Building a Secure Software Supply Chain with GNU Guix

Ludovic Courtès

The Art, Science, and Engineering of Programming, 2023, Vol. 7, Issue 1, Article 1


Submission date: 2022-04-28

Publication date: 2022-06-15


Full text: PDF



The software supply chain is becoming a widespread analogy for the series of steps taken to go from source code published by developers to executables running on users' computers. A security vulnerability in any of these steps puts users at risk, and evidence shows that attacks on the supply chain are becoming more common. The consequences of an attack on the software supply chain can be tragic in a society that relies on many interconnected software systems, and this has led both research interest and governmental incentives for supply chain security to rise.

GNU Guix is a software deployment tool and software distribution that supports provenance tracking, reproducible builds, and reproducible software environments. Unlike many software distributions, it consists exclusively of source code: it provides a set of package definitions that describe how to build code from source. Together, these properties set it apart from the many deployment tools that center on the distribution of binaries.

This paper focuses on one research question: how can Guix and similar systems allow users to securely update their software? Guix source code is distributed using the Git version control system; updating Guix-installed software packages means, first, updating the local copy of the Guix source code. Prior work on secure software updates focuses on systems very different from Guix (Debian, Fedora, or PyPI, where updating consists in fetching metadata about the latest available binary artifacts) and is largely inapplicable in the context of Guix. By contrast, the main threats to Guix are attacks on its source code repository, which could lead users to run inauthentic code or to downgrade their system. Deployment tools that more closely resemble Guix, from Nix to Portage, either lack secure update mechanisms or suffer from shortcomings.

Our main contribution is a model and tool to authenticate new Git revisions. We further show how, building on Git semantics, we build protections against downgrade attacks and related threats. We explain implementation choices. This work was deployed in production two years ago, giving us insight into its actual use at scale every day. The Git checkout authentication at its core is applicable beyond the specific use case of Guix, and we believe it could benefit developer teams that use Git.
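To make the two mechanisms named above concrete, here is a toy model of Git checkout authentication and downgrade protection. It is an added example, not code from the paper or from Guix itself. It follows the rule Guix applies (a commit is authentic only if it is signed by a key that every one of its parent commits authorized, starting from a trusted introductory commit) and the `guix pull` refusal to move to a commit that does not descend from the one currently deployed. Everything else is an assumption of this example: the commit DAG is constructed inline, a commit's `signer` field stands in for an OpenPGP signature that is assumed to have been verified elsewhere, the `authorized` set stands in for the parent commit's `.guix-authorizations` file, and unrelated histories merged in are simply rejected rather than handled the way the real tool does.

```python
"""Toy model of Guix-style Git checkout authentication (added example).

Two rules are modelled:
  1. authentication: every commit between the trusted introduction and the
     target must be signed by a key listed as authorized by each of its parents;
  2. downgrade protection: a new checkout must descend from the last accepted one.
Signatures are not verified here; `signer` is assumed to be the already-verified
key id of the signing key.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Commit:
    id: str
    parents: tuple        # ids of parent commits (empty for a root)
    signer: str           # key id that signed this commit (assumed verified)
    authorized: frozenset  # keys this commit authorizes for its children


class Repo:
    def __init__(self, commits):
        self.commits = {c.id: c for c in commits}

    def is_ancestor(self, anc, desc):
        """True if `anc` is reachable from `desc` via parent links (or equal)."""
        stack, seen = [desc], set()
        while stack:
            cid = stack.pop()
            if cid == anc:
                return True
            if cid in seen:
                continue
            seen.add(cid)
            stack.extend(self.commits[cid].parents)
        return False

    def authenticate(self, introduction, intro_key, target):
        """Return the ids of commits verified between `introduction` (excluded)
        and `target` (included), parents first; raise ValueError on the first
        commit that fails the rule."""
        if self.commits[introduction].signer != intro_key:
            raise ValueError(f"introduction {introduction} not signed by {intro_key}")
        order, seen = [], set()

        def visit(cid):  # post-order walk back to the introduction
            if cid in seen:
                return
            seen.add(cid)
            if cid == introduction:
                order.append(cid)
                return
            c = self.commits[cid]
            if not c.parents:  # a root that is not the introduction: foreign history
                raise ValueError(f"{cid} is not a descendant of the introduction")
            for p in c.parents:
                visit(p)
            order.append(cid)

        visit(target)
        for cid in order:
            if cid == introduction:
                continue
            c = self.commits[cid]
            for p in c.parents:
                # It is the *parent's* authorization list that counts, so a commit
                # that adds its own key to the list does not authorize itself.
                if c.signer not in self.commits[p].authorized:
                    raise ValueError(f"{cid} signed by {c.signer!r}, not authorized by parent {p}")
        return [cid for cid in order if cid != introduction]

    def pull(self, state, target, intro_key):
        """Simulate `guix pull`: state is (introduction, last accepted commit).
        Returns (True, new_state) or (False, reason)."""
        introduction, last = state
        if not self.is_ancestor(last, target):
            return False, f"refusing downgrade: {target} does not descend from {last}"
        try:
            self.authenticate(introduction, intro_key, target)
        except ValueError as e:
            return False, str(e)
        return True, (introduction, target)


# Constructed sample history (not a real repository):
KEYS_AB = frozenset({"alice", "bob"})
KEYS_ABC = frozenset({"alice", "bob", "carol"})
REPO = Repo([
    Commit("c0", (), "alice", KEYS_AB),              # trusted introduction
    Commit("c1", ("c0",), "bob", KEYS_AB),
    Commit("c2", ("c1",), "bob", KEYS_ABC),          # bob authorizes carol
    Commit("c3", ("c2",), "carol", KEYS_ABC),        # fine: c2 authorized carol
    Commit("c3bad", ("c1",), "carol", KEYS_ABC),     # rejected: c1 never authorized carol
    Commit("c4", ("c3",), "mallory", frozenset({"mallory"})),  # rejected despite self-listing
    Commit("x0", (), "bob", KEYS_AB),                # root of an unrelated history
    Commit("m", ("c3", "x0"), "bob", KEYS_ABC),      # rejected: merges foreign history
])
```

Running `REPO.pull(("c0", "c1"), "c3", "alice")` accepts the update and returns the new state, while pulling `c4`, `c3bad` or `m` is refused with the reason, and pulling `c2` after `c3` has already been accepted is refused as a downgrade even though `c2` is itself authentic.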

As attacks on the software supply chain appear, security research is now looking at every link of the supply chain. Secure updates are one important aspect of the supply chain, but this paper also looks at the broader context: how Guix models and implements the supply chain, from upstream source code to binaries running on computers. While much recent work focuses on attestation (certifying each link of the supply chain), Guix takes a more radical approach: enabling independent verification of each step, building on reproducible builds, "bootstrappable" builds, and provenance tracking. The big picture shows how Guix can be used as the foundation of secure software supply chains.
