
182 points yarapavan | 2 comments
lrvick No.43615037
Great coverage; however, it failed to mention code review and artifact signing, as well as full source bootstrapping, which are fundamental defenses most distros skip.

In our distro, Stagex, our threat model assumes at least one maintainer, sysadmin, or computer is compromised at all times.

This has resulted in some specific design choices and practices:

- 100% deterministic, hermetic, reproducible

- full source bootstrapped from 180 bytes of human-auditable machine code

- all commits signed by authors

- all reviews signed by reviewers

- all released artifacts are multi-party reproduced and signed

- fully OCI (container) native all the way down "FROM scratch"

- all packages easily hash-locked to give downstream software easy determinism as well

This all goes well beyond the tactics used in Nix and Guix.

As far as we know, Stagex is the only distro designed to strictly distrust maintainers.

https://stagex.tools

replies(4): >>43616418 #>>43617025 #>>43617119 #>>43621868 #
AstralStorm No.43616418
Good step.

It doesn't distrust the developers of the software, though, so it does not fix the biggest hole. Multiparty reproduction does not fix it either; that only distrusts the build system.

The bigger the project, the higher the chance something slips through, even if only an exploitable bug. Maybe it's the developer themselves being compromised, or their maintainer.

Reviews are done on what? You have someone reviewing clang code? Binutils?

replies(3): >>43616685 #>>43616980 #>>43618024 #
1. TacticalCoder No.43616685
> Reviews are done on what, you have someone reviewing clang code? Binutils?

There aren't random developers pushing commits to these codebases: these are used by virtually every Linux distro out there (OK, maybe not the Kubernetes one that ships only 12 binaries, forgot its name).

It seems obvious to me that GP is talking about protection against rogue distro maintainers, not fundamental packages being backdoored.

You're basically saying: "GP's work is pointless because Linus could insert a backdoor in the Linux kernel".

In addition to that, determinism and 100% reproducibility bring another gigantic benefit: should a backdoor ever be found in clang or one of the binutils tools, it's going to be 100% reproducible. And that is a big thing: being able to reproduce a backdoor is a godsend for security.

replies(1): >>43617954 #
2. lrvick No.43617954
> OK, maybe not the Kubernetes one that ships only 12 binaries, forgot its name

You are likely thinking of Talos Linux, which incidentally also builds itself with stagex.