Even after reading about it, it's not totally clear to me how Wolfi Linux is more resistant to supply chain attacks than other distros (even though they say they are not a distro). Is it that it's so minimal that they can do code review for the few packages, since it has so few packages?
I kind of assume that the Qubes devs are all over dom0 and that vulnerabilities in the template/app VMs are less of an issue, but I still wanted to ask if there were any ideas that could be cherry-picked from that project.
As far as I understand, Wolfi is just a minimal environment for the container. If you want a container for building something with gcc, you download the Wolfi image with gcc and compile. It is shipped only with gcc and some necessary packages. That's the idea. You build your software in containers that have only the tools you need, so your software is less vulnerable to supply chain attacks than when it is built in a container based on Ubuntu.
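A concrete version of the build flow described in the reply above, as an added example that is not part of the original post and not Wolfi's or Chainguard's own documentation: a two-stage Dockerfile that installs only a compiler toolchain in the build stage and copies the resulting binary into a runtime image that carries no shell, no package manager and no compiler. The image names cgr.dev/chainguard/wolfi-base and cgr.dev/chainguard/glibc-dynamic and the Wolfi package name build-base are assumptions here; check them against the current Wolfi package index and Chainguard image catalogue before relying on them. The hello.c source is constructed inline so the file builds on its own.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not from the thread. Assumed names (verify before use):
#   cgr.dev/chainguard/wolfi-base     - Wolfi base image with apk
#   cgr.dev/chainguard/glibc-dynamic  - runtime-only image: glibc, no shell
#   build-base                        - Wolfi meta-package for gcc/make/binutils

# Stage 1: build. Only the toolchain is added; nothing from this stage
# except the compiled binary reaches the final image.
FROM cgr.dev/chainguard/wolfi-base AS build
RUN apk add --no-cache build-base
WORKDIR /src

# Constructed sample program so the example is self-contained.
COPY <<'EOF' /src/hello.c
#include <stdio.h>

int main(void) {
    puts("built on wolfi, running without a toolchain");
    return 0;
}
EOF

RUN gcc -O2 -Wall -Wextra -o hello hello.c

# Stage 2: run. The runtime image has no apk, no sh and no gcc, so a
# compromised dependency cannot pull or compile anything at run time.
FROM cgr.dev/chainguard/glibc-dynamic
COPY --from=build /src/hello /usr/local/bin/hello
ENTRYPOINT ["/usr/local/bin/hello"]
```

Build with `docker build -t wolfi-hello .` and run with `docker run --rm wolfi-hello`. A quick check of the point the reply is making: `docker run --rm --entrypoint sh wolfi-hello` should fail because the runtime image ships no shell, and `docker run --rm --entrypoint gcc wolfi-hello` should fail for the same reason. The attack surface that remains is the binary itself plus glibc, not an entire distribution's worth of packages.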
Thanks. So much of the security is the fact that the code base is so small? Or is there something about containers specifically that makes it less vulnerable?
I think both. The images are extremely small and designed with security in mind. I'm curious how hard (and how secure) it is to install some less common tools on a Wolfi image, since build systems often rely on some proprietary tools.
Something similar in Qubes would be cloning a minimal template, installing the minimal tools needed for your task, and working in a disposable from