182 points yarapavan | 2 comments
lrvick No.43615037
Great coverage; however, it failed to mention code review and artifact signing, as well as full source bootstrapping, which are fundamental defenses most distros skip.

In our distro, Stagex, our threat model assumes at least one maintainer, sysadmin, or computer is compromised at all times.

This has resulted in some specific design choices and practices:

- 100% deterministic, hermetic, reproducible

- full source bootstrapped from 180 bytes of human-auditable machine code

- all commits signed by authors

- all reviews signed by reviewers

- all released artifacts are multi-party reproduced and signed

- fully OCI (container) native all the way down "FROM scratch"

- all packages easily hash-locked to give downstream software easy determinism as well

This all goes well beyond the tactics used in Nix and Guix.

As far as we know, Stagex is the only distro designed to strictly distrust maintainers.

https://stagex.tools

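Digest pinning is the mechanism behind the "hash-locked" point above: a downstream build records an image by content digest rather than by tag and refuses anything whose bytes do not hash to that digest. The following is an added illustration, not Stagex's own code; the image name `stagex/example` and the manifest contents are constructed for the example.

```python
import hashlib
import hmac
import json
import re

# Accepts only "<name>@sha256:<64 hex>"; a tag such as ":latest" is mutable and is rejected.
_PINNED_REF = re.compile(r"^(?P<name>[a-z0-9][a-z0-9._/-]*)@sha256:(?P<hex>[0-9a-f]{64})$")


def parse_pinned_ref(ref: str) -> tuple[str, str]:
    """Return (name, hex digest) for a digest-pinned OCI reference, else raise."""
    m = _PINNED_REF.match(ref)
    if m is None:
        raise ValueError(f"not a digest-pinned reference: {ref!r}")
    return m.group("name"), m.group("hex")


def manifest_digest(manifest_bytes: bytes) -> str:
    """OCI content digest: sha256 over the exact bytes served, never a re-serialisation."""
    return hashlib.sha256(manifest_bytes).hexdigest()


def build_pinned_ref(name: str, manifest_bytes: bytes) -> str:
    """What a downstream lock file records once the manifest has been reviewed."""
    return f"{name}@sha256:{manifest_digest(manifest_bytes)}"


def verify_pinned(ref: str, manifest_bytes: bytes) -> bool:
    """True iff the manifest bytes hash to the digest carried in the reference."""
    _, expected = parse_pinned_ref(ref)
    return hmac.compare_digest(manifest_digest(manifest_bytes), expected)


# Constructed sample manifest (not a real Stagex artifact); the layer digest is a placeholder.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "layers": [{"digest": "sha256:" + "0" * 64, "size": 1024}],
}, separators=(",", ":")).encode()

# Same manifest with one layer swapped: a single byte of difference breaks the pin.
TAMPERED_MANIFEST = SAMPLE_MANIFEST.replace(b"0" * 64, b"1" * 64)

# Hypothetical image name; only the "@sha256:" form is trusted downstream.
PINNED_REF = build_pinned_ref("stagex/example", SAMPLE_MANIFEST)

if __name__ == "__main__":
    print(PINNED_REF)
    print("pinned manifest verifies:", verify_pinned(PINNED_REF, SAMPLE_MANIFEST))
    print("tampered manifest verifies:", verify_pinned(PINNED_REF, TAMPERED_MANIFEST))
```

The check must run over the raw manifest bytes as fetched; parsing and re-serialising first would silently change the digest.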
floxy No.43617119
> full source bootstrapped from 180 bytes of human-auditable machine code

What does this mean? You have a C-like compiler in 180 bytes of assembler that can compile a C compiler that can then compile GCC?

skulk No.43617320
As per their landing page, yes.

> stage0: < 190 byte x86 assembly seed is reproduced on multiple distros

> stage1: seed builds up to a tiny c compiler, and ultimately x86 gcc

> stage2: x86 gcc bootstraps target architecture cross toolchains

Very impressive; I want to try this out now.

pabs3 No.43618029
The LWN article is a good place to start:

https://lwn.net/Articles/985739/