Hermit launches linux x86_64 programs in a special, hermetically isolated sandbox to control their execution. Hermit translates normal, nondeterministic behavior, into deterministic, repeatable behavior. This can be used for various applications, including replay-debugging, reproducible artifacts, chaos mode concurrency testing and bug analysis.
Other
1.17k
stars
31
forks
source link
feat: Producing SLSA provenance for reproducible builds using Hermit #39
Hey! This is more of a request for a colaboration. Our team works on creating tools for SLSA provenance (SLSA is a project aimed at improving software supply chain integrity by producing verifiable provenance about the origin of the software and integrating it inside the software delivery pipeline).
We've been developing a container based provenance GitHub workflow that is able to produce verifiable and non-forgeable provenance for a build that uses a container base image and a specified script/command to run. This work is being done to support Project Oak's transparent release -- which aims to enhance remote attestations in TEEs with transparent, verifiable binary provenance.
The workflow creates provenance that is isolated from both the user and the build process, in order to produce provenance that could not have been manipulated (assuming trust in the workflow). The provenance record contains information needed for a verifier to reproduce the build -- and we have developed tools to support reproducibility.
Using Hermit inside a base image to create the build would hopefully provide a fully deterministic build.
Feature purpose and use cases
We'd like to demo or showcase the usage of Hermit inside a base image to produce a fully deterministic build output with verifiable build provenance.
We're wondering if (1) you have considered build provenance, and (2) if you would be interested in demonstrating usage of these tools together for demos and example.
Feature Description
Hey! This is more of a request for a colaboration. Our team works on creating tools for SLSA provenance (SLSA is a project aimed at improving software supply chain integrity by producing verifiable provenance about the origin of the software and integrating it inside the software delivery pipeline).
We've been developing a container based provenance GitHub workflow that is able to produce verifiable and non-forgeable provenance for a build that uses a container base image and a specified script/command to run. This work is being done to support Project Oak's transparent release -- which aims to enhance remote attestations in TEEs with transparent, verifiable binary provenance.
The workflow creates provenance that is isolated from both the user and the build process, in order to produce provenance that could not have been manipulated (assuming trust in the workflow). The provenance record contains information needed for a verifier to reproduce the build -- and we have developed tools to support reproducibility.
Using Hermit inside a base image to create the build would hopefully provide a fully deterministic build.
Feature purpose and use cases We'd like to demo or showcase the usage of Hermit inside a base image to produce a fully deterministic build output with verifiable build provenance.
We're wondering if (1) you have considered build provenance, and (2) if you would be interested in demonstrating usage of these tools together for demos and example.
cc @rbehjati @laurentsimon