33/66: programming-2022: Augment abstract.

[Ludovic Courtès]

civodul pushed a commit to branch master
in repository maintenance.

commit e87665c67796a81bc2be2c5fc8957390137dbe07
Author: Ludovic Courtès <ludo@gnu.org>
AuthorDate: Fri Jan 21 11:49:29 2022 +0100

    programming-2022: Augment abstract.
    
    * doc/programming-2022/supply-chain.skb (acmart-abstract): Augment.
---
 doc/programming-2022/supply-chain.skb | 54 +++++++++++++++++++++++++++++------
 1 file changed, 45 insertions(+), 9 deletions(-)

diff --git a/doc/programming-2022/supply-chain.skb 
b/doc/programming-2022/supply-chain.skb
index 0b317ea..4837937 100644
--- a/doc/programming-2022/supply-chain.skb
+++ b/doc/programming-2022/supply-chain.skb
@@ -157,26 +157,62 @@ area={Security programming}, license=cc-by-sa}\n")
    (acm-keywords [software deployment, security, version control, Git])
 
    (acmart-abstract
-   
+
+      ;; See <https://programming-journal.org/submission/>.
+      ;;
+      ;; Context: supply chain, vulns, executive order, Guix.
+      ;; Inquiry: how can we secure updates? others did nothing
+      ;; Approach: designed secure update
+      ;; Knowledge: provided secure updates
+      ;; Grounding: implemented, deployed
+      ;; Importance: show full deployment solution addressing issues
+
      (p [The ,(emph [software supply chain]) is becoming a widespread
 analogy to designate the series of steps taken to go from source code
 published by developers to executables running on the users’ computers.
 A security vulnerability in any of these steps puts users at risk, and
 evidence shows that attacks on the supply chain are becoming more
-common.])
+common.  The consequences of an attack on the software supply chain can
+be tragic in a society that relies on many interconnected software
+systems, and this has led research interest as well as governmental
+incentives for supply chain security to rise.])
      (p [GNU Guix is a software deployment tool that supports provenance
 tracking, reproducible builds, and reproducible software environments.
 Guix is first and foremost source code: it provides a set of package
 definitions that describe how to build code from source.  Together,
 these properties set it apart from many deployment tools that center on
 the distribution of binaries.])
-     (p [This paper focuses on the security of updates with Guix.  Guix
-source code is distributed using the Git version control system.  Our
-main contribution is a model and tool to authenticate new Git revisions.
-We further show how, building on Git semantics, we build protections
-against downgrade attacks and related threats.  We explain
-implementation choices and report on our experience since the mechanism
-entered production use.]))
+     (p [This paper focuses on one research question: how can Guix and
+similar systems allow users to securely update their software?  Guix
+source code is distributed using the Git version control system;
+updating Guix-installed software packages means, first, updating the
+local copy of the Guix source code.  Prior work on secure software
+updates focuses on systems very different from Guix—systems such as
+Debian, Fedora, or PyPI where updating consists in fetching metadata
+about the latest binary artifacts available—and largely inapplicable in
+the context of Guix.  Deployment tools that more closely resemble Guix,
+from Nix to Portage, either lack secure update mechanisms or suffer from
+shortcomings.])
+     (p [Our main contribution is a model and tool to authenticate new
+Git revisions.  We further show how, building on Git semantics, we build
+protections against downgrade attacks and related threats.  We explain
+implementation choices.  This work has been deployed in production two
+years ago, giving us insight on its actual use at scale every day.  The
+Git checkout authentication at its core is applicable beyond the
+specific use case of Guix, and we think it could benefit to developer
+teams that use Git.])
+     (p [As attacks on the software supply chain appear, security
+research is now looking at every link of the supply chain.  Secure
+updates are one important aspect of the supply chain, but this paper
+also looks at the broader context: how Guix models and implements the
+supply chain, from upstream source code to binaries running on
+computers.  While much recent work focuses on attestation—certifying
+each link of the supply chain—Guix takes a more radical approach:
+enabling independent ,(emph [verification]) of each step, building on
+reproducible builds, “bootstrappable” builds, and provenance tracking.
+The big picture shows how Guix can be used as the foundation of secure
+software supply chains.]))
+
    
    (chapter :title [Introduction]