QotNews
Hacker News, Reddit, Lobsters, and Tildes articles rendered in reader mode.

A Linux distribution designed to eliminate single points of failure

Source: stagex.tools
21 points by deejayy a day ago on lobsters | 12 comments

HOW IT COMPARES

How StageX compares

StageX Guix Debian Arch Nix Yocto Buildroot Chimera Alpine Fedora
Trust model Decentralized: No single system or individual is trusted
Centralized: One single system or individual is trusted
Distributed: All members of a system or organization are trusted 		Decentralized Distributed Distributed Distributed Centralized Centralized Centralized Centralized Centralized Centralized
OCI OCI (Open Container Initiative) defines standard formats and runtimes for containers.

Native: OCI layers serve as the native package management system
Exported: Can export OCI images from a non-OCI build system
Published: Provides officially published OCI images

Native Exported Published Published Exported Exported Exported Published Published Published
Language Domain‑specific language used for package build definitions. Containerfile Custom Custom Shell Custom Custom Makefile Python Shell Custom
Bootstrapped Can the entire distro be full-source bootsrapped from Stage0? Yes Yes No No Partial No No No No No
Reproducible Is the entire distro reproducible bit-for-bit identically? Yes Mostly Mostly Mostly Mostly No No No No No
Toolchain base LLVM GNU GNU GNU GNU GNU GNU LLVM GNU GNU
C standard library musl glibc glibc glibc glibc glibc glibc musl musl glibc
Memory allocator mallocng glibc glibc glibc glibc glibc glibc mimalloc mallocng glibc
StageX Guix Debian Arch Nix Yocto Buildroot Chimera Alpine Fedora
Trust model Decentralized: No single system or individual is trusted
Centralized: One single system or individual is trusted
Distributed: All members of a system or organization are trusted 		Decentralized Distributed Distributed Distributed Centralized Centralized Centralized Centralized Centralized Centralized
OCI OCI (Open Container Initiative) defines standard formats and runtimes for containers.

Native: OCI layers serve as the native package management system
Exported: Can export OCI images from a non-OCI build system
Published: Provides officially published OCI images

Native Exported Published Published Exported Exported Exported Published Published Published
Language Domain‑specific language used for package build definitions. Containerfile Custom Custom Shell Custom Custom Makefile Python Shell Custom
Bootstrapped Can the entire distro be full-source bootsrapped from Stage0? Yes Yes No No Partial No No No No No
Reproducible Is the entire distro reproducible bit-for-bit identically? Yes Mostly Mostly Mostly Mostly No No No No No
Toolchain base LLVM GNU GNU GNU GNU GNU GNU LLVM GNU GNU
C standard library musl glibc glibc glibc glibc glibc glibc musl musl glibc
Memory allocator mallocng glibc glibc glibc glibc glibc glibc mimalloc mallocng glibc

Features

Built for verifiable infrastructure

$ curl -s https://codeberg.org/stagex/stagex/raw/branch/main/packages/bootstrap/stage0/hex0-seed | hexdump

> 457f 464c 0101 0301 0000 0000 0000 0000
  0002 0003 0001 0000 804c 0804 002c 0000
  0000 0000 0000 0000 0034 0020 0001 0000
  0000 0000 8000 0804 8000 0804 00b5 0000
  00b5 0000 0001 0000 0001 0000 5b58 315b
  6ac9 5805 cd99 5b80 6650 41b9 6602 c0ba
  6a01 5805 80cd 4299 3197 89ed 4ed6 895b
  6ae1 5803 80cd 8553 75c0 4005 db31 80cd
  018a 0a3c e574 f685 e475 233c df74 3b3c
  db74 302c 0a2c 0872 072c df24 073c ce73
  e5c1 0404 010a f7c5 7cdf 89c3 8929 b0fb
  cd04 eb80 00b4

Full-source bootstrapped

StageX is bootstrapped entirely from source, so nothing depends on unverified binaries. Only fully bootstrappable software, including programming languages, is allowed.

  • A <190-byte x86 assembly seed reproduced across multiple distros.
  • The seed builds up to a tiny C compiler and ultimately x86 GCC.
  • x86 GCC bootstraps cross-toolchains for target architectures.
  • Cross-toolchains build a minimal native toolchain.
  • Bootstrap native / cross toolchains for every major programming language.

Reproducible

Every build in StageX can be verified. If the hashes differ, something changed, and you'll know.

  • Build this repository and get the same hashes we do for every package.
  • Rebuild any release at any time and get identical results.
  • Protect against compromised or malicious maintainers.
  • Zero non-reproducible third-party binaries.
  • Package locking for effortless reproducibility in your own projects.
$ make
$ git diff digests/*.txt
$ gpg --recv-keys \
E106781E007AB91C989DB33244A86CFF1FDF0E85 \
67553FBDA46BB71ABD2E0B0B8E47A1EC35A1551D \
9EE89EDEA66373DF465A4A09E1F4160251DB4C2E \
88823A75ECAA786B0FF38B148E401478A3FBEF72

$ find \
    sig*/**/*stage3*43f0f*/* \
    -exec gpg -qd {} 2>&1 ; \
  | grep Good \
  | cut -d\  -f5-

>"Ryan Heywood <ryan@distrust.co>" [ultimate]
 "Daniel Grove <danny@drgrovellc.com>" [ultimate]
 "Lance Vick <lance@distrust.co>" [ultimate]
 "Anton Livaja <anton@distrust.co>" [ultimate]

Multi-signed

Distributed trust, cryptographically enforced. Every change and artifact in StageX is independently attested.

  • Every commit is signed by its author.
  • Every merge is signed by a reviewer.
  • Every artifact is signed by multiple maintainers.
  • All signatures use hardware-backed PGP keys.
  • Signatures follow the OCI container-signing standard.
  • Native multi-sig validation in containerd.

Container-native

Built on Open Container Initiative (OCI) standards for seamless integration with your existing workflows.

  • StageX uses the OCI packaging standard instead of yet another custom manager.
  • Every "package" is an OCI layer.
  • Easily lock any combination of build dependencies to SHA-256 hashes.
  • Build your project's Containerfile with any OCI-compatible runtime you prefer.
FROM stagex/pallet-gcc

COPY <<-EOF hello.c
  #include <stdio.h>
  int main() {
    printf("Hello, World!");
    return 0;
  }
EOF

RUN ["/usr/bin/gcc","hello.c"]

FREE FOREVER

Unlike paid corporate options, StageX is open source forever. Every build and line of code is public, reproducible, and licensed under ISC. Credit is appreciated.

Use, modify, share

Fully auditable

Community support

ISC Licensed