Developers vPub 0xD

Making bootstrappable and reproducible builds easier
12-12, 22:00–22:10 (UTC), Dasharo vPub

A container-native, full-source bootstrapped, reproducible, and multi-signed toolchain to build all the things https://stagex.tools

In our quest to build zero-trust software supply chains at several organizations, we have found it to be a hard problem. Every existing solution we evaluated was ultimately insufficient for our threat model and use cases. We finally broke down and created a very minimal Linux distribution purpose-built for supply chain integrity: Stagex.

Goals:
- Provable reproduction with no asterisks for every artifact
- Drop-in replace most containerized software pipelines
- Build years from now on different hardware with the same results
- Trust no one in our internal software supply chain
- Build using only tools available on most developer workstations

Expect a quick explanation, a look at where we are now, some examples, projects using Stagex in the wild today, and where we plan to go next. We are looking for feedback to ensure we can deliver on making reproducible/bootstrappable builds easier for virtually any software project, and for comparisons to alternatives.

Security Engineer with over 20 years of experience in waiting on operating systems to compile. Former magician, PC repair tech, street entertainer, trucker, day laborer, telemarketer, web developer, tractor salesman, and burger flipper.

Best known for not owning a smartphone, compromising Japanese hotel robots, finding weak entropy flaws across widely used software, software supply chain security publicity stunts, social activism, and implanting random tech in his body.

Actual specialties include Linux infrastructure security, software supply chain security, cryptographic key management, hardware security modules, secure enclaves, remote attestation, vulnerability assessment & mitigation, PII protection, and web application hardening.

Founder of #!, a decentralized hackerspace, and Distrust, a FOSS-focused high-risk security engineering firm. Previously led sysadmin and security engineering efforts at Accesso, Pebble, BitGo, and Turnkey.

Talk to him about decentralization, social issues, mechanical puzzles, plants, weird animals, lockpicking, home manufacturing, homesteading, or anything even remotely related to security and threat modeling.

Relevant: https://distrust.co https://hashbang.sh https://lance.dev https://stagex.tools