Towards a Secure Peer-to-Peer App Platform for Clan

Maybe I'm in the same boat as people who didn't get docket before it was popular, but this seems really convoluted to me... is there really a market for this? Why do other existing things not solve this problem?

Yea im sorry. Im not buying this. I dont need protection from apps on my system. I know you think we need it, but I dont believe we need it. creating security systems like this only complicates the operation of apps.

Just a couple examples off the top of my head I have bumped into: Packages that cannot be full source bootstrapped like Haskell are allowed, so total trust is placed in a third party compiler binaries. Also in cases like qemu where binary blob firmware is in the repo, it is kept as is and not rebuilt from source. Determinism is also not mandated so there is no way to know if any of the non deterministic packages were faithfully built from source. There are no hard enforced rules in cases like these, only cultural guidelines that are followed optionally.

Sublime Text for example[0], the source is closed, so what else is there to do

[0]: https://github.com/NixOS/nixpkgs/blob/76701a179d3a98b07653e2... (does a fetch URL against the pre built .tar.gz from https://download.sublimetext.com)

> The convention is now not to do that. I believe a maintainer recently had their commit bit revoked due to doing this. I don't know why it isn't enforced, but it should be.

Unless you actually know who is committing code and who is reviewing it with 100% mandated commit and review signing, with well vetted maintainer keys, anyone can trivially make a PR under a pseudonym, then merge their own code from their maintainer identity. In effect there is no way to know or enforce who is merging their own code without the hard work of long lived maintainer identity key management that most distros other than Nix and Alpine choose to skip. I am the one that submitted an RFC to Nix to fix this, that was ultimately rejected. In that moment Nix had chosen to favor low friction hobby contributions over security, and this Nix was never going to be useful for the high risk applications.

What offends me about Nix is that it skips all this hard work, and has teams of consultants that do not bill it as the hobby/workstation distro that is is, and instead are charging high risk clients money to recommend they trust nix anyway, never disclosing use of nix opens them up for any of thousands of people to have the power to backdoor their servers with low chance of swift detection.

I actually believe this trend of overpromising security in Nix is going to get people hurt.

> The risks you list are shared by many distributions, meanwhile NixOS does better in some fronts

I totally grant it is better at some of these risks, however it is also worse than classic distros on other fronts, lacking maintainer signatures and web of trust requirements of most OG distros like Debian.

To be clear, I would also not recommend Debian or any distro that places trust in single individuals for production use in the high risk applications.

Stagex (which I founded, so all bias on the table) was created because no existing distro before it was willing to hit a responsible supply chain security bar in my opinion I was comfortable recommending for high risk applications.

It is a container native, 100% full source bootstrapped, and deterministic, with every commit signed by one maintainer, and every review/merge signed by a different maintainer, and every artifact built and signed with matching hashes by at least two maintainers. As of our next release we will be LLVM native. Also it relis on the OCI standard and you can use any OCI compatible toolchains to build any package (though our scripts support docker for now).

https://codeberg.org/stagex/stagex/src/branch/staging#compar... can offer a high level comparison across distros in some of the areas we feel matter most.

Stagex was built to satisfy a threat model of trusting no single maintainer or machine, for high security use cases.

We also indeed reject any packages that are currently not possible to build this way because it is not possible to publish package artifacts under the stagex release process that cannot be full source bootstrapped and built deterministically by multiple maintainers on hardware they independently control. This means we reject packages we cannot safely distribute like Haskell and Ada, but while giving best available supply chain security for most popular languages we do support.

Haskell and Ada do not currently have any way to be built without centralized trust unfortunately but efforts are underway in both cases we will adopt when complete. Any exceptions are a place malware can hide, so no exceptions are permitted.

What is the catch? We were willing to ignore desktop use cases, at least for now, in order to hit a high security bar for software build use cases. As such we have dramatically fewer packages which allow us to hold this line. We are primarily a high supply chain security focused build distribution, though we are used to build a number of other specialized distros like Talos Linux, and AirgapOS. The latter runs on laptops but very minimal for use cases like cryptographic key management.

We will also probably never have the number of packages of Nix, but for the overwhelming majority of organizations a trusted toolchain to build their production services is sufficient to eliminate all forms of linux-distribution-level supply chain attacks by any single compromised maintainer or machine.

there is at least one community-managed flake to connect a NixOS machine to an OpenZiti overlay network, but i don't think there is an official NixOS module yet:

github.com/rochecompaan/openziti-nix

if your focus is trying it rather than distributing consistent versions to many folks, you can also use the ziti-edge-tunnel binary, define a systemd service and add identities (a given app or device can belong to (n) OpenZiti overlays via (n) different identities).

So like a docker registry? Not very commonly used for consumer software, granted, but I don't see any technical reasons why it couldn't be!