Description

We have many centralized, critical places where a breach would compromise a user's system. Simple examples are replaced binaries on the OBS server, disabled updating of repositories on a mirror, or blocked notifications about known security issues.

The classic mechanisms of keeping package sources in a source revision system and signing build results do not protect us in these scenarios: a signature only proves who published an artifact, not that it is the artifact that was supposed to be published, nor that it is the newest one.

We need to make our development and production cycle transparent and reach a real zero-trust implementation, where no single person can modify build artifacts unnoticed or stop the transport of information. And we need to give users a simple way to validate the content they intend to use.

Bit-wise reproducible build artifacts play a key role here, but it is also critical to ensure that a noticed difference reaches the end user. The same applies to reported security incidents.

This becomes especially complex when you take into account that network infrastructure might be blocked or spoofed. A targeted attack against selected users (serving them a different or stale repository than everybody else) is also unlikely to be discovered.

A blockchain using a p2p network has the advantage that no single server or component becomes critical. A deployed contract defines the responsible parties and can be used to store the states. It is also possible to validate that a state is the current one and not an older one.

Goals

Give the user a simple tool to validate the current state of the repositories they use:

  • The used repository is the current state.
  • It is registered as produced by the assigned OBS admin.
  • A registered attestator has proven the same build result.
  • The registered security team has not warned about the state.
  • Hook into zypper via a plugin to be run after "zypper ref".

Roles get assigned by a foundation instance (e.g. the openSUSE board) via a readable contract deployed on the blockchain.
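The following is an added example (written for this page, not code from the Hack Week project or its Git repo) that models the goals above and the role assignment in one place: a role-gated contract that stores published repository states, and the client-side check a zypper plugin would run after "zypper ref". It assumes, as its own simplifications, that a repository state is identified by the SHA-256 of its repomd.xml, that the chain already authenticates who sent each transaction (as with msg.sender in an EVM contract), so the contract only has to gate writes by role, and that addresses are plain strings. The repomd contents and role names are constructed sample data.

```python
"""Model of the on-chain repository-state contract plus the client-side check.

Added example, not project code. Assumptions: a repository state is the
SHA-256 of its repomd.xml; the chain authenticates the transaction sender,
so the contract only checks that the sender holds the required role.
"""
import hashlib
from dataclasses import dataclass, field


def state_hash(repomd_xml: bytes) -> str:
    """Hash identifying one published repository state (assumed: repomd.xml)."""
    return hashlib.sha256(repomd_xml).hexdigest()


@dataclass
class Roles:
    foundation: str              # e.g. the openSUSE board; the only role set at deploy time
    obs_admin: str = ""
    attestator: str = ""
    security_team: str = ""


@dataclass
class RepoRecord:
    builds: list = field(default_factory=list)    # state hashes in publish order
    attested: set = field(default_factory=set)    # hashes the attestator reproduced bit-wise
    warnings: dict = field(default_factory=dict)  # state hash -> warning text


class RepoStateContract:
    """Append-only, role-gated store. Every write is rejected unless the
    sender holds the role the foundation assigned for that action."""

    def __init__(self, foundation: str):
        self.roles = Roles(foundation=foundation)
        self.repos: dict[str, RepoRecord] = {}

    def _require(self, sender: str, holder: str, action: str) -> None:
        if not holder or sender != holder:
            raise PermissionError(f"{sender!r} may not {action}")

    def _rec(self, repo: str) -> RepoRecord:
        return self.repos.setdefault(repo, RepoRecord())

    def assign_roles(self, sender, obs_admin, attestator, security_team):
        self._require(sender, self.roles.foundation, "assign roles")
        self.roles.obs_admin = obs_admin
        self.roles.attestator = attestator
        self.roles.security_team = security_team

    def register_build(self, sender, repo, h):
        self._require(sender, self.roles.obs_admin, "register a build")
        self._rec(repo).builds.append(h)       # newest state is always builds[-1]

    def attest(self, sender, repo, h):
        self._require(sender, self.roles.attestator, "attest a build")
        self._rec(repo).attested.add(h)

    def warn(self, sender, repo, h, text):
        self._require(sender, self.roles.security_team, "issue a warning")
        self._rec(repo).warnings[h] = text


def verify_repo(contract: RepoStateContract, repo: str, local_repomd: bytes):
    """The zypper-plugin side: compare the locally refreshed repomd.xml with the
    contract state. Returns (ok, findings); findings is empty only when all four
    goals hold. Fails closed: an unknown state is never accepted."""
    h = state_hash(local_repomd)
    rec = contract.repos.get(repo)
    findings = []
    if rec is None or h not in rec.builds:
        findings.append("state was never registered by the OBS admin")
        return False, findings
    if rec.builds[-1] != h:
        findings.append("state is registered but not current (rollback or stale mirror)")
    if h not in rec.attested:
        findings.append("no independent attestation of an identical build result")
    if h in rec.warnings:
        findings.append(f"security team warning: {rec.warnings[h]}")
    return not findings, findings


def rejected(action) -> bool:
    """True if the contract refused a write; used to show the role gating."""
    try:
        action()
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    c = RepoStateContract("board")
    c.assign_roles("board", "obs-admin", "attestator", "secteam")
    v1 = b"<repomd revision='1'/>"  # constructed sample repomd.xml contents
    c.register_build("obs-admin", "oss", state_hash(v1))
    c.attest("attestator", "oss", state_hash(v1))
    print(verify_repo(c, "oss", v1))
    print("mirror may write:", not rejected(lambda: c.register_build("mirror", "oss", "x")))
```

In the real design the plugin would read the contract state from the p2p network rather than from an in-process object, which is what keeps a compromised or blocked mirror from hiding a newer registered state; the check itself stays the same. Note that the stale-state finding is what distinguishes a rollback attack (an old, correctly signed repository served to selected users) from a simply unregistered one.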

Note: during the hackweek we can of course only deliver a first prototype demonstrating the approach. The real implementation would require discussion within the project first.

Resources

Git repo

OBS Project


This project is part of:

Hack Week 24

Activity

  • 6 days ago: ddemaio joined this project.
  • 6 days ago: adrianSuSE started this project.
  • 6 days ago: adrianSuSE originated this project.
