We often use pre-built software binaries and trust that they correspond to the program we want. But nothing assures that these binaries were really built from the program's sources and reasonable built instructions. Common, costly supply chain attacks exploit this to distribute malicious software. Trustix, a tool developed by Tweag's Adam Höse, establishes trust in binaries in a different, decentralized manner increasing security and opening up exciting new models for distributed software supply chains and reproducibility checking.
In a nutshell, Trustix verifies the build process that maps build inputs (source code, build instructions, build dependencies) into build outputs (e.g. software binaries) via consensus-based comparison of build logs from several providers. This comparison is only meaningful in ecosystems with a sizeable amount of reproducible packages such as Nix or Guix that recently gain a lot of traction. A byproduct of Trustix is, that reproducibility of software can be tracked on the large scale, across a wide range of hardware and systems.
In this episode, Rok and Adam shine light on the inception, internals and various use cases of Trustix. Check it out and don't forget to look at the support material linked on the Episode's website on compositional.fm.
- NixOps PR — As promised, here is the link to the NixOps PR that was discussed.
- Trustix Introduction — Blog post on Tweag that gives an overview of Trustix.
- The NLNet project page — Trustix is funded by the NLNet foundation via the European Comission's Next Generation Internet program.
- Merkle Tree — As promised, the Wikipedia article about Merkle trees.
- SpectrumOS — Discussions about the particular security model of this operating system initiated the Trustix idea.