[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

12/66: ccs-2021: Add abstract and tweak intro.

From: Ludovic Courtès
Subject: 12/66: ccs-2021: Add abstract and tweak intro.
Date: Wed, 29 Jun 2022 11:31:58 -0400 (EDT)

civodul pushed a commit to branch master
in repository maintenance.

commit 247e1ed4c14ce86e0f61001d95197562016142be
Author: Ludovic Courtès <>
AuthorDate: Mon May 3 15:10:22 2021 +0200

    ccs-2021: Add abstract and tweak intro.
 doc/ccs-2021/security.sbib    | 10 ++++++++++
 doc/ccs-2021/supply-chain.skb | 37 +++++++++++++++++++++++++++++++++----
 2 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/doc/ccs-2021/security.sbib b/doc/ccs-2021/security.sbib
index 4f432a1..3b9f57b 100644
--- a/doc/ccs-2021/security.sbib
+++ b/doc/ccs-2021/security.sbib
@@ -63,6 +63,16 @@
 (publisher "USENIX Association")
 (month "Aug"))
+(article hinsen2020:staged-computation
+  (author "Konrad Hinsen")
+  (journal "Computing in Science Engineering")
+  (title "Staged Computation: The Technique You Did Not Know You Were Using")
+  (year "2020")
+  (volume "22")
+  (number "4")
+  (pages "99--103")
+  (url "";))
 (misc janneke:mes-web
   (title "GNU Mes web site")
   (author "Jan Nieuwenhuizen")
diff --git a/doc/ccs-2021/supply-chain.skb b/doc/ccs-2021/supply-chain.skb
index 7e7174b..4625c3a 100644
--- a/doc/ccs-2021/supply-chain.skb
+++ b/doc/ccs-2021/supply-chain.skb
@@ -165,19 +165,37 @@
 (bibliography "security.sbib")
-(document :title [Secure Software Supply Chain with GNU Guix]
+(document :title [Building a Secure Software Supply Chain with GNU Guix]
 ;;   :author (list (author :name "Ludovic Courtès"
 ;;                 :affiliation "Inria"
 ;;                 :address (list "Bordeaux, France")))
-     (p [GNU Guix blah blah FIXME.]))
+     (p [The ,(emph [software supply chain]) is becoming a widespread
+analogy to designate the series of steps taken to go from source code
+published by developers to executables running on the users’ computers.
+A security vulnerability in any of these steps puts users at risk, and
+evidence shows that attacks on the supply chain are becoming more
+     (p [GNU Guix is a software deployment tool that supports provenance
+tracking, reproducible builds, and reproducible software environments.
+Guix is first and foremost source code: it provides a set of package
+definitions that describe how to build code from source.  Together,
+these properties set it apart from many deployment tools that center on
+the distribution of binaries.])
+     (p [This paper focuses on the security of updates with Guix.  Guix
+source code is distributed using the Git version control system.  Our
+main contribution is a model and tool to authenticate new Git revisions.
+We further show how, building on Git semantics, we build protections
+against downgrade attacks and related threats.  We explain
+implementation choices and report on our experience since the mechanism
+entered production use.]))
    ;; See <>.
    (!latex "\\input{categories.tex}\n")
-   (acm-keywords [Software deployment, Git, ])
+   (acm-keywords [Software deployment, Security, Git])
    (!latex "\\maketitle\n")
@@ -196,7 +214,7 @@ and every upgrade can put users at risk.])
       (p [GNU Guix is a set of software deployment tools and a
 standalone GNU/Linux distribution; it includes a package manager similar
 in spirit to Debian’s apt or Fedora’s yum.  Unlike those, Guix builds
-upon the ,(emph [functional deployment model]) pioneered by Nix,(ref
+upon the ,(emph [functional deployment model]) pioneered by Nix ,(ref
 :bib "dolstra2004:nix"), a foundation for reproducible deployment,
 reproducible builds, and provenance tracking.  Guix is essentially a
 “source-based” deployment tools: the ,(emph [model]) is that of a system
@@ -243,6 +261,17 @@ different hash.  Thus, each store file name uniquely 
identifies build
 results.  This model is the foundation of ,(emph [end-to-end provenance
 tracking]): Guix records and uniquely identifies the inputs leading to
 build results available in ,(tt [/gnu/store]).])
+      (p [Providing more than 17,000 software packages today, Guix is
+used as a general purpose day-to-day GNU/Linux distribution that
+provides the additional safety net of ,(emph [transactional upgrades and
+rollbacks]): because build results are kept in the store by default, any
+new deployment, of individual packages or whole systems, can be rolled
+back ,(ref :bib '(dolstra2004:nix courtes2013:functional)).  Its ability
+to reproduce software environments, bit for bit, at different points in
+time and on different machines, make it a tool of choice in support of
+reproducible computational experiments and software engineering ,(ref
+:bib 'hinsen2020:staged-computation).])
       (p [Guix, like Nix and unlike Debian or Fedora, is essentially a
 ,(emph [source-based distribution]): Guix package definitions describe
 how to build packages from source.  When running a command such as ,(tt

reply via email to

[Prev in Thread] Current Thread [Next in Thread]