit from the tooling now that it exists. In the past there weren't solutions that make it as easy to achieve a fully hermetic and deterministic build toolchain, but now that it does, there are fewer excuses to not integrate these security controls
Mysten is one of the few forward looking teams that is looking at this type of risk and addressing it in concrete terms. There are a few other companies leading the charge such as Turnkey, a leading digital assets wallet infrastructure company, as well as Sidero, the creators of the widely used Talos Linux distribtuion, widely used by major corporations such as Nokia and . The shift to leveraging full source bootstrappign and hermetic and deterministic builds as a secureity control is a inevitable shift, as there is everythign to gain and nothing to lose.
This partnership goes beyond technical implementation; it represents a shared commitment to advancing security best practices in the industry. Our teams are working closely together, and Mysten has helped fund the research and development of StageX, for the benefit of everyone.
We believe this collaboration sets a powerful example for the industry, demonstrating the significant value that open-source solutions and proactive security measures bring to organizations of all sizes. As we continue to develop tools and strategies for enhancing software supply chain security, partnerships like these play a vital role in driving innovation and setting new standards for secure software development.
Stay tuned for more updates as we continue to strengthen our collaboration, share insights, and deliver results that benefit the wider community.
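Review bot: the post body has several spelling errors and one unfinished sentence that should be fixed before publishing: "sintalled" (installed), "protec" (protect), "expolited" (exploited), "distribtuion" (distribution), "bootstrappign" (bootstrapping), "secureity" (security), "everythign" (everything), "a inevitable" (an inevitable), and "widely used by major corporations such as Nokia and ." is missing the second company name. The paragraph ending "fewer excuses to not integrate these security controls" also lacks its final period, and "Mysten Labs, the creators of the SUI blockchain have been collaborating" needs a comma after "blockchain". Beyond spelling, the opening sentence of the second paragraph is a run-on whose subject and verb do not agree ("most projects are trusting that the developers who package and provide foundational building blocks like the packages which are sintalled on the server that's used to build the software is clean"); consider splitting it into a claim and its justification, e.g. "most projects trust that the packages installed on the build server are clean. That is hard to prove: most Linux distributions do not use full-source-bootstrapped compilers, and their packaged software is not built deterministically." Finally, "read more on "Reflections On Trusting Trust" problem" would read better as "read more on the "Reflections On Trusting Trust" problem", ideally with a link to the paper.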