You can get a sense of what my team and I do from

lrvick • yesterday at 11:00 AM • 1 reply • view on HN

You can get a sense of what my team and I do from https://distrust.co/threatmodel.html

For information on stagex and how we do signed deterministic compiles across independently operated hardware see https://stagex.tools

Stagex is used by governments, fintech, blockchains, AI companies, and critical infrastructure all over the internet, so our threat model must assume at least one computer or maintainer is compromised at all times and not trust any third party compiled code in the entire supply chain.

Replies

salawat • today at 12:06 AM

Nice! I'd thought about doing something similar, but never went so far as to get where y'all are at! I got about to an LFS distro that I was in the process of picking apart GCC to see if I could get the thing verifiable. Can't say as I'm fond of the container first architecture, but I understand why you did it, and my old fartness aside, keep up the good work! Now I have another project to keep an eye on. And at least 4 other people other than me that take supply chain risk seriously! Yay!

alt Hacker News

Replies