talks: Add Galois talk.

* talks/galois-2023: New directory.
Ludovic Courtès 2023-04-24 23:02:17 +02:00
parent 66e2c2a5cb
commit 9092bc9ce4
No known key found for this signature in database
GPG Key ID: 090B11993D9AEBB5
28 changed files with 1334 additions and 0 deletions

3
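--- a/talks/galois-2023/.gitignore
+++ b/talks/galois-2023/.gitignore
@@ -0,0 +1,3 @@
+images/commit-*.pdf
+images/waving-hand.pdf
+images/bootstrap*.pdf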


@ -0,0 +1 @@
../../fosdem-2023/security/images/1951_Switzerland_-_Luzerner_Landbank_Grosswangen_seals.jpg


@ -0,0 +1 @@
../../fosdem-2021/declaratively/images/Guix-white.pdf


@ -0,0 +1 @@
../../fosdem-2023/security/images/Sigillo_in_argento_famiglia_Ciciarelli_de_Cicerello.jpg


@ -0,0 +1 @@
../../fosdem-2023/security/images/birthday-cake.jpg


@ -0,0 +1,330 @@
digraph "Guix package" {
"140434441202256" [label = "make-boot0@4.3", shape = box, fontname = sans];
"140434441202256" -> "140434441175568" [color = dimgrey];
"140434441202256" -> "140434441203488" [color = dimgrey];
"140434441202256" -> "140434441203136" [color = dimgrey];
"140434441202256" -> "140434441175392" [color = dimgrey];
"140434441202256" -> "140434441202432" [color = dimgrey];
"140434441202256" -> "140434441202784" [color = dimgrey];
"140434441202256" -> "140434441175744" [color = dimgrey];
"140434441202256" -> "140434441175920" [color = dimgrey];
"140434441202256" -> "140434441176272" [color = dimgrey];
"140434441202256" -> "140434441176800" [color = dimgrey];
"140434441202256" -> "140434441176624" [color = dimgrey];
"140434441202256" -> "140434441177504" [color = dimgrey];
"140434441202256" -> "140434441122144" [color = dimgrey];
"140434441202256" -> "140434441178912" [color = dimgrey];
"140434441202256" -> "140434696318752" [color = dimgrey];
"140434441175568" [label = "bash-mesboot@5.1.16", shape = box, fontname = sans];
"140434441175568" -> "140434441175744" [color = red];
"140434441175568" -> "140434441175920" [color = red];
"140434441175568" -> "140434441176272" [color = red];
"140434441175568" -> "140434441176800" [color = red];
"140434441175568" -> "140434441176624" [color = red];
"140434441175568" -> "140434441177504" [color = red];
"140434441175568" -> "140434696318400" [color = red];
"140434441175568" -> "140434441122144" [color = red];
"140434441175568" -> "140434441178912" [color = red];
"140434441175568" -> "140434441123376" [color = red];
"140434441175568" -> "140434441123200" [color = red];
"140434441175568" -> "140434441123552" [color = red];
"140434441175568" -> "140434696318752" [color = red];
"140434441175744" [label = "gcc-mesboot-wrapper@4.9.4", shape = box, fontname = sans];
"140434441175744" -> "140434441123376" [color = peachpuff4];
"140434441175744" -> "140434441123200" [color = peachpuff4];
"140434441175744" -> "140434441176272" [color = peachpuff4];
"140434441175744" -> "140434441175920" [color = peachpuff4];
"140434441123376" [label = "gash-boot@0.3.0", shape = box, fontname = sans];
"140434441123376" -> "140434441123552" [color = red];
"140434441123376" -> "140434696318752" [color = red];
"140434441123552" [label = "bootar@1b", shape = box, fontname = sans];
"140434441123552" -> "140434696318752" [color = magenta];
"140434696318752" [label = "guile-bootstrap@2.0", shape = box, fontname = sans];
"140434441123200" [label = "gash-utils-boot@0.2.0", shape = box, fontname = sans];
"140434441123200" -> "140434441123552" [color = darkseagreen];
"140434441123200" -> "140434441123376" [color = darkseagreen];
"140434441123200" -> "140434696318752" [color = darkseagreen];
"140434441176272" [label = "glibc-mesboot@2.16.0", shape = box, fontname = sans];
"140434441176272" -> "140434441176448" [color = darkseagreen];
"140434441176272" -> "140434441176800" [color = darkseagreen];
"140434441176272" -> "140434441176624" [color = darkseagreen];
"140434441176272" -> "140434441177152" [color = darkseagreen];
"140434441176272" -> "140434441177504" [color = darkseagreen];
"140434441176272" -> "140434696318400" [color = darkseagreen];
"140434441176272" -> "140434441178032" [color = darkseagreen];
"140434441176272" -> "140434441122144" [color = darkseagreen];
"140434441176272" -> "140434441178912" [color = darkseagreen];
"140434441176272" -> "140434441123376" [color = darkseagreen];
"140434441176272" -> "140434441123200" [color = darkseagreen];
"140434441176272" -> "140434441123552" [color = darkseagreen];
"140434441176272" -> "140434696318752" [color = darkseagreen];
"140434441176448" [label = "glibc-headers-mesboot@2.16.0", shape = box, fontname = sans];
"140434441176448" -> "140434441178208" [color = dimgrey];
"140434441176448" -> "140434441176800" [color = dimgrey];
"140434441176448" -> "140434441176624" [color = dimgrey];
"140434441176448" -> "140434441177152" [color = dimgrey];
"140434441176448" -> "140434441177504" [color = dimgrey];
"140434441176448" -> "140434696318400" [color = dimgrey];
"140434441176448" -> "140434441178032" [color = dimgrey];
"140434441176448" -> "140434441122144" [color = dimgrey];
"140434441176448" -> "140434441178912" [color = dimgrey];
"140434441176448" -> "140434441123376" [color = dimgrey];
"140434441176448" -> "140434441123200" [color = dimgrey];
"140434441176448" -> "140434441123552" [color = dimgrey];
"140434441176448" -> "140434696318752" [color = dimgrey];
"140434441178208" [label = "mesboot-headers@0.24.2", shape = box, fontname = sans];
"140434441178208" -> "140434696318400" [color = darkgoldenrod];
"140434441178208" -> "140434441122144" [color = darkgoldenrod];
"140434441178208" -> "140434441178912" [color = darkgoldenrod];
"140434441178208" -> "140434441121792" [color = darkgoldenrod];
"140434441178208" -> "140434441121968" [color = darkgoldenrod];
"140434441178208" -> "140434441123376" [color = darkgoldenrod];
"140434441178208" -> "140434441123200" [color = darkgoldenrod];
"140434441178208" -> "140434441123552" [color = darkgoldenrod];
"140434441178208" -> "140434696318752" [color = darkgoldenrod];
"140434696318400" [label = "linux-libre-headers-bootstrap@0", shape = box, fontname = sans];
"140434441122144" [label = "gzip-mesboot@1.2.4", shape = box, fontname = sans];
"140434441122144" -> "140434441122320" [color = darkviolet];
"140434441122144" -> "140434441123376" [color = darkviolet];
"140434441122144" -> "140434441123200" [color = darkviolet];
"140434441122144" -> "140434441123552" [color = darkviolet];
"140434441122144" -> "140434696318752" [color = darkviolet];
"140434441122320" [label = "tcc-boot0@0.9.26-1136-g5bba73cc", shape = box, fontname = sans];
"140434441122320" -> "140434441122496" [color = darkseagreen];
"140434441122320" -> "140434441122672" [color = darkseagreen];
"140434441122320" -> "140434441123376" [color = darkseagreen];
"140434441122320" -> "140434441123200" [color = darkseagreen];
"140434441122320" -> "140434441123552" [color = darkseagreen];
"140434441122320" -> "140434696318752" [color = darkseagreen];
"140434441122496" [label = "mes-boot@0.24.2", shape = box, fontname = sans];
"140434441122496" -> "140434441122672" [color = peachpuff4];
"140434441122496" -> "140434441123376" [color = peachpuff4];
"140434441122496" -> "140434441123200" [color = peachpuff4];
"140434441122496" -> "140434441123552" [color = peachpuff4];
"140434441122496" -> "140434696318752" [color = peachpuff4];
"140434441122672" [label = "stage0-posix@1.4", shape = box, fontname = sans];
"140434441122672" -> "140434441123024" [color = dimgrey];
"140434441122672" -> "140434441123376" [color = dimgrey];
"140434441122672" -> "140434441123200" [color = dimgrey];
"140434441122672" -> "140434441123552" [color = dimgrey];
"140434441122672" -> "140434696318752" [color = dimgrey];
"140434441123024" [label = "bootstrap-seeds@1.0.0", shape = box, fontname = sans];
"140434441123024" -> "140434441123552" [color = peachpuff4];
"140434441178912" [label = "patch-mesboot@2.5.9", shape = box, fontname = sans];
"140434441178912" -> "140434441121968" [color = blue];
"140434441178912" -> "140434441122320" [color = blue];
"140434441178912" -> "140434441123376" [color = blue];
"140434441178912" -> "140434441123200" [color = blue];
"140434441178912" -> "140434441123552" [color = blue];
"140434441178912" -> "140434696318752" [color = blue];
"140434441121968" [label = "make-mesboot0@3.80", shape = box, fontname = sans];
"140434441121968" -> "140434441122320" [color = darkseagreen];
"140434441121968" -> "140434441123376" [color = darkseagreen];
"140434441121968" -> "140434441123200" [color = darkseagreen];
"140434441121968" -> "140434441123552" [color = darkseagreen];
"140434441121968" -> "140434696318752" [color = darkseagreen];
"140434441121792" [label = "tcc-boot@0.9.27", shape = box, fontname = sans];
"140434441121792" -> "140434441122496" [color = red];
"140434441121792" -> "140434441121968" [color = red];
"140434441121792" -> "140434441122320" [color = red];
"140434441121792" -> "140434441123376" [color = red];
"140434441121792" -> "140434441123200" [color = red];
"140434441121792" -> "140434441123552" [color = red];
"140434441121792" -> "140434696318752" [color = red];
"140434441176800" [label = "binutils-mesboot@2.20.1a", shape = box, fontname = sans];
"140434441176800" -> "140434441177152" [color = dimgrey];
"140434441176800" -> "140434441177680" [color = dimgrey];
"140434441176800" -> "140434441177504" [color = dimgrey];
"140434441176800" -> "140434696318400" [color = dimgrey];
"140434441176800" -> "140434441178032" [color = dimgrey];
"140434441176800" -> "140434441122144" [color = dimgrey];
"140434441176800" -> "140434441178912" [color = dimgrey];
"140434441176800" -> "140434441123376" [color = dimgrey];
"140434441176800" -> "140434441123200" [color = dimgrey];
"140434441176800" -> "140434441123552" [color = dimgrey];
"140434441176800" -> "140434696318752" [color = dimgrey];
"140434441177152" [label = "gcc-mesboot1@4.6.4", shape = box, fontname = sans];
"140434441177152" -> "140434441177680" [color = blue];
"140434441177152" -> "140434441177504" [color = blue];
"140434441177152" -> "140434441177856" [color = blue];
"140434441177152" -> "140434696318400" [color = blue];
"140434441177152" -> "140434441178032" [color = blue];
"140434441177152" -> "140434441122144" [color = blue];
"140434441177152" -> "140434441178912" [color = blue];
"140434441177152" -> "140434441123376" [color = blue];
"140434441177152" -> "140434441123200" [color = blue];
"140434441177152" -> "140434441123552" [color = blue];
"140434441177152" -> "140434696318752" [color = blue];
"140434441177680" [label = "binutils-mesboot1@2.20.1a", shape = box, fontname = sans];
"140434441177680" -> "140434441177856" [color = darkseagreen];
"140434441177680" -> "140434696318400" [color = darkseagreen];
"140434441177680" -> "140434441178032" [color = darkseagreen];
"140434441177680" -> "140434441178736" [color = darkseagreen];
"140434441177680" -> "140434441122144" [color = darkseagreen];
"140434441177680" -> "140434441178912" [color = darkseagreen];
"140434441177680" -> "140434441121968" [color = darkseagreen];
"140434441177680" -> "140434441123376" [color = darkseagreen];
"140434441177680" -> "140434441123200" [color = darkseagreen];
"140434441177680" -> "140434441123552" [color = darkseagreen];
"140434441177680" -> "140434696318752" [color = darkseagreen];
"140434441177856" [label = "gcc-mesboot0@2.95.3", shape = box, fontname = sans];
"140434441177856" -> "140434441178032" [color = peachpuff4];
"140434441177856" -> "140434696318400" [color = peachpuff4];
"140434441177856" -> "140434441178736" [color = peachpuff4];
"140434441177856" -> "140434441178384" [color = peachpuff4];
"140434441177856" -> "140434441122144" [color = peachpuff4];
"140434441177856" -> "140434441178912" [color = peachpuff4];
"140434441177856" -> "140434441121968" [color = peachpuff4];
"140434441177856" -> "140434441123376" [color = peachpuff4];
"140434441177856" -> "140434441123200" [color = peachpuff4];
"140434441177856" -> "140434441123552" [color = peachpuff4];
"140434441177856" -> "140434696318752" [color = peachpuff4];
"140434441178032" [label = "glibc-mesboot0@2.2.5", shape = box, fontname = sans];
"140434441178032" -> "140434441178208" [color = darkseagreen];
"140434441178032" -> "140434441178736" [color = darkseagreen];
"140434441178032" -> "140434441178384" [color = darkseagreen];
"140434441178032" -> "140434441122144" [color = darkseagreen];
"140434441178032" -> "140434441178912" [color = darkseagreen];
"140434441178032" -> "140434441121968" [color = darkseagreen];
"140434441178032" -> "140434441123376" [color = darkseagreen];
"140434441178032" -> "140434441123200" [color = darkseagreen];
"140434441178032" -> "140434441123552" [color = darkseagreen];
"140434441178032" -> "140434696318752" [color = darkseagreen];
"140434441178736" [label = "binutils-mesboot0@2.20.1a", shape = box, fontname = sans];
"140434441178736" -> "140434441122144" [color = darkgoldenrod];
"140434441178736" -> "140434441178912" [color = darkgoldenrod];
"140434441178736" -> "140434441121792" [color = darkgoldenrod];
"140434441178736" -> "140434441121968" [color = darkgoldenrod];
"140434441178736" -> "140434441123376" [color = darkgoldenrod];
"140434441178736" -> "140434441123200" [color = darkgoldenrod];
"140434441178736" -> "140434441123552" [color = darkgoldenrod];
"140434441178736" -> "140434696318752" [color = darkgoldenrod];
"140434441178384" [label = "gcc-core-mesboot0@2.95.3", shape = box, fontname = sans];
"140434441178384" -> "140434441178736" [color = peachpuff4];
"140434441178384" -> "140434441122144" [color = peachpuff4];
"140434441178384" -> "140434441178912" [color = peachpuff4];
"140434441178384" -> "140434441121792" [color = peachpuff4];
"140434441178384" -> "140434441121968" [color = peachpuff4];
"140434441178384" -> "140434441123376" [color = peachpuff4];
"140434441178384" -> "140434441123200" [color = peachpuff4];
"140434441178384" -> "140434441123552" [color = peachpuff4];
"140434441178384" -> "140434696318752" [color = peachpuff4];
"140434441177504" [label = "make-mesboot@3.82", shape = box, fontname = sans];
"140434441177504" -> "140434441177856" [color = cyan3];
"140434441177504" -> "140434696318400" [color = cyan3];
"140434441177504" -> "140434441178032" [color = cyan3];
"140434441177504" -> "140434441178736" [color = cyan3];
"140434441177504" -> "140434441122144" [color = cyan3];
"140434441177504" -> "140434441178912" [color = cyan3];
"140434441177504" -> "140434441121968" [color = cyan3];
"140434441177504" -> "140434441123376" [color = cyan3];
"140434441177504" -> "140434441123200" [color = cyan3];
"140434441177504" -> "140434441123552" [color = cyan3];
"140434441177504" -> "140434696318752" [color = cyan3];
"140434441176624" [label = "gawk-mesboot@3.1.8", shape = box, fontname = sans];
"140434441176624" -> "140434441177152" [color = darkviolet];
"140434441176624" -> "140434441177680" [color = darkviolet];
"140434441176624" -> "140434441177504" [color = darkviolet];
"140434441176624" -> "140434696318400" [color = darkviolet];
"140434441176624" -> "140434441178032" [color = darkviolet];
"140434441176624" -> "140434441122144" [color = darkviolet];
"140434441176624" -> "140434441178912" [color = darkviolet];
"140434441176624" -> "140434441123376" [color = darkviolet];
"140434441176624" -> "140434441123200" [color = darkviolet];
"140434441176624" -> "140434441123552" [color = darkviolet];
"140434441176624" -> "140434696318752" [color = darkviolet];
"140434441175920" [label = "gcc-mesboot@4.9.4", shape = box, fontname = sans];
"140434441175920" -> "140434441176096" [color = red];
"140434441175920" -> "140434441176448" [color = red];
"140434441175920" -> "140434441176272" [color = red];
"140434441175920" -> "140434441176800" [color = red];
"140434441175920" -> "140434441176624" [color = red];
"140434441175920" -> "140434441177152" [color = red];
"140434441175920" -> "140434441177504" [color = red];
"140434441175920" -> "140434696318400" [color = red];
"140434441175920" -> "140434441122144" [color = red];
"140434441175920" -> "140434441178912" [color = red];
"140434441175920" -> "140434441123376" [color = red];
"140434441175920" -> "140434441123200" [color = red];
"140434441175920" -> "140434441123552" [color = red];
"140434441175920" -> "140434696318752" [color = red];
"140434441176096" [label = "gcc-mesboot1-wrapper@4.6.4", shape = box, fontname = sans];
"140434441176096" -> "140434441123376" [color = cyan3];
"140434441176096" -> "140434441123200" [color = cyan3];
"140434441176096" -> "140434441176272" [color = cyan3];
"140434441176096" -> "140434441177152" [color = cyan3];
"140434441203488" [label = "coreutils-mesboot@9.1", shape = box, fontname = sans];
"140434441203488" -> "140434441175392" [color = darkviolet];
"140434441203488" -> "140434441175744" [color = darkviolet];
"140434441203488" -> "140434441175920" [color = darkviolet];
"140434441203488" -> "140434441176272" [color = darkviolet];
"140434441203488" -> "140434441176800" [color = darkviolet];
"140434441203488" -> "140434441176624" [color = darkviolet];
"140434441203488" -> "140434441177504" [color = darkviolet];
"140434441203488" -> "140434696318400" [color = darkviolet];
"140434441203488" -> "140434441122144" [color = darkviolet];
"140434441203488" -> "140434441178912" [color = darkviolet];
"140434441203488" -> "140434441123376" [color = darkviolet];
"140434441203488" -> "140434441123200" [color = darkviolet];
"140434441203488" -> "140434441123552" [color = darkviolet];
"140434441203488" -> "140434696318752" [color = darkviolet];
"140434441175392" [label = "sed-mesboot@4.8", shape = box, fontname = sans];
"140434441175392" -> "140434441175744" [color = dimgrey];
"140434441175392" -> "140434441175920" [color = dimgrey];
"140434441175392" -> "140434441176272" [color = dimgrey];
"140434441175392" -> "140434441176800" [color = dimgrey];
"140434441175392" -> "140434441176624" [color = dimgrey];
"140434441175392" -> "140434441177504" [color = dimgrey];
"140434441175392" -> "140434696318400" [color = dimgrey];
"140434441175392" -> "140434441122144" [color = dimgrey];
"140434441175392" -> "140434441178912" [color = dimgrey];
"140434441175392" -> "140434441123376" [color = dimgrey];
"140434441175392" -> "140434441123200" [color = dimgrey];
"140434441175392" -> "140434441123552" [color = dimgrey];
"140434441175392" -> "140434696318752" [color = dimgrey];
"140434441203136" [label = "grep-mesboot@3.8", shape = box, fontname = sans];
"140434441203136" -> "140434441175392" [color = cyan3];
"140434441203136" -> "140434441175744" [color = cyan3];
"140434441203136" -> "140434441175920" [color = cyan3];
"140434441203136" -> "140434441176272" [color = cyan3];
"140434441203136" -> "140434441176800" [color = cyan3];
"140434441203136" -> "140434441176624" [color = cyan3];
"140434441203136" -> "140434441177504" [color = cyan3];
"140434441203136" -> "140434696318400" [color = cyan3];
"140434441203136" -> "140434441122144" [color = cyan3];
"140434441203136" -> "140434441178912" [color = cyan3];
"140434441203136" -> "140434441123376" [color = cyan3];
"140434441203136" -> "140434441123200" [color = cyan3];
"140434441203136" -> "140434441123552" [color = cyan3];
"140434441203136" -> "140434696318752" [color = cyan3];
"140434441202432" [label = "tar-mesboot@1.34", shape = box, fontname = sans];
"140434441202432" -> "140434441202784" [color = cyan3];
"140434441202432" -> "140434441175744" [color = cyan3];
"140434441202432" -> "140434441175920" [color = cyan3];
"140434441202432" -> "140434441176272" [color = cyan3];
"140434441202432" -> "140434441176800" [color = cyan3];
"140434441202432" -> "140434441176624" [color = cyan3];
"140434441202432" -> "140434441177504" [color = cyan3];
"140434441202432" -> "140434696318400" [color = cyan3];
"140434441202432" -> "140434441122144" [color = cyan3];
"140434441202432" -> "140434441178912" [color = cyan3];
"140434441202432" -> "140434441123376" [color = cyan3];
"140434441202432" -> "140434441123200" [color = cyan3];
"140434441202432" -> "140434441123552" [color = cyan3];
"140434441202432" -> "140434696318752" [color = cyan3];
"140434441202784" [label = "xz-mesboot@5.2.8", shape = box, fontname = sans];
"140434441202784" -> "140434441175744" [color = cyan3];
"140434441202784" -> "140434441175920" [color = cyan3];
"140434441202784" -> "140434441176272" [color = cyan3];
"140434441202784" -> "140434441176800" [color = cyan3];
"140434441202784" -> "140434441176624" [color = cyan3];
"140434441202784" -> "140434441177504" [color = cyan3];
"140434441202784" -> "140434696318400" [color = cyan3];
"140434441202784" -> "140434441122144" [color = cyan3];
"140434441202784" -> "140434441178912" [color = cyan3];
"140434441202784" -> "140434441123376" [color = cyan3];
"140434441202784" -> "140434441123200" [color = cyan3];
"140434441202784" -> "140434441123552" [color = cyan3];
"140434441202784" -> "140434696318752" [color = cyan3];
}


@ -0,0 +1 @@
../../packaging-con-2021/grail/images/bootstrap-graph-further-reduced.dot


@ -0,0 +1 @@
../../fosdem-2020/containers/images/bootstrap-graph-reduced.dot


@ -0,0 +1 @@
../../fosdem-2020/containers/images/bootstrap-graph.dot


@ -0,0 +1 @@
../../fosdem-2023/security/images/commit-graph-intro.dot


@ -0,0 +1 @@
../../fosdem-2023/security/images/commit-graph-with-authorizations-bad.dot


@ -0,0 +1 @@
../../fosdem-2023/security/images/commit-graph-with-authorizations.dot


@ -0,0 +1 @@
../../fosdem-2023/security/images/commit-graph.dot


@ -0,0 +1 @@
../../fosdem-2020/containers/images/delorean.jpg


@ -0,0 +1 @@
../../packaging-con-2021/grail/images/deniable-compiler-backdoors.png


@ -0,0 +1 @@
../../fosdem-2023/security/images/github-verification-statuses.png


@ -0,0 +1 @@
../../jcad-2021/images/inria-white-2019.pdf

Binary file not shown.


Width:  |  Height:  |  Size: 126 KiB


@ -0,0 +1 @@
../../fosdem-2023/security/images/programming-paper.pdf


@ -0,0 +1 @@
../../fosdem-2020/containers/images/reflections-on-trusting-trust.png


@ -0,0 +1 @@
../../fosdem-2020/containers/images/reproducible-builds.pdf


@ -0,0 +1 @@
../../packaging-con-2021/grail/images/rusting-trust.png


@ -0,0 +1 @@
../../be-rse-2020/images/software-heritage-logo-title-white.pdf


@ -0,0 +1 @@
../../packaging-con-2021/grail/images/strawhorse-attack.pdf


@ -0,0 +1 @@
../../fosdem-2023/security/images/tuf.png


@ -0,0 +1 @@
../../fosdem-2023/security/images/waving-hand.svg


@ -0,0 +1,25 @@
;; Rules for Rubber.
[dot-pdf]
target = (.*)\.pdf
source = \1.dot
rule = shell
cost = 0
command = dot -Tpdf -Gratio=.56 -o $target $source
message = rendering $source into $target
[fdp-pdf]
target = (.*)\.pdf
source = \1.fdp
rule = shell
cost = 0
command = fdp -Tpdf -Gratio=.78 -o $target $source
message = rendering $source into $target (FDP)
[svg-pdf]
target = (.*)\.pdf
source = \1.svg
rule = shell
cost = 1
command = inkscape --export-pdf=$target $source
message = converting $source to $target
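Review bot: The `[svg-pdf]` rule calls `inkscape --export-pdf=$target $source`, and the `--export-pdf` option was dropped from the Inkscape 1.0 command line in favour of `--export-filename`, so on a current Inkscape this rule would fail and the PDF generated from the SVG image (presumably `images/waving-hand.pdf`) would not be built. With Inkscape 1.0 or later the equivalent line is `command = inkscape --export-filename=$target $source`; if older releases must keep working, a comment above the rule stating which Inkscape version it expects would be enough. All three `command` lines also interpolate `$target` and `$source` unquoted, which is fine for the image names in this commit but would presumably break on a path containing spaces, depending on how Rubber runs shell rules.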

953
talks/galois-2023/talk.tex Normal file

@ -0,0 +1,953 @@
% The comment below tells Rubber to compile the .dot files.
%
% rubber: module graphics
% rubber: rules rules.ini
% Make sure URLs are broken on hyphens.
% See <https://tex.stackexchange.com/questions/3033/forcing-linebreaks-in-url>.
\RequirePackage[hyphens]{url}
\documentclass[aspectratio=169]{beamer}
\usetheme{default}
\usefonttheme{structurebold}
% Nice sans-serif font.
\usepackage[sfdefault,lining]{FiraSans} %% option 'sfdefault' activates Fira Sans as the default text font
\renewcommand*\oldstylenums[1]{{\firaoldstyle #1}}
% Nice monospace font.
\usepackage{inconsolata}
\usepackage[utf8]{inputenc}
\PassOptionsToPackage{hyphens}{url}\usepackage{hyperref,xspace,multicol}
\usepackage[absolute,overlay]{textpos}
\usepackage{tikz}
\usetikzlibrary{arrows,shapes,trees,shadows,positioning,backgrounds}
\usepackage{fancyvrb} % for '\Verb'
\usepackage{xifthen} % for '\isempty'
% Remember the position of every picture.
\tikzstyle{every picture}+=[remember picture]
\tikzset{onslide/.code args={<#1>#2}{%
\only<#1>{\pgfkeysalso{#2}} % \pgfkeysalso doesn't change the path
}}
% Colors.
\definecolor{guixred1}{RGB}{226,0,38} % red P
\definecolor{guixorange1}{RGB}{243,154,38} % guixorange P
\definecolor{guixyellow}{RGB}{254,205,27} % guixyellow P
\definecolor{guixred2}{RGB}{230,68,57} % red S
\definecolor{guixred3}{RGB}{115,34,27} % dark red
\definecolor{guixorange2}{RGB}{236,117,40} % guixorange S
\definecolor{guixtaupe}{RGB}{134,113,127} % guixtaupe S
\definecolor{guixgrey}{RGB}{91,94,111} % guixgrey S
\definecolor{guixdarkgrey}{RGB}{46,47,55} % guixdarkgrey S
\definecolor{guixblue1}{RGB}{38,109,131} % guixblue S
\definecolor{guixblue2}{RGB}{10,50,80} % guixblue S
\definecolor{guixgreen1}{RGB}{133,146,66} % guixgreen S
\definecolor{guixgreen2}{RGB}{157,193,7} % guixgreen S
\setbeamerfont{title}{size=\huge}
\setbeamerfont{frametitle}{size=\huge}
\setbeamerfont{normal text}{size=\Large}
% White-on-black color theme.
\setbeamercolor{structure}{fg=guixorange1,bg=black}
\setbeamercolor{title}{fg=white,bg=black}
\setbeamercolor{date}{fg=guixorange1,bg=black}
\setbeamercolor{frametitle}{fg=white,bg=black}
\setbeamercolor{titlelike}{fg=white,bg=black}
\setbeamercolor{normal text}{fg=white,bg=black}
\setbeamercolor{alerted text}{fg=guixyellow,bg=black}
\setbeamercolor{section in toc}{fg=white,bg=black}
\setbeamercolor{section in toc shaded}{fg=white,bg=black}
\setbeamercolor{subsection in toc}{fg=guixorange1,bg=black}
\setbeamercolor{subsection in toc shaded}{fg=white,bg=black}
\setbeamercolor{subsubsection in toc}{fg=guixorange1,bg=black}
\setbeamercolor{subsubsection in toc shaded}{fg=white,bg=black}
\setbeamercolor{frametitle in toc}{fg=white,bg=black}
\setbeamercolor{local structure}{fg=guixorange1,bg=black}
\newcommand{\highlight}[1]{\alert{\textbf{#1}}}
\title{Building a Secure Software Supply Chain with GNU Guix}
\author{Ludovic Courtès}
\date{24 April 2023}
\setbeamertemplate{navigation symbols}{} % remove the navigation bar
\newcommand{\screenshot}[2][width=\paperwidth]{
\begin{frame}[plain]
\begin{tikzpicture}[remember picture, overlay]
\node [at=(current page.center), inner sep=0pt]
{\includegraphics[{#1}]{#2}};
\end{tikzpicture}
\end{frame}
}
\begin{document}
\begin{frame}[plain, fragile]
\begin{tikzpicture}[overlay]
\node [at=(current page.center)] {
% https://fr.wikipedia.org/wiki/Sceau#/media/Fichier:Sigillo_in_argento_famiglia_Ciciarelli_de_Cicerello.jpg
\includegraphics[width=1.2\textwidth]{images/Sigillo_in_argento_famiglia_Ciciarelli_de_Cicerello.jpg}
};
\node [at=(current page.center), fill=black, opacity=.4,
text width=1.3\textwidth, text height=\textheight] {
};
\node [at=(current page.south east), anchor=south east, inner sep=5mm] {
{\includegraphics[width=0.2\paperwidth]{images/inria-white-2019}}
};
\end{tikzpicture}
\vspace{17mm}
\Huge{\textbf{Building a Secure\\
Software Supply Chain\\
with GNU Guix}}
\\[15mm]
\large{Ludovic Courtès}
\\[2mm]
\alert{\textbf{Galois Tech Talk}, \oldstylenums{24 April 2023}}
\vfill{}
\end{frame}
\setbeamercolor{normal text}{bg=black}
\begin{frame}[plain, fragile]
\begin{tikzpicture}[overlay]
\node [at=(current page.center), inner sep=0mm, rotate=-1] {
\includegraphics[width=1.02\paperwidth, trim=0 0 0 30mm]{images/birthday-cake}
};
\node [at=(current page.center), fill=black, opacity=.6,
text width=1.3\textwidth, text height=\textheight] {
};
\node [at=(current page.south), anchor=south, text=white, inner sep=15pt]
{\Large{\url{https://guix.gnu.org}}};
\end{tikzpicture}
\Large{
\begin{itemize}
\item Guix started in \textbf{2012}
\item tools for \textbf{reproducible software deployment}
\item runs standalone (Guix System) or atop a \textbf{GNU/Linux} distro
\item \highlight{$\approx$22,000 packages}, all free software
\item \highlight{$\approx$100 monthly contributors}
\end{itemize}
}
\end{frame}
\setbeamercolor{normal text}{fg=white,bg=black}
\begin{frame}[fragile]
\begin{semiverbatim}
\LARGE{
guix \alert{install} ocaml coq emacs
guix \alert{install} rust vim
guix package \alert{--roll-back}
}
\end{semiverbatim}
\end{frame}
\begin{frame}[fragile]
\begin{semiverbatim}
\LARGE{
guix shell \alert{--manifest}=manifest.scm --container
}
\Large{
(\alert{specifications->manifest}
'("coreutils" "grep" "sed"
"ocaml" "guile" "guile-ocaml"))
}
\end{semiverbatim}
\end{frame}
\setbeamercolor{normal text}{bg=guixdarkgrey}
\begin{frame}[fragile]
\begin{semiverbatim}
\Large{
bob@laptop$ guix shell \alert{--manifest}=manifest.scm
bob@laptop$ guix \alert{describe}
guix cabba9e
repository URL: https://git.sv.gnu.org/git/guix.git
commit: cabba9e15900d20927c1f69c6c87d7d2a62040fe
\pause
alice@supercomp$ guix \alert{pull} --commit=cabba9e
alice@supercomp$ guix shell \alert{--manifest}=manifest.scm
}
\end{semiverbatim}
\end{frame}
\begin{frame}[fragile]
\begin{tikzpicture}[remember picture, overlay]
% https://commons.wikimedia.org/wiki/File:TeamTimeCar.com-BTTF_DeLorean_Time_Machine-OtoGodfrey.com-JMortonPhoto.com-07.jpg
\node [at=(current page.center), inner sep=0pt]
{\includegraphics[width=\paperwidth]{images/delorean}};
\node [rounded corners=4, text centered, anchor=north,
text width=10cm,
inner sep=3mm, opacity=.75, text opacity=1]
at (current page.center) {
\textbf{\Huge{travel in space \emph{and} time!}}
};
\end{tikzpicture}
\end{frame}
\setbeamercolor{normal text}{bg=white}
\begin{frame}[fragile, plain]
\begin{tikzpicture}[overlay]
\node [at=(current page.center)] {
\includegraphics[width=0.8\paperwidth]{images/nature-scientific-data-2022}
};
\node [at=(current page.south), anchor=south, text=guixdarkgrey,
fill=white, opacity=.8, text opacity=1, inner sep=2mm] {
Nature Scientific Data, Oct. 2022,
\url{https://doi.org/10.1038/s41597-022-01720-9}
};
\end{tikzpicture}
\end{frame}
\setbeamercolor{normal text}{bg=guixgrey}
\begin{frame}[fragile]
\begin{semiverbatim}
(\alert{define-public} hello
(\alert{package}
(name "hello")
(version "2.12.1")
(source (\alert{origin}
(method url-fetch)
(uri (string-append \tikz[baseline]{\node(source)[anchor=base]{"mirror://gnu/hello/hello-"};}
version ".tar.gz"))
(sha256 (base32 "0wqd\textrm{...}dz6"))))
(build-system gnu-build-system)
(inputs (list gnu-gettext))
(synopsis "Greetings, Programming!")
(description "That's what a Guix package looks like.")
(home-page "https://gnu.org/s/hello")
(license license:gpl3+)))
\end{semiverbatim}
\begin{tikzpicture}[overlay]
\node<2->(swh) [inner sep=3mm, rounded corners, fill=black,
opacity=.3, text opacity=1] at (12,7) {
% https://annex.softwareheritage.org/public/logo/
\includegraphics[width=0.33\textwidth]{images/software-heritage-logo-title-white}
};
\node<2-> [at=(current page.south), anchor=south,
inner sep=2mm, rounded corners, fill=black, text width=13cm,
opacity=.3, text opacity=1] {
\url{https://www.softwareheritage.org/2019/04/18/software-heritage-and-gnu-guix-join-forces-to-enable-long-term-reproducibility/}
};
\path<2->[very thick, draw=guixorange1]
(swh) edge [out=-90, in=0, ->] (source);
\end{tikzpicture}
\end{frame}
\setbeamercolor{normal text}{bg=white}
\screenshot[width=.8\paperwidth]{images/reproducible-builds}
\setbeamercolor{normal text}{bg=guixdarkgrey}
\begin{frame}[plain]
\LARGE{
$\texttt{emacs} = f(\texttt{gtk+}, \texttt{gcc}, \texttt{make}, \texttt{coreutils})$
\\[1.1cm]
\uncover<2->{$\texttt{gtk+} = g(\texttt{glib}, \texttt{gcc}, \texttt{make}, \texttt{coreutils})$}
\\[1.1cm]
\uncover<3->{$\texttt{gcc} = h(\texttt{make}, \texttt{coreutils}, \texttt{gcc}_0)$}
\\[1.1cm]
\uncover<3->{\textrm{...}}
}
\uncover<1>{\large{where $f =$ \texttt{./configure \&\& make \&\& make install}}}
%% \begin{tikzpicture}[overlay]
%% \node<4->[fill=guixorange1, text=black, text opacity=1, opacity=.7,
%% rounded corners=2mm, inner sep=5mm] at (5, 1) {
%% \textbf{\Large{the complete DAG is captured}}
%% };
%% \end{tikzpicture}
\end{frame}
%% \begin{frame}[fragile]
%% \begin{tikzpicture}[overlay]
%% \node [at=(current page.north west), anchor=north west,
%% outer sep=4mm, text=white, text width=13mm]{
%% \texttt{configure},
%% \texttt{src/hello.c},
%% GCC,\\
%% Binutils,
%% etc.
%% };
%% \node [at=(current page.center), outer sep=3mm, font=\rmfamily]{
%% {\fontfamily{roman}\fontsize{45}{45}{$f(x,y,z)$}}
%% };
%% \end{tikzpicture}
%% \end{frame}
\setbeamercolor{normal text}{bg=black}
\setbeamercolor{normal text}{bg=black}
\begin{frame}[fragile, plain]
%% \frametitle{Bit-Reproducible Builds$^*$}
%% \framesubtitle{$^*$ almost!}
\begin{semiverbatim}
\Large{
\$ guix build hello
\uncover<2->{/gnu/store/\tikz[baseline]{\node[anchor=base](nixhash){\alert<2>{h2g4sf72\textrm{...}}};}-hello-2.12.1}
\uncover<3->{\$ \alert<3>{guix gc -{-}references /gnu/store/\textrm{...}-hello-2.12.1}
/gnu/store/\textrm{...}-glibc-2.33
/gnu/store/\textrm{...}-gcc-10.3.0-lib
/gnu/store/\textrm{...}-hello-2.12.1
}}
\end{semiverbatim}
\begin{tikzpicture}[overlay]
\node<1>(labelnixhash) [fill=white, text=black, inner sep=0.5cm,
rounded corners] at (current page.center) {%
\Large{\textbf{isolated build}: chroot, separate name spaces, etc.}
};
\node<2>(labelnixhash) [fill=white, text=black] at (4cm, 2cm) {%
hash of \textbf{all} the dependencies};
\path[->]<2>(labelnixhash.north) edge [bend left, in=180, out=-45] (nixhash.south);
\draw<4-> (-10pt, 105pt) [very thick, color=guixorange2, rounded corners=8pt]
arc (10:-50:-50pt and 110pt);
\node<4>[fill=white, text=black, text opacity=1, opacity=.7,
rounded corners=2mm, inner sep=5mm]
at (7, 2) {\textbf{\Large{(nearly) bit-identical for everyone}}};
\end{tikzpicture}
\end{frame}
\setbeamercolor{normal text}{bg=guixblue2}
\begin{frame}[fragile]
\begin{semiverbatim}
$ \alert{guix challenge} --substitute-urls="https://ci.guix.gnu.org https://example.org"
\alert{/gnu/store/\dots{}-openssl-1.0.2d contents differ}:
local hash: 0725l22\dots{}
http://ci.guix.gnu.org/\dots{}-openssl-1.0.2d: 0725l22\dots{}
http://example.org/\dots{}-openssl-1.0.2d: 1zy4fma\dots{}
\alert{/gnu/store/\dots{}-git-2.5.0 contents differ}:
local hash: 00p3bmr\dots{}
http://ci.guix.gnu.org/\dots{}-git-2.5.0: 069nb85\dots{}
http://example.org/\dots{}-git-2.5.0: 0mdqa9w\dots{}
\alert{/gnu/store/\dots{}-pius-2.1.1 contents differ}:
local hash: 0k4v3m9\dots{}
http://ci.guix.gnu.org/\dots{}-pius-2.1.1: 0k4v3m9\dots{}
http://example.org/\dots{}-pius-2.1.1: 1cy25x1\dots{}
\end{semiverbatim}
\end{frame}
\setbeamercolor{normal text}{bg=black}
\setbeamercolor{normal text}{fg=black,bg=white}
\begin{frame}[fragile]
\vspace{2.5cm}
\begin{tikzpicture}[remember picture, overlay]
\node [at=(current page.center), inner sep=0pt,
drop shadow={opacity=0.5}, draw, color=guixgrey, line width=1pt]
{\includegraphics[height=0.9\paperheight]{images/reflections-on-trusting-trust}};
\end{tikzpicture}
\end{frame}
\setbeamercolor{normal text}{bg=white}
\begin{frame}[fragile, plain]
\begin{tikzpicture}[overlay]
\node [at=(current page.center)]{
\includegraphics[width=.6\paperwidth]{images/bootstrappable}
};
\node [at=(current page.south), anchor=south, text=black, text opacity=.7] {
\url{https://bootstrappable.org}
};
\end{tikzpicture}
\end{frame}
\begin{frame}[fragile]
\vspace{2.5cm}
\begin{tikzpicture}[remember picture, overlay]
\node [at=(current page.center), inner sep=0pt, rotate=8,
drop shadow={opacity=0.5}, draw, color=guixgrey, line width=1pt]
{\includegraphics[width=0.9\paperwidth]{images/strawhorse-attack}};
\node<1> [at=(current page.south), anchor=south, color=guixgrey,
fill=white, opacity=.5, text opacity=1]
{\url{https://theintercept.com/2015/03/10/ispy-cia-campaign-steal-apples-secrets/}};
% https://theintercept.com/document/2015/03/10/strawhorse-attacking-macos-ios-software-development-kit/
\node<2-> [at=(current page.center), inner sep=0pt, rotate=-4,
drop shadow={opacity=0.5}, draw, color=guixgrey, line width=1pt]
{\includegraphics[width=0.8\paperwidth]{images/rusting-trust}};
\node<2> [at=(current page.south), anchor=south, color=guixgrey,
fill=white, opacity=.5, text opacity=1]
{\url{https://manishearth.github.io/blog/2016/12/02/reflections-on-rusting-trust/}};
\node<3-> [at=(current page.center), inner sep=0pt, rotate=2,
drop shadow={opacity=0.5}, draw, color=guixgrey, line width=1pt]
{\includegraphics[width=0.9\paperwidth]{images/deniable-compiler-backdoors}};
\node<3> [at=(current page.south), anchor=south, color=guixgrey,
fill=white, opacity=.5, text opacity=1]
{\url{https://www.alchemistowl.org/pocorgtfo/pocorgtfo08.pdf}};
% TODO: SolarWinds
\end{tikzpicture}
\end{frame}
\setbeamercolor{normal text}{bg=white}
\begin{frame}[plain]
\begin{tikzpicture}[remember picture, overlay]
\node [at=(current page.center), inner sep=0pt]
{\includegraphics[height=\paperheight]{images/bootstrap-graph}};
\node<2-> [at=(current page.center), anchor=north, inner sep=20pt, text=guixgrey]
{\Large{\textbf{250 MiB of binary blobs}}};
\end{tikzpicture}
\end{frame}
\begin{frame}[plain]
\begin{tikzpicture}[remember picture, overlay]
\node [at=(current page.center), inner sep=0pt]
{\includegraphics[height=0.9\paperheight]{images/bootstrap-graph-reduced}};
\node<2-> [at=(current page.center), fill=guixorange1, rounded corners=10pt,
inner sep=10pt, opacity=.8, text opacity=1]
{\Large{\textbf{250 MiB $\rightarrow$ 130 MiB of binary blobs}}};
\node<2-> [at=(current page.south), anchor=south,
inner sep=2mm, outer sep=3mm, rounded corners,
fill=white, opacity=.7, text opacity=1, text=black]
{\url{https://guix.gnu.org/en/blog/2019/guix-reduces-bootstrap-seed-by-50/}};
\end{tikzpicture}
\end{frame}
\begin{frame}[plain]
\begin{tikzpicture}[remember picture, overlay]
\node [at=(current page.center), inner sep=0pt]
{\includegraphics[height=.6\paperheight]{images/bootstrap-graph-further-reduced}};
\node<2-> [at=(current page.center), fill=guixorange1, rounded corners=10pt,
inner sep=10pt, opacity=.8, text opacity=1]
{\Large{\textbf{130 MiB $\rightarrow$ 60 MiB of binary blobs}}};
\node<2-> [at=(current page.south), anchor=south,
inner sep=2mm, outer sep=3mm, rounded corners,
fill=white, opacity=.7, text opacity=1, text=black]
{\url{https://guix.gnu.org/en/blog/2020/guix-further-reduces-bootstrap-seed-to-25/}};
\end{tikzpicture}
\end{frame}
\begin{frame}[plain]
\begin{tikzpicture}[remember picture, overlay]
\node [at=(current page.center), inner sep=0pt]
{\includegraphics[height=0.6\paperheight]{images/bootstrap-full-source}};
\node<2-> [at=(current page.center), fill=guixorange1, rounded corners=10pt,
inner sep=10pt, opacity=.8, text opacity=1]
{\Large{\textbf{60 MiB $\rightarrow$ 0.5 MiB of source/binary!}}};
\node<2-> [at=(current page.south), anchor=south,
inner sep=2mm, outer sep=3mm, rounded corners,
fill=white, opacity=.7, text opacity=1, text=black]
{\url{https://archive.fosdem.org/2021/schedule/event/gnumes/}};
\node<2-> [at=(current page.north east), anchor=north east,
fill=white, text=guixdarkgrey, draw=guixblue1,
rounded corners=10pt, text width=8cm, fill=guixyellow,
inner sep=10pt, outer sep=3mm, opacity=.5, text opacity=1]
{\href{https://archive.fosdem.org/2021/schedule/event/gnumes/}{\large{$\rightarrow$
``\textbf{GNU Mes---The Full-Source Bootstrap}'' Jan Nieuwenhuizen, FOSDEM \oldstylenums{2021}}}};
\end{tikzpicture}
\end{frame}
\setbeamercolor{normal text}{bg=guixgreen2}
\begin{frame}[plain]
\vfill{\Huge{\textbf{Ensuring secure updates.}}}
\end{frame}
\setbeamercolor{normal text}{bg=guixdarkgrey}
\begin{frame}[fragile]
\LARGE{
\begin{semiverbatim}
$ \alert{guix pull}
Updating channel 'guix' from Git repository...
\end{semiverbatim}
}
\end{frame}
\setbeamercolor{normal text}{bg=white}
\begin{frame}[fragile]
\begin{tikzpicture}[overlay]
\node [at=(current page.center)] {
\includegraphics[width=\textwidth]{images/tuf}
};
\node [at=(current page.south), anchor=south, text=black, text opacity=.7] {
\url{https://theupdateframework.org}
};
\node<2-> [at=(current page.center), fill=black,
text=guixorange1, opacity=.6, text opacity=1.,
shape=circle, inner sep=10pt] {
\Huge{\textbf{?}}
};
\end{tikzpicture}
\end{frame}
\begin{frame}[plain, fragile, t]
\vspace{5mm}
\large{
\begin{tikzpicture}[box/.style = {
rounded corners=2mm,
fill=white, text=black, text width=4.8cm,
inner sep=2mm
},
server/.style = {
text centered, rounded corners=2mm,
fill=guixorange1, text=black, text width=3.4cm,
inner sep=3mm
},
note/.style = {
rounded corners=4, text centered,
fill=guixorange1, text width=5.5cm,
inner sep=3mm, rotate=5, opacity=.75, text opacity=1,
drop shadow={opacity=0.5}
}]
\matrix[row sep=1.8cm, column sep=0.4cm] {
%% \node(source)[box]{\texttt{http://\textrm{...}/Python-3.9.6.tar.gz}};
%% & &
%% \\
\node(def)[box]{\texttt{(define python\\
~~~(package \textrm{...}))}};
& & \node<2->(user)[server]{user};
\\
\node(build)[box]{\texttt{guix build python}
\texttt{/gnu/store/\textrm{...}-python-3.9.6}};
& & \node<3->(hydra)[server]{build~farm};
\\
& \node(savannah)[server, draw=guixblue2, thick]{\textbf{Git repository}}; &
\\
};
%% \path[->, very thick, draw=guixblue2]
%% (source) edge node[left]{download} node[right, text=guixblue2]{hash} (def);
\path[->, very thick, draw=guixblue2]
(def) edge node[left, text=guixblue2]{test} (build);
\path[->, very thick, draw=guixblue2]
(build) edge[->, in=110, out=-70] node[above, sloped, text=guixblue2]{\texttt{git push}}
(savannah);
\path<3->[<-, very thick, dashed, draw=guixblue2, text=guixblue2]
(user) edge node[right, text=guixblue2]{get binaries} (hydra);
\path<3->[<-, very thick, draw=guixblue2]
(hydra) edge[out=-90, in=0] node(farmpull)[right, text=guixblue2]{pull} (savannah.east);
\path<2->[<-, very thick, draw=guixblue2]
(user.south west) edge[in=80, out=200] node(userpull)[above, sloped, text=guixblue2]{\texttt{guix pull}}
(savannah);
\node<4> [at=(farmpull.center), shape=circle, inner sep=10mm,
fill=guixred2, opacity=0.3,
draw=guixred3, very thick] {};
\node<4> [at=(userpull.center), shape=circle, inner sep=10mm,
fill=guixred2, opacity=0.3,
draw=guixred3, very thick] {};
%% \node[note, rotate=3] at (2,1) {\Large{no ``maintainer uploads''}};
%% \node[note, rotate=-10] at (-2,-1) {\Large{no single point of trust}};
\end{tikzpicture}
}
\end{frame}
%% \definecolor{pieceofcakebg}{RGB}{230,223,179} %{90,87,70}
%% \setbeamercolor{normal text}{bg=pieceofcakebg}
%% \screenshot[width=0.8\textwidth]{images/piece-of-cake}
\setbeamercolor{normal text}{bg=white}
\begin{frame}[fragile, plain]
\begin{tikzpicture}[overlay]
\node [at=(current page.center)] {
\includegraphics[width=1.12\textwidth]{images/github-verification-statuses}
};
\node [at=(current page.south), anchor=south, text=black,
opacity=.7, inner sep=5mm] {
\url{https://docs.github.com/en/authentication/managing-commit-signature-verification}
};
\end{tikzpicture}
\end{frame}
\setbeamercolor{normal text}{bg=guixred3}
\begin{frame}[fragile, plain]
\begin{tikzpicture}[overlay]
\node [at=(current page.center)] {
% https://commons.wikimedia.org/wiki/File:1951_Switzerland_-_Luzerner_Landbank_Grosswangen_seals.jpg?uselang=fr
\includegraphics[width=1.25\textwidth]{images/1951_Switzerland_-_Luzerner_Landbank_Grosswangen_seals}
};
\node [at=(current page.center), fill=black, opacity=.3,
text width=1.3\textwidth, text height=\textheight] {
};
\end{tikzpicture}
\huge{
\begin{quotation}
\begin{flushright}
\textbf{authenticate}: \textit{establish the authenticity~of~something}
\\[4mm]
\textbf{authenticity}: \textit{undisputed credibility}
\end{flushright}
\end{quotation}
}
\hfill{\large{--- WordNet}}
\end{frame}
\setbeamercolor{normal text}{bg=guixblue1}
\begin{frame}[fragile]
\LARGE{
\begin{itemize}
\item assume \textbf{attacker might gain access to the repo}
\item protect against \textbf{malicious changes}
\item ... including \textbf{downgrade attacks}
\item<2-> support \textbf{off-line authentication}
\item<2-> support \textbf{changing authorizations}
\end{itemize}
}
\end{frame}
\setbeamercolor{normal text}{bg=white}
\begin{frame}[fragile, plain]
\begin{tikzpicture}[overlay]
\node [at=(current page.center)]{
\includegraphics[height=\paperheight]{images/commit-graph}
};
\end{tikzpicture}
\end{frame}
\setbeamercolor{normal text}{bg=guixdarkgrey}
\begin{frame}[fragile, plain]
\begin{textblock}{12}(1,2)
\begin{semiverbatim}
\Large{
(\tikz[baseline]{\node[anchor=base](file){\alert{authorizations}};}
(version 0)
;; Authorized committers OpenPGP fingerprints:
(("AD17 A21E F8AE D8F1 CC02 DBD9 F8AE D8F1 765C 61E3"
(name "alice"))
("2A39 3FFF 68F4 EF7A 3D29 12AF 68F4 EF7A 22FB B2D5"
(name "bob"))
("CABB A931 C0FF EEC6 900D 0CFB 090B 1199 3D9A EBB5"
(name "charlie"))))
}
\end{semiverbatim}
\end{textblock}
\begin{tikzpicture}[overlay]
\node<1> (filelabel) [at=(current page.north east),
anchor=north east, inner sep=4mm, outer sep=4mm, fill=white, opacity=.8,
text=black, rounded corners=2mm] {
\Large{The \texttt{.guix-authorizations} file}
};
\path<1> [->, very thick, draw=white]
(filelabel) edge [out=180, in=30] (file);
\end{tikzpicture}
\end{frame}
\begin{frame}[fragile, plain]
\begin{tikzpicture}[overlay]
\node [at=(current page.center), text width=\textwidth, rounded
corners=2mm, draw=guixorange1, very thick, inner sep=5mm] {
\Huge{Commit is authentic \textit{if and only if} \textbf{signed by
one of the keys} in the \texttt{.guix-authorizations} file of each
parent commit. \par}
};
\node [at=(current page.south), anchor=south, inner sep=10mm, text opacity=.8] {
\Large{\textbf{the ``authorization invariant''}}
};
\end{tikzpicture}
\end{frame}
\setbeamercolor{normal text}{bg=white}
\begin{frame}[fragile, plain]
\begin{tikzpicture}[overlay]
\node [at=(current page.center)]{
\includegraphics[height=\paperheight]{images/commit-graph-with-authorizations}
};
\end{tikzpicture}
\end{frame}
\setbeamercolor{normal text}{bg=white}
\begin{frame}[fragile, plain]
\begin{tikzpicture}[overlay]
\node [at=(current page.center)]{
\includegraphics[height=\paperheight]{images/commit-graph-with-authorizations-bad}
};
\end{tikzpicture}
\end{frame}
\setbeamercolor{normal text}{bg=guixtaupe}
\begin{frame}[fragile, plain]
\begin{tikzpicture}[overlay]
\node [at=(current page.center)]{
% https://commons.wikimedia.org/wiki/File:383-waving-hand-1.svg
\includegraphics[width=0.6\textwidth]{images/waving-hand}
};
\node [at=(current page.center), fill=white, opacity=.4,
text width=1.3\textwidth, text height=\textheight] {
};
\node [at=(current page.center), text=black] {
\Huge{\textbf{introducing a repository}}
};
\end{tikzpicture}
\end{frame}
\setbeamercolor{normal text}{bg=white}
\begin{frame}[fragile, plain]
\begin{tikzpicture}[overlay]
\node [at=(current page.center)]{
\includegraphics[height=\paperheight]{images/commit-graph-intro}
};
\end{tikzpicture}
\end{frame}
\setbeamercolor{normal text}{bg=guixdarkgrey}
\begin{frame}[fragile, plain]
\hspace{1mm}
\begin{semiverbatim}
\Large{
(\alert{channel}
(name 'my-channel)
(url "https://example.org/my-channel.git")
(introduction
(\alert{make-channel-introduction}
"6f0d8cc0d88abb59c324b2990bfee2876016bb86"
(openpgp-fingerprint
"CABB A931 C0FF EEC6 900D 0CFB 090B 1199 3D9A EBB5"))))
}
\end{semiverbatim}
\end{frame}
\begin{frame}[fragile, plain, t]
\vspace{20mm}
\Large{
\begin{semiverbatim}
$ \alert<1>{guix pull} \only<2>{\alert{-{-}url=https://example.org/mirror.git}}\uncover<3>{\alert{-{-}url=https://example.org/evil.git}}
Updating channel 'guix' from Git repository...
\textbf<1>{Authenticating channel 'guix'}, 329 new commits...
\only<2>{\highlight{warning:} using a mirror, which might be stale}\uncover<3->{\highlight{error:} commit c4bba93 not signed by an authorized key}
\end{semiverbatim}
}
\end{frame}
\begin{frame}[fragile, plain]
\begin{semiverbatim}
\Large{
$ \alert{guix git authenticate} \\
6f0d8cc0d88abb59c324b2990bfee2876016bb86 \\
"CABB A931 C0FF EEC6 900D 0CFB 090B 1199 3D9A EBB5"\uncover<2->{ \\
\alert{-{-}keyring}=\textit{my-keyring-branch}}
}
\end{semiverbatim}
\end{frame}
\setbeamercolor{normal text}{bg=guixred3}
\begin{frame}[fragile]
\vfill{\Huge{\textbf{What about downgrade attacks?}}}
\end{frame}
\setbeamercolor{normal text}{bg=guixdarkgrey}
\begin{frame}[fragile]
\begin{semiverbatim}
\Large{
$ guix \alert{describe}
guix cabba9e
repository URL: https://git.sv.gnu.org/git/guix.git
commit: cabba9e15900d20927c1f69c6c87d7d2a62040fe
\pause
$ guix \alert{pull}
Updating channel 'guix' from Git repository...
\highlight{error:} \textbf{commit c0ff33e is not a descendant of cabba9e}
}
\end{semiverbatim}
\end{frame}
\setbeamercolor{normal text}{bg=guixgrey}
\begin{frame}[fragile, plain]
\begin{semiverbatim}
\Large{
\$ guix system \alert{describe}
file name: /var/guix/profiles/system-126-link
label: GNU with Linux-Libre 5.4.15
bootloader: grub-efi
\alert{channels}:
guix:
repository URL: https://git.savannah.gnu.org/\textsf{\dots{}}
commit: 93f4511eb0c9b33f5083c2a04f4148e0a494059c
\alert{configuration file}: /gnu/store/\textsf{\dots{}}-configuration.scm
\pause
\$ guix system \alert{reconfigure} /etc/config.scm
\highlight{error:} \textbf{commit c4bba93 is not a descendant of 93f451}
}
\end{semiverbatim}
\end{frame}
\setbeamercolor{normal text}{bg=guixgreen2}
\begin{frame}[plain]
\vfill{\Huge{\textbf{Wrap-up \& outlook.}}}
\end{frame}
\setbeamercolor{normal text}{bg=guixblue2}
\begin{frame}[plain]
\LARGE{
\begin{itemize}
\item \textbf{authenticated Git checkouts}\\ $\rightarrow$ safe Guix updates!
\item \textbf{in-band, off-line}: authentication + authorization data
is in Git
\item<2-> protection against \textbf{downgrade attacks}
\item<2-> deployed in Guix \textbf{since mid-2020}
\end{itemize}
}
\begin{tikzpicture}[overlay]
\node<1> at (9,1) [text width=50mm,
align=center, inner sep=5mm, rotate=10, rounded corners=2mm,
fill=guixorange1, text=white] {
\LARGE{\textbf{You can use it on your Git repo!}}
};
\end{tikzpicture}
\end{frame}
\setbeamercolor{normal text}{bg=white}
\begin{frame}[plain, fragile]
\begin{tikzpicture}[overlay]
\node [at=(current page.center), inner sep=0pt] {
\includegraphics[width=0.9\paperwidth, trim=0 400px 0 0]{images/programming-paper}
};
\node [at=(current page.north), anchor=north, inner sep=10px, text=guixdarkgrey] {
\url{https://doi.org/10.22152/programming-journal.org/2023/7/1}
};
\end{tikzpicture}
\end{frame}
\setbeamercolor{normal text}{bg=guixblue1}
\begin{frame}[plain, fragile]
\LARGE{\textbf{Unified deployment toolbox vs. patchwork}}
\\[7mm]
\Large{
\begin{itemize}
\item \highlight{end-to-end integration} vs. ``artifact flow''
\item \highlight{verifiability} vs. attestation
\item \highlight{commit graph} vs. version strings
%% \item \highlight{commit IDs} vs. SBOMs as name/version pairs
\item ...
\end{itemize}
}
\end{frame}
\setbeamercolor{normal text}{bg=white}
\begin{frame}[fragile, plain]
\begin{tikzpicture}[overlay]
\node [at=(current page.center), text=black, text
width=0.8\textwidth, align=flush left] {
\Huge{From source code\\ to deployed binaries:\\
\textbf{provenance tracking\\ \& verifiability are the key.} \par}
};
\end{tikzpicture}
\end{frame}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\setbeamercolor{normal text}{bg=black}
\begin{frame}[plain]
\vfill{
\vspace{1.5cm}
\center{\includegraphics[width=0.3\textwidth]{images/Guix-white}}\\[1.0cm]
{\alert{\url{https://guix.gnu.org/}}}\hfill{
\texttt{ludo@gnu.org |} @civodul@toot.aquilenet.fr}
}
\end{frame}
\setbeamercolor{normal text}{bg=guixred2}
\begin{frame}
\Huge{\textbf{Bonus slides!}}
\end{frame}
\setbeamercolor{normal text}{bg=guixgrey}
\begin{frame}[fragile]
\LARGE\textbf{Reproducible environments: 2 files, 2 commands}
\\[2cm]
\LARGE{
\begin{enumerate}
\item \texttt{guix describe -f channels > \highlight{channels.scm}}
\item{ \begin{semiverbatim}
guix time-machine -C \highlight{channels.scm} -- \\
shell -m \highlight{manifest.scm}
\end{semiverbatim}}
\end{enumerate}
}
\end{frame}
\setbeamercolor{normal text}{bg=black}
\begin{frame}{}
\begin{textblock}{12}(2, 5)
\tiny{
Copyright \copyright{} 2012--2023 Ludovic Courtès \texttt{ludo@gnu.org}.\\[3.0mm]
GNU Guix logo by Luis Felipe, CC-BY-SA 4.0,
\url{https://guix.gnu.org/en/graphics/}. \\
Reproducible Builds logo under CC-BY 3.0,
\url{https://uracreative.github.io/reproducible-builds-styleguide/visuals/}. \\
Bootstrappable Builds logo by Ricardo Wurmus,
\url{https://bootstrappable.org}.
\\[1.5mm]
Picture of silver seal by Cicerellus, CC-BY-SA 4.0,
\url{https://commons.wikimedia.org/wiki/File:Sigillo_in_argento_famiglia_Ciciarelli_de_Cicerello.jpg}.
\\
Picture of Guix birthday cake by Christopher Baines, CC0,
\url{https://10years.guix.gnu.org/photos}.
\\
Picture of letter with wax seals by Arno-nl, CC-BY-SA 3.0,
\url{https://commons.wikimedia.org/wiki/File:1951_Switzerland_-_Luzerner_Landbank_Grosswangen_seals.jpg}.
\\
Waving hand by webalys, CC-BY-SA 4.0,
\url{https://commons.wikimedia.org/wiki/File:383-waving-hand-1.svg}.
\\[1.5mm]
Copyright of other images included in this document is held by
their respective owners.
\\[3.0mm]
This work is licensed under the \alert{Creative Commons
Attribution-Share Alike 3.0} License. To view a copy of this
license, visit
\url{https://creativecommons.org/licenses/by-sa/3.0/} or send a
letter to Creative Commons, 171 Second Street, Suite 300, San
Francisco, California, 94105, USA.
\\[2.0mm]
At your option, you may instead copy, distribute and/or modify
this document under the terms of the \alert{GNU Free Documentation
License, Version 1.3 or any later version} published by the Free
Software Foundation; with no Invariant Sections, no Front-Cover
Texts, and no Back-Cover Texts. A copy of the license is
available at \url{https://www.gnu.org/licenses/gfdl.html}.
\\[2.0mm]
% Give a link to the 'Transparent Copy', as per Section 3 of the GFDL.
The source of this document is available from
\url{https://git.sv.gnu.org/cgit/guix/maintenance.git}.
}
\end{textblock}
\end{frame}
\end{document}
% Local Variables:
% coding: utf-8
% comment-start: "%"
% comment-end: ""
% ispell-local-dictionary: "francais"
% compile-command: "guix shell -m ../beamer-manifest.scm -- rubber --pdf talk.tex"
% End:
%% LocalWords: Reproducibility