See why organizations are switching to StageX
| | StageX | Guix | Debian | Arch | Nix | Yocto | Buildroot | Alpine | Fedora |
|---|---|---|---|---|---|---|---|---|---|
| Trust model | Decentralized | Distributed | Distributed | Distributed | Centralized | Centralized | Centralized | Centralized | Centralized |
| OCI | Native | Exported | Published | Published | Exported | Exported | Exported | Published | Published |
| Packaging | Declarative | Declarative | Imperative | Imperative | Declarative | None | None | Imperative | Imperative |
| Bootstrapped (can the entire distro be full-source bootstrapped from Stage0?) | Yes | Yes | No | No | Partial | No | No | No | No |
| Reproducible (is the entire distro reproducible bit-for-bit identically?) | Yes | Mostly | Mostly | Mostly | Mostly | No | No | No | No |

Legend:
- Trust model. Decentralized: no single system or individual is trusted. Distributed: all members of a system or organization are trusted. Centralized: one single system or individual is trusted.
- OCI. OCI (Open Container Initiative) defines standard formats and runtimes for containers. Native: OCI layers serve as the native package management system. Exported: can export OCI images from a non-OCI build system. Published: provides officially published OCI images.
- Packaging. Declarative: declares the exact dependency chain at usage time. Imperative: selects dependencies for you at build time. None: no packages; everything is built directly from source code.
Built for verifiable infrastructure
```text
$ curl -s https://codeberg.org/stagex/stagex/raw/branch/main/packages/bootstrap/stage0/hex0-seed | hexdump
> 457f 464c 0101 0301 0000 0000 0000 0000
  0002 0003 0001 0000 804c 0804 002c 0000
  0000 0000 0000 0000 0034 0020 0001 0000
  0000 0000 8000 0804 8000 0804 00b5 0000
  00b5 0000 0001 0000 0001 0000 5b58 315b
  6ac9 5805 cd99 5b80 6650 41b9 6602 c0ba
  6a01 5805 80cd 4299 3197 89ed 4ed6 895b
  6ae1 5803 80cd 8553 75c0 4005 db31 80cd
  018a 0a3c e574 f685 e475 233c df74 3b3c
  db74 302c 0a2c 0872 072c df24 073c ce73
  e5c1 0404 010a f7c5 7cdf 89c3 8929 b0fb
  cd04 eb80 00b4
```
Full-source bootstrapped
StageX is bootstrapped entirely from source, so nothing depends on unverified binaries. Only fully bootstrappable software, including programming languages, is allowed.
- A <190-byte x86 assembly seed reproduced across multiple distros.
- The seed builds up to a tiny C compiler and ultimately x86 GCC.
- x86 GCC bootstraps cross-toolchains for target architectures.
- Cross-toolchains build a minimal native toolchain.
- Bootstrap native / cross toolchains for every major programming language.
Reproducible
Every build in StageX can be verified. If the hashes differ, something changed, and you'll know.
- Build this repository and get the same hashes we do for every package.
- Rebuild any release at any time and get identical results.
- Protect against compromised or malicious maintainers.
- Zero non-reproducible third-party binaries.
- Package locking for effortless reproducibility in your own projects.
```shell
$ make
$ git diff digests/*.txt
```

```shell
$ gpg --recv-keys \
    E106781E007AB91C989DB33244A86CFF1FDF0E85 \
    67553FBDA46BB71ABD2E0B0B8E47A1EC35A1551D \
    9EE89EDEA66373DF465A4A09E1F4160251DB4C2E \
    88823A75ECAA786B0FF38B148E401478A3FBEF72
$ find \
    sig*/**/*stage3*43f0f*/* \
    -exec gpg -qd {} 2>&1 \; \
    | grep Good \
    | cut -d\  -f5-
> "Ryan Heywood <ryan@distrust.co>" [ultimate]
  "Daniel Grove <danny@drgrovellc.com>" [ultimate]
  "Lance Vick <lance@distrust.co>" [ultimate]
  "Anton Livaja <anton@distrust.co>" [ultimate]
```
Multi-signed
Distributed trust, cryptographically enforced. Every change and artifact in StageX is independently attested.
- Every commit is signed by its author.
- Every merge is signed by a reviewer.
- Every artifact is signed by multiple maintainers.
- All signatures use hardware-backed PGP keys.
- Signatures follow the OCI container-signing standard.
- Native multi-sig validation in containerd.
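The pipeline above greps for "Good signature" lines, which is fine at a terminal but not something a policy engine should depend on. The following is an added example (not StageX's own tooling) that enforces a k-of-n maintainer threshold on gpg's machine-readable `--status-fd` output instead: it keys on the primary-key fingerprint carried by `VALIDSIG`, collapses repeat signatures from the same maintainer, and fails closed on any bad, expired or revoked signature. The four fingerprints are the ones the page fetches with `gpg --recv-keys`; the status lines and the subkey fingerprint `1111…` are constructed sample data.

```python
"""Multi-signature threshold check over gpg's machine-readable status output."""
import re
from typing import Iterable, Optional, Set

# The four maintainer fingerprints the page fetches with `gpg --recv-keys`.
MAINTAINER_FPRS = {
    "E106781E007AB91C989DB33244A86CFF1FDF0E85",
    "67553FBDA46BB71ABD2E0B0B8E47A1EC35A1551D",
    "9EE89EDEA66373DF465A4A09E1F4160251DB4C2E",
    "88823A75ECAA786B0FF38B148E401478A3FBEF72",
}
# Any of these keywords means one signature did not verify cleanly: fail closed.
_FAILURE = re.compile(r"^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)\b")


def maintainer_signers(status_lines: Iterable[str]) -> Optional[Set[str]]:
    """Primary-key fingerprints of maintainers with a VALIDSIG, or None on any failure."""
    signers: Set[str] = set()
    for raw in status_lines:
        line = raw.strip()
        if _FAILURE.match(line):
            return None
        parts = line.split()
        if len(parts) < 11 or parts[:2] != ["[GNUPG:]", "VALIDSIG"]:
            continue
        # VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <rsv> <pkalgo> <hashalgo> <class> [<primary-fpr>]
        # A signing subkey acts for its primary key, so the primary fingerprint is the identity.
        primary = parts[11] if len(parts) > 11 else parts[2]
        if primary.upper() in MAINTAINER_FPRS:
            signers.add(primary.upper())
    return signers


def meets_threshold(status_lines: Iterable[str], threshold: int = 2) -> bool:
    """True only if at least `threshold` distinct maintainers signed and nothing failed."""
    signers = maintainer_signers(status_lines)
    return signers is not None and len(signers) >= threshold


# Constructed sample status lines: maintainer A signs twice (once via a constructed
# subkey 1111...), maintainer B signs once. Distinct maintainers must therefore be 2.
SAMPLE_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2024-01-01 1704067200 0 4 0 22 10 00 E106781E007AB91C989DB33244A86CFF1FDF0E85",
    "[GNUPG:] NEWSIG",
    "[GNUPG:] VALIDSIG 67553FBDA46BB71ABD2E0B0B8E47A1EC35A1551D 2024-01-01 1704067200 0 4 0 22 10 00 67553FBDA46BB71ABD2E0B0B8E47A1EC35A1551D",
    "[GNUPG:] NEWSIG",
    "[GNUPG:] VALIDSIG E106781E007AB91C989DB33244A86CFF1FDF0E85 2024-01-01 1704067200 0 4 0 22 10 00 E106781E007AB91C989DB33244A86CFF1FDF0E85",
]

if __name__ == "__main__":
    print("signers:", sorted(maintainer_signers(SAMPLE_STATUS) or []))
    print("2-of-4 satisfied:", meets_threshold(SAMPLE_STATUS))
```

In practice the status lines come from running `gpg --status-fd 1 --verify` over each signature file and concatenating the output.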
Container-native
Built on Open Container Initiative (OCI) standards for seamless integration with your existing workflows.
- StageX uses the OCI packaging standard instead of yet another custom manager.
- Every "package" is an OCI layer.
- Easily lock any combination of build dependencies to SHA-256 hashes.
- Build your project's Containerfile with any OCI-compatible runtime you prefer.
```dockerfile
FROM stagex/pallet-gcc
COPY <<-EOF hello.c
#include <stdio.h>
int main() {
    printf("Hello, World!");
    return 0;
}
EOF
RUN ["/usr/bin/gcc","hello.c"]
```
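The same build with the toolchain locked to an image digest, as an added example that is not from the StageX project: the `sha256:` value is a placeholder to replace with the digest you verified, and static linking assumes the pallet's libc supports it.

```dockerfile
# Pin the layer to a content digest so a tag moving underneath you cannot change the build.
# PLACEHOLDER_PALLET_GCC_DIGEST is not a real digest; use the one from your verified digests.
FROM stagex/pallet-gcc@sha256:PLACEHOLDER_PALLET_GCC_DIGEST AS build
COPY <<-EOF hello.c
#include <stdio.h>
int main(void) {
    printf("Hello, World!\n");
    return 0;
}
EOF
RUN ["/usr/bin/gcc", "-static", "-o", "/hello", "hello.c"]

# Ship only the artifact: an empty base keeps the toolchain out of the runtime image,
# so the final image's content is a function of the pinned digest and hello.c alone.
FROM scratch
COPY --from=build /hello /hello
ENTRYPOINT ["/hello"]
```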
Funded in the open
StageX is sustained by community contributions and open source sponsors. It runs on shared support from individuals and organizations, not subscriptions.