civodul pushed a commit to branch master
in repository maintenance.
commit bc104ed96d64fbe535b424c4f92586dbd937df23
Author: Ludovic Courtès <[email protected]>
AuthorDate: Tue Jan 25 10:04:08 2022 +0100
programming-2022: Mention prior work upfront in the intro.
* doc/programming-2022/supply-chain.skb (Introduction): Include
paragraph from the abstract stating why prior work is insufficient.
---
doc/programming-2022/supply-chain.skb | 33 ++++++++++++++++++++++++++++-----
1 file changed, 28 insertions(+), 5 deletions(-)
diff --git a/doc/programming-2022/supply-chain.skb
b/doc/programming-2022/supply-chain.skb
index a0ce74f..6dac3cb 100644
--- a/doc/programming-2022/supply-chain.skb
+++ b/doc/programming-2022/supply-chain.skb
@@ -189,7 +189,7 @@ updating Guix-installed software packages means, first,
updating the
local copy of the Guix source code. Prior work on secure software
updates focuses on systems very different from Guix—systems such as
Debian, Fedora, or PyPI where updating consists in fetching metadata
-about the latest binary artifacts available—and largely inapplicable in
+about the latest binary artifacts available—and is largely inapplicable in
the context of Guix. Deployment tools that more closely resemble Guix,
from Nix to Portage, either lack secure update mechanisms or suffer from
shortcomings.])
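Review bot: the inserted "is" is needed, since the subject "Prior work on secure software updates" governs both "focuses on" and "is largely inapplicable"; but the em-dash parenthetical between the two verbs runs over two lines, so a reader can lose the subject by the time "and is" arrives. Consider splitting the sentence instead: "... fetching metadata about the latest binary artifacts available. That work is largely inapplicable in the context of Guix." The same sentence is copied into the Introduction in the next hunk, so whichever form is chosen should be applied to both copies.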
@@ -246,16 +246,39 @@ allowing users to search for software packages, to
install them, and to
upgrade them. Unlike apt, yum, and many popular package managers, Guix
builds upon the ,(emph [functional deployment model]) pioneered by Nix
,(ref :bib "dolstra2004:nix"), a foundation for reproducible deployment,
-reproducible builds, and provenance tracking. Guix is essentially a
+reproducible and verifiable builds, and provenance tracking. Guix is
essentially a
“source-based” deployment tool: the ,(emph [model]) is that of a system
where every piece of software is built from source, and pre-built
binaries are viewed as a mere optimization and not as a central aspect
of its design.])
- (p [This paper describes the design and implementation of Guix’s
+ (p [This paper focuses on one research question: how can Guix and
+similar systems allow users to securely update their software? Guix
+source code is distributed using the Git version control system;
+updating Guix-installed software packages means, first, updating the
+local copy of the Guix source code. Prior work on secure software
+updates ,(ref :bib '(samuel2010:survivable kuppusamy2017:mercury))
+focuses on systems very different from Guix—systems such as
+Debian, Fedora, or PyPI where updating consists in fetching metadata
+about the latest binary artifacts available—and is largely
+inapplicable in the context of Guix. Deployment tools that more closely
+resemble Guix, from Nix to Portage and BSD Ports ,(ref :bib
+'(dolstra2004:nix brew2022:github condaforge2022:web
+freebsd2022:handbook pkgsrc2022:guide gentoo2022:portage-security)),
+either lack secure update mechanisms or suffer from shortcomings.])
+
+;; (p [More generally, contrary to recent work on supply chain
+;; security that revolves around ,(emph [attestation]) of the various
+;; supply chain links ,(ref :bib '(torresarias2019:intoto google2021:slsa
+;; sigstore2021:web)), Guix takes a radical approach to support ,(emph
+;; [independent verification]).])
+
+ (p [We describe the design and implementation of Guix’s
secure update mechanism. ,(numref :text [Section] :ident "background")
gives background information necessary to understand the overall
-deployment model of Guix. ,(numref :text [Section] :ident "rationale")
+deployment model of Guix, showing how it supports ,(emph [independent
+verification]) of key links of the software supply chain.
+,(numref :text [Section] :ident "rationale")
presents our goals and threat model for the design of secure updates.
,(numref :text [Section] :ident "authenticating") describes our design
of a Git checkout authentication mechanism and ,(numref :text [Section]
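Review bot: the citation list after "from Nix to Portage and BSD Ports" includes brew2022:github and condaforge2022:web, yet the sentence names neither Homebrew nor conda-forge, so a reader following the references finds tools the text never mentions; either extend the enumeration (for instance "from Nix and Homebrew to Portage and BSD Ports") or drop those two keys here. Three smaller points. First, the new Introduction paragraph repeats the abstract ("Prior work on secure software updates ... suffer from shortcomings") nearly verbatim; the commit message says this is deliberate, but readers of the full paper will meet the same three sentences twice in quick succession, so a shorter restatement in the Introduction would read better. Second, the paragraph commented out with ";;" is dead text in the .skb source: the "independent verification" phrase it carried has already moved into the roadmap sentence for the Background section, so either delete the comment or keep its remaining content where it is actually used. Third, ":bib" is now given a quoted list of symbols, '(samuel2010:survivable kuppusamy2017:mercury), while the existing reference a few lines above passes a string, "dolstra2004:nix"; confirm that the rendered bibliography resolves both forms and settle on one convention.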
@@ -270,7 +293,7 @@ and report on our experience. Last, ,(numref :text
[Section]
(chapter :title [Background] :ident "background"
- (p [Users of free operating systems such as GNU/Linux are used to
+ (p [Users of free operating systems such as GNU/Linux are familiar with
,(emph [package managers]) like Debian's ,(tt [apt]), which allow them
to install, upgrade, and remove software from a large collection of free
software packages. GNU Guix,(footnote (url "https://guix.gnu.org")) is