Stop Shipping Systems: Homogenising Software Supply Chains
10-26, 11:15–11:40 (Europe/Berlin), Main stage

The current software supply chain has become convoluted. We've migrated from virtual machines to containers - but at the end of the day, we're still shipping systems.

Warpforge is paving the way to greatly improved security of software supply chains through increased auditability, while uncoupling ability to build software from network dependencies and the accompanying latency.


Introduction

We've achieved technological symbiosis: for the majority of people, our devices are digital extensions of our minds, and anything holding that much information about us needs to be secure while remaining understandable.

Computers require integrity and infrastructure needs resilience. Most critical infrastructure is computerised, and scenarios like this are where the stakes are highest. Making our systems both integral and resilient requires two things:

  • All-encompassing control of what software is present
  • The ability to audit and verify that software is what it says on the tin

Challenges in Software Integrity and Security

There’s a library for this, another for that - developing software is becoming more modular! But we’ve hit a bottleneck in how we ship it.

Packaging formats proliferate, and neither building nor distributing software to end-users is easy anymore. Greater numbers of components going into any software build process only makes this more complicated. Utilisation of shared libraries during deployment also results in complexity and the balkanisation of packaging systems and distros alike, where despite the best of intentions, no one can share their work or ship their products without repackaging.

It’s time to revisit some basics. Can we share more with less, by utilising simpler formats? Can we manage things more consistently, by building a solid general foundation? Can we go beyond blind trust in version numbers, establishing truth and precision, all while reducing the wrangling of chaotic dependency chains and breaking free from shipping entire systems?

We hope so. Introducing Warpforge.

Warpforge addresses the proliferation of tool and format challenges by attaching simple filesystem snapshots and transport to a decentralised package database API, integrating this with containers for execution of builds and test environments. Warpforge uses content addressing throughout these systems to make them precise and secure.

Together, these systems increase transparency, reliability, and explainability. They enable developers to have better control over their software supply chain, leading to more robust and secure software development practices.

The Vision of Warpforge

By establishing truth through hash trees, and making them easy to use in hermetic (containerised) environments, we can create an environment providing:
- Supply chain security, everywhere
- True reproducibility for software builds
- Increased portability of software
- Enabling rapid forking and building of software
- Making dependency trees portable
- Reducing the impact of poor network availability on build ability
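To make "establishing truth through hash trees" concrete, here is an added example (not Warpforge's own snapshot format, which the abstract does not specify) of content addressing over a constructed in-memory filesystem snapshot: the root hash depends only on paths and bytes, so the same content always gets the same identity, a single changed byte changes it, and the leaf hashes let an auditor name exactly which files differ.

```python
import hashlib
import hmac
from typing import Dict, Set

# Constructed in-memory "snapshot": path -> file bytes. This hypothetical
# format keeps only content; a real one would also record modes and symlinks.
SNAPSHOT_A: Dict[str, bytes] = {
    "bin/app": b"\x7fELF constructed binary",
    "lib/libfoo.so": b"constructed shared object",
    "share/README": b"hello\n",
}


def leaf_hashes(files: Dict[str, bytes]) -> Dict[str, str]:
    """Content hash of every file, keyed by path (domain-separated as a blob)."""
    return {p: hashlib.sha256(b"blob\0" + d).hexdigest() for p, d in files.items()}


def snapshot_root_hash(files: Dict[str, bytes]) -> str:
    """Hash tree over the snapshot: directories hash their sorted (hash, name)
    entries, so the root covers every byte and every path and nothing else
    (no timestamps, no insertion order, no host-specific state)."""
    tree: Dict[str, object] = {}
    for path, data in files.items():
        node = tree
        parts = path.split("/")
        for part in parts[:-1]:
            node = node.setdefault(part, {})  # create intermediate directories
        node[parts[-1]] = data

    def hash_node(node) -> str:
        if isinstance(node, bytes):
            return hashlib.sha256(b"blob\0" + node).hexdigest()
        entries = b"".join(
            f"{hash_node(node[name])} {name}\n".encode() for name in sorted(node)
        )
        return hashlib.sha256(b"tree\0" + entries).hexdigest()

    return hash_node(tree)


def verify_snapshot(files: Dict[str, bytes], expected_root: str) -> bool:
    """Audit check: does this snapshot really match the root hash it claims?"""
    return hmac.compare_digest(snapshot_root_hash(files), expected_root)


def changed_paths(a: Dict[str, bytes], b: Dict[str, bytes]) -> Set[str]:
    """Paths whose content differs (or exists on one side only): the
    explainability the root hash alone cannot give."""
    ha, hb = leaf_hashes(a), leaf_hashes(b)
    return {p for p in set(ha) | set(hb) if ha.get(p) != hb.get(p)}
```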

As part of this, to make it easier to compose systems of more easily isolated packages, we introduce a major overhaul to how our packages approach dynamic linking, in the form of Zapps: gloriously robust, and the secret ingredient to making Warpforge workable & appealing.

By being language and toolchain agnostic, we can bring these benefits to the masses, all while doing our bit to achieve parity across languages and toolchains, lowering the bar to entry and making mass-adoption easier all around.

May comes from a software development and cyber security background, with an interest in how infrastructure and software supply chains can be made both simpler and more secure.