Over $10 Million donated for Supply Chain Security - An opertunity for growth and adoption

TLDR:

  • Supply Chain Security has reached critical mind-share
  • Nix solves or can solve many Supply Chain Security problems
  • The nix community has broad knowledge going back over 10 years that can really impact the direction of discussion around dependencies and reproducibility etc
  • Where is nix’s funding tho?.. /s
    • But seriously, we need to consider why nix isn’t receiving funding and how we can fix that
  • This is a massive opportunity for nix growth among users and the industry, and for funding to both the nix projects and individuals
    • Getting involved = Getting nix funding
    • Getting involved = Getting nix adoption

It would suck for big industry to waltz up and trample on the awesome work done by the nix community over such long period. Now is when the nix community can make it’s mark and display it’s hard work; delay and the opportunity will pass us by.

This is also a general plea to the community to express interest when people reach out an olive branch. There was an opportunity to be put forward for a pro-bono security audit but it received very little response. People will eventually stop bothering to reach out, which would suck.

And just to clarify I’m not suggesting nix become corporate, just seeing wider usage and appreciation for the work done around nix would be great.

If any of that sounds good please read the whole post


Supply Chain Security is all about understanding all of your software dependencies from top to bottom.

You may have noticed nix (and it’s associated projects) have been tackling this for over 10 years!

There is a massive increase in interest around Supply Chain Security in industry due to massive compromises month after month. As the title states, there’s $10 million donated to the Open Source Security Foundation in the first year alone

Supply-chain Levels for Software Artifacts or SLSA is a framework for Supply Chain Security, currently in development.

It’s not perfect but that’s exactly why it’s important we get involved. This is the opportunity for the lessons from nix to help SLSA avoid pitfalls.

@mlieberman85 is the chief architect of that CNCF secure supply chain project and on the board for SLSA and joshuagl/Joshua Lock from VMWare who’s also doing a lot of work on SLSA and interested in Nix.
We have opened an unofficial Nix + SLSA matrix channel to discuss the topic of SLSA, how nix fits in, and what issues SLSA has etc (e.g. I think reproducibility is a lot more important than just a suggested requirement at the highest “SLSA level”)

To get involved read the get involved page and/or follow the GitHub issues that power the development of the framework


Google has committed $10 billion (with a B) to cyber security, $100 million of that “to support third-party foundations that manage open source security priorities and help fix vulnerabilities”

$1 million has gone to the Linux Foundation for the Secure Open Source Rewards program offering funding to people who implement security improvements such as SLSA
https://sos.dev/

Reward amounts are determined based on complexity and impact of work:

Amount Nature of improvement
$10,000 or more Complicated, high-impact and lasting improvements that almost certainly prevent major vulnerabilities in the affected code or supporting infrastructure.
$5,000-$10,000 Moderately complex improvements that offer compelling security benefits.
$1,000-$5,000 Submissions of modest complexity and impact.
$505 Small improvements that nevertheless have merit from a security standpoint.

If you’re interested in supply chain and want to learn more also check out the Supply Chain Security Con that was a pre-day, it featured talks from @mlieberman85 (who’s demo repo has some nix in GitHub - mlieberman85/supply-chain-examples) and joshuagl among others
SupplyChainSecurityCon North America | LF Events

The talks should make it to Youtube in time if you don’t have a ticket, courtesy of the Session Recording sponsor/my employer ControlPlane

Also join the nix + slsa matrix channel above :slight_smile:

18 Likes

Also see how in the OWASP Top 10 “Using components with known vulnerabilities” increased its position in the ranking and how an entire new position was given to “Software and data integrity failures” (supply chain attacks)

In the modern world a supply chain attack is more likely to get you hacked than a SSRF, and having outdated components is more likely to get you hacked than even an authentication failure!

2 Likes

I hope that digging an old thread while remaining on topic is adequate. It is one of the rare ones on this topic.

Has the SLSA v1.0 (published in April 2023) compliance of Nix been assessed and/or documented? Such a piece of information would be useful to me, but I was not able to find anything concrete. Thanks in advance.

Related: SLSA v1.0 assessment · Issue #1 · tomberek/slsa-demo · GitHub

1 Like

I am working on SLSA (somewhat) and will be happy to help review if Nix will go that way.

2 Likes

I had done some presentations of Nix to the SLSA working group a while back and provided some recommendations. I think that the group really should have considered even higher levels of compliance into lvl5 and 6, but I don’t think that happened. Technically, Nix is easily compliant. The remaining issues are policy related - most notable is the two-person review requirement in lvl 4. This is not strictly performed in Nixpkgs, but it has been discussed and can be done internal to an organization as needed.

… wait, did they remove level 4? Hrm. Perhaps enough has changed that we should just go through the motions and check off the various requirements.

3 Likes

I’m really happy to see this thread getting attention again and I appreciate the comments so far!

Yep. Level 4 was axed quite a while ago.
Reproducible builds and hermetic builds are barely mentioned at the moment because it’s a very hard problem, especially if you’re not taking a nix style approach to packaging.
Just getting provenance to be useful and getting things right there is hard enough I guess. Personally I’d prefer reproducibility then provenance stuff but when it comes to commercial/proprietary software provenance (and other statements) and audits is all you can really go off.

I’ve been very busy with some other work stuff so I’ve sadly not given this as much focus as I would like.

I did do a talk at OpenSSF Day Japan around Supply Chain Security, integrating sigstore tooling into another ecosystem (nix), and a short section on what even is the difference between a build definition and a pipeline definition.

I don’t believe it was recorded but that’s a bit of a blessing for myself as I think I tried to squash too much into the time :upside_down_face:. (A great learning experience overall and I’m looking to improve my future presentations!)

The slides are included on the sched link. I still need to play with the POC (It generates provenance and identifies container outputs, pushes them to a registry, signs them, similar to how tekton-chains works) and get it in a public repo.

3 Likes