Description

We have many centralized critical places where a breach would compromise an installation. Simple examples are replaced binaries on the OBS server, disabled updating of repositories on a mirror, or blocked notifications about known security issues.

The classic mechanisms of keeping package sources in git and signing build results do not protect us in these scenarios.

We need to make our development and production cycle transparent and reach a real zero-trust implementation where no single person can modify build artifacts unnoticed or suppress information.

Bit-wise reproducible build artifacts play a key role here, but it is also critical to ensure that a detected difference reaches the end user. The same applies to reported security incidents.

This becomes especially complex when you take into account that network infrastructure might be blocked or spoofed.

A blockchain has the advantage that no single server or network component can become critical. A deployed contract defines the responsible parties and can be used to store the states. It is also possible to validate that a state is the current one and not an older one (where, for example, no security warning had been issued yet).

Goals

Give the user a simple tool to validate the current state of the repositories they use:

  • The used repository is in the current state.
  • It is registered as produced by the assigned OBS admin.
  • The registered Attestator has proven the same build result.
  • The registered Security Team has not warned about the state.
  • Hook into zypper via a plugin to be run after "zypper ref".

Roles get assigned by a foundation instance (e.g. the openSUSE board) via a readable contract deployed on the blockchain.
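The checks listed above, as an added example that is not part of the project's code: a simplified offline model of what the zypper plugin would evaluate after "zypper ref". The role accounts, state records and repomd contents are constructed placeholders; in the real design they would be read from the deployed contract and from the refreshed repository.

```python
import hashlib

# Roles as the foundation instance (e.g. the openSUSE board) would assign them in
# the deployed contract. Account identifiers are constructed placeholders.
ROLES = {"obs_admin": "0xADMIN", "attestator": "0xATTEST", "security_team": "0xSEC"}

# Constructed sample content of a repository's repomd.xml at two points in time.
REPOMD_V1 = b"<repomd><revision>1</revision></repomd>"
REPOMD_V2 = b"<repomd><revision>2</revision></repomd>"

def state_hash(repomd: bytes) -> str:
    """Hash of the published repository metadata; this is what gets registered."""
    return hashlib.sha256(repomd).hexdigest()

# Constructed state records, in the order they were written to the contract.
# Each carries who registered it, which attestators reproduced the same build
# result, and any warnings the security team recorded against it.
STATES = [
    {"seq": 1, "repo": "openSUSE:Factory", "hash": state_hash(REPOMD_V1),
     "registered_by": "0xADMIN", "attested_by": ["0xATTEST"],
     "warnings": [{"by": "0xSEC", "text": "constructed warning: rebuild pending"}]},
    {"seq": 2, "repo": "openSUSE:Factory", "hash": state_hash(REPOMD_V2),
     "registered_by": "0xADMIN", "attested_by": ["0xATTEST"], "warnings": []},
]

def validate_repo(repo: str, local_repomd: bytes, states=STATES, roles=ROLES) -> list:
    """Return findings for the locally refreshed repository; [] means trusted:
    current state, registered by the assigned OBS admin, reproduced by the
    registered attestator, and no security-team warning recorded."""
    findings = []
    records = [s for s in states if s["repo"] == repo]
    if not records:
        return [f"{repo}: no state registered on the contract"]
    matched = next((s for s in records if s["hash"] == state_hash(local_repomd)), None)
    if matched is None:
        return [f"{repo}: local metadata matches no registered state"]
    # Freshness: a blocked or spoofed mirror can serve an older, still-valid state.
    newest = max(records, key=lambda s: s["seq"])
    if matched["seq"] != newest["seq"]:
        findings.append(f"{repo}: stale state (seq {matched['seq']}, current is {newest['seq']})")
    if matched["registered_by"] != roles["obs_admin"]:
        findings.append(f"{repo}: state not registered by the assigned OBS admin")
    if roles["attestator"] not in matched["attested_by"]:
        findings.append(f"{repo}: registered attestator has not reproduced this build")
    for warning in matched["warnings"]:
        if warning["by"] == roles["security_team"]:
            findings.append(f"{repo}: security team warning: {warning['text']}")
    return findings
```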

Note: during the hackweek we can of course only deliver a first prototype demonstrating the approach.

Resources

Git repo

OBS Project


This project is part of:

Hack Week 24
