←back to thread

Fifty Years of Open Source Software Supply Chain Security

(queue.acm.org)
182 points yarapavan | 1 comments | 07 Apr 25 18:04 UTC | HN request time: 0s | source
Show context
lrvick ◴[07 Apr 25 19:35 UTC] No.43615037[source]
Great coverage, however it failed to mention code review and artifact signing as well as full source bootstrapping which are fundamental defenses most distros skip.

In our distro, Stagex, our threat model assumes at least one maintainer, sysadmin, or computer is compromised at all times.

This has resulted in some specific design choices and practices:

- 100% deterministic, hermetic, reproducible

- full source bootstrapped from 180 bytes of human-auditable machine code

- all commits signed by authors

- all reviews signed by reviewers

- all released artifacts are multi-party reproduced and signed

- fully OCI (container) native all the way down "FROM scratch"

- All packages easily hash-locked to give downstream software easy determinism as well

This all goes well beyond the tactics used in Nix and Guix.

As far as we know, Stagex is the only distro designed to strictly distrust maintainers.

https://stagex.tools

replies(4): >>43616418 #>>43617025 #>>43617119 #>>43621868 #
floxy ◴[07 Apr 25 23:54 UTC] No.43617119[source]
>full source bootstrapped from 180 bytes of human-auditable machine code

What does this mean? You have a C-like compiler in 180 bytes of assembler that can compile a C compiler that can then compile GCC?

replies(2): >>43617264 #>>43617320 #
mananaysiempre ◴[08 Apr 25 00:29 UTC] No.43617264[source]
That’s normally what this means, yes, with a few more intermediate steps. There’s only one bootstrap chain like this that I know of[1,2,3], maintained by Jeremiah Orians and the Guix project; judging from the reference to 180 bytes, that’s what the distro GP describes is using as well.

> This is a set of manually created hex programs in a Cthulhu Path to madness fashion. Which only have the goal of creating a bootstrapping path to a C compiler capable of compiling GCC, with only the explicit requirement of a single 1 KByte binary or less.

[1] https://guix.gnu.org/en/blog/2023/the-full-source-bootstrap-...

[2] https://savannah.nongnu.org/projects/stage0/

[3] https://github.com/oriansj/bootstrap-seeds

replies(1): >>43617391 #
floxy ◴[08 Apr 25 00:56 UTC] No.43617391[source]
That's pretty awesome
replies(1): >>43618005 #
lrvick ◴[08 Apr 25 03:02 UTC] No.43618005[source]
Yep, Guix and stagex are the only two distros that full source bootstrap to my knowleldge.

We use an abbreviated and explicit stage0 chain here for easy auditing: https://codeberg.org/stagex/stagex/src/branch/main/packages/...

replies(1): >>43618028 #
1. pabs3 ◴[08 Apr 25 03:08 UTC] No.43618028[source]
IIRC the FreeDesktop flatpak runtimes are also built from the Bootstrappable Builds folks full source bootstrap.