[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
12/66: ccs-2021: Add abstract and tweak intro.
From: |
Ludovic Courtès |
Subject: |
12/66: ccs-2021: Add abstract and tweak intro. |
Date: |
Wed, 29 Jun 2022 11:31:58 -0400 (EDT) |
civodul pushed a commit to branch master
in repository maintenance.
commit 247e1ed4c14ce86e0f61001d95197562016142be
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Mon May 3 15:10:22 2021 +0200
ccs-2021: Add abstract and tweak intro.
---
doc/ccs-2021/security.sbib | 10 ++++++++++
doc/ccs-2021/supply-chain.skb | 37 +++++++++++++++++++++++++++++++++----
2 files changed, 43 insertions(+), 4 deletions(-)
diff --git a/doc/ccs-2021/security.sbib b/doc/ccs-2021/security.sbib
index 4f432a1..3b9f57b 100644
--- a/doc/ccs-2021/security.sbib
+++ b/doc/ccs-2021/security.sbib
@@ -63,6 +63,16 @@
(publisher "USENIX Association")
(month "Aug"))
+(article hinsen2020:staged-computation
+ (author "Konrad Hinsen")
+ (journal "Computing in Science Engineering")
+ (title "Staged Computation: The Technique You Did Not Know You Were Using")
+ (year "2020")
+ (volume "22")
+ (number "4")
+ (pages "99--103")
+ (url "https://dx.doi.org/10.1109/MCSE.2020.2985508"))
+
(misc janneke:mes-web
(title "GNU Mes web site")
(author "Jan Nieuwenhuizen")
diff --git a/doc/ccs-2021/supply-chain.skb b/doc/ccs-2021/supply-chain.skb
index 7e7174b..4625c3a 100644
--- a/doc/ccs-2021/supply-chain.skb
+++ b/doc/ccs-2021/supply-chain.skb
@@ -165,19 +165,37 @@
(bibliography "security.sbib")
-(document :title [Secure Software Supply Chain with GNU Guix]
+(document :title [Building a Secure Software Supply Chain with GNU Guix]
;; :author (list (author :name "Ludovic Courtès"
;; :affiliation "Inria"
;; :address (list "Bordeaux, France")))
(acmart-abstract
- (p [GNU Guix blah blah FIXME.]))
+ (p [The ,(emph [software supply chain]) is becoming a widespread
+analogy to designate the series of steps taken to go from source code
+published by developers to executables running on the users’ computers.
+A security vulnerability in any of these steps puts users at risk, and
+evidence shows that attacks on the supply chain are becoming more
+common.])
+ (p [GNU Guix is a software deployment tool that supports provenance
+tracking, reproducible builds, and reproducible software environments.
+Guix is first and foremost source code: it provides a set of package
+definitions that describe how to build code from source. Together,
+these properties set it apart from many deployment tools that center on
+the distribution of binaries.])
+ (p [This paper focuses on the security of updates with Guix. Guix
+source code is distributed using the Git version control system. Our
+main contribution is a model and tool to authenticate new Git revisions.
+We further show how, building on Git semantics, we build protections
+against downgrade attacks and related threats. We explain
+implementation choices and report on our experience since the mechanism
+entered production use.]))
;; See <http://dl.acm.org/ccs/ccs_flat.cfm>.
(!latex "\\input{categories.tex}\n")
- (acm-keywords [Software deployment, Git, ])
+ (acm-keywords [Software deployment, Security, Git])
(!latex "\\maketitle\n")
@@ -196,7 +214,7 @@ and every upgrade can put users at risk.])
(p [GNU Guix is a set of software deployment tools and a
standalone GNU/Linux distribution; it includes a package manager similar
in spirit to Debian’s apt or Fedora’s yum. Unlike those, Guix builds
-upon the ,(emph [functional deployment model]) pioneered by Nix,(ref
+upon the ,(emph [functional deployment model]) pioneered by Nix ,(ref
:bib "dolstra2004:nix"), a foundation for reproducible deployment,
reproducible builds, and provenance tracking. Guix is essentially a
“source-based” deployment tools: the ,(emph [model]) is that of a system
@@ -243,6 +261,17 @@ different hash. Thus, each store file name uniquely
identifies build
results. This model is the foundation of ,(emph [end-to-end provenance
tracking]): Guix records and uniquely identifies the inputs leading to
build results available in ,(tt [/gnu/store]).])
+ (p [Providing more than 17,000 software packages today, Guix is
+used as a general purpose day-to-day GNU/Linux distribution that
+provides the additional safety net of ,(emph [transactional upgrades and
+rollbacks]): because build results are kept in the store by default, any
+new deployment, of individual packages or whole systems, can be rolled
+back ,(ref :bib '(dolstra2004:nix courtes2013:functional)). Its ability
+to reproduce software environments, bit for bit, at different points in
+time and on different machines, make it a tool of choice in support of
+reproducible computational experiments and software engineering ,(ref
+:bib 'hinsen2020:staged-computation).])
+
(p [Guix, like Nix and unlike Debian or Fedora, is essentially a
,(emph [source-based distribution]): Guix package definitions describe
how to build packages from source. When running a command such as ,(tt
- branch master updated (8bf076b -> 3a4e080), Ludovic Courtès, 2022/06/29
- 01/66: doc: First stab at a "Secure Supply Chain" paper., Ludovic Courtès, 2022/06/29
- 02/66: ccs-2021: Write "Implementation" section., Ludovic Courtès, 2022/06/29
- 05/66: ccs-2021: Move "Notes on SHA-1" under "Implementation"., Ludovic Courtès, 2022/06/29
- 06/66: ccs-2021: Turn on review mode for good., Ludovic Courtès, 2022/06/29
- 03/66: ccs-2021: Tweak main sections., Ludovic Courtès, 2022/06/29
- 12/66: ccs-2021: Add abstract and tweak intro.,
Ludovic Courtès <=
- 07/66: ccs-2021: Discuss in-toto in "Related Work"., Ludovic Courtès, 2022/06/29
- 11/66: ccs-2021: Complete introductions., Ludovic Courtès, 2022/06/29
- 25/66: icse-2022: Final (?) tweaks., Ludovic Courtès, 2022/06/29
- 04/66: ccs-2021: Tweak "related work", add proper references., Ludovic Courtès, 2022/06/29
- 09/66: ccs-2021: Write conclusion., Ludovic Courtès, 2022/06/29
- 21/66: icse-2022: Link to "Git Cryptography Protocol"., Ludovic Courtès, 2022/06/29
- 29/66: programming-2022: Adjust to <Programming> style., Ludovic Courtès, 2022/06/29
- 31/66: programming-2022: Expand "Related Work"., Ludovic Courtès, 2022/06/29
- 32/66: programming-2022: Use a monospace font for code snippets., Ludovic Courtès, 2022/06/29
- 08/66: ccs-2021: Capitalize section titles., Ludovic Courtès, 2022/06/29