Container Native

  • OCI packaging standard instead of yet another package manager
  • Every "package" is just an OCI Layer
  • Easily lock any combination of build dependencies to sha256 hashes
  • Build your project Containerfile with any OCI compatible runtime you want
FROM stagex/pallet-gcc

COPY <<-EOF hello.c
  #include <stdio.h>
  int main() {
    printf("Hello, World!");
    return 0;
  }
EOF

RUN ["/usr/bin/gcc","hello.c"]

$ curl -s https://codeberg.org/stagex/stagex/raw/branch/main/packages/bootstrap/stage0/hex0-seed | hexdump

> 457f 464c 0101 0301 0000 0000 0000 0000
  0002 0003 0001 0000 804c 0804 002c 0000
  0000 0000 0000 0000 0034 0020 0001 0000
  0000 0000 8000 0804 8000 0804 00b5 0000
  00b5 0000 0001 0000 0001 0000 5b58 315b
  6ac9 5805 cd99 5b80 6650 41b9 6602 c0ba
  6a01 5805 80cd 4299 3197 89ed 4ed6 895b
  6ae1 5803 80cd 8553 75c0 4005 db31 80cd
  018a 0a3c e574 f685 e475 233c df74 3b3c
  db74 302c 0a2c 0872 072c df24 073c ce73
  e5c1 0404 010a f7c5 7cdf 89c3 8929 b0fb
  cd04 eb80 00b4

Full Source Bootstrapped

  • Built from -zero- so we are not inheriting trust from third party binaries
  • stage0: < 190 byte x86 assembly seed is reproduced on multiple distros
  • stage1: seed builds up to a tiny c compiler, and ultimately x86 gcc
  • stage2: x86 gcc bootstraps target architecture cross toolchains
  • stage3: cross toolchains build minimal native toolchain
  • stagex: bootstrap native/cross toolchains for every major programming language

Reproducible

  • Accountability to protect against any compromised or malicious maintainer
  • Build this repository and get the same hashes we do for every package
  • Be able to build this release at any point in the future
  • Zero non-reproducible third party binaries (like most alternatives)
  • Built for package locking so you can reproduce your own softWare easily
$ make
$ git diff digests/*.txt
$ gpg --recv-keys \
E106781E007AB91C989DB33244A86CFF1FDF0E85 \
67553FBDA46BB71ABD2E0B0B8E47A1EC35A1551D \
9EE89EDEA66373DF465A4A09E1F4160251DB4C2E \
88823A75ECAA786B0FF38B148E401478A3FBEF72

$ find \
    sig*/**/*stage3*43f0f*/* \
    -exec gpg -qd {} 2>&1 ; \
  | grep Good \
  | cut -d\  -f5-

>"Ryan Heywood <ryan@distrust.co>" [ultimate]
 "Daniel Grove <danny@drgrovellc.com>" [ultimate]
 "Lance Vick <lance@distrust.co>" [ultimate]
 "Anton Livaja <anton@distrust.co>" [ultimate]

Multi-Signed

  • Every commit is signed by the author
  • Every merge is signed by the reviewer
  • Every artifact is signed by multiple maintainers
  • Sign with well known hardware backed PGP keys
  • Sign with OCI container signing standard
  • Native multisig validation in containerd

Free and Open Source Software

  • Unlike paid corporate options, this is free forever.
  • We will never charge you for images or code
  • Get free help from the community at any time
  • ISC Licensed: Do whatever you want (but please consider crediting us!)
Open Source Initiative Logo

Funding

Donate to our collective instead of forced subscriptions. Take the Open Source Pledge with tax deductable donation. We offer priority support to paying sponsors

Donate