For anyone that wants dead simple LFS style, full source bootstrapped, deterministic, multi-party compiled/signed container native images with hash pinning for your entire dependency graph, that will be free forever, check out stagex.

None of the alternatives come anywhere close to what we needed to satisfy a threat model that trusts no single maintainer or computer, so we started over from actually zero.

https://stagex.tools

▲

chuckadams 4 days ago | parent [-]

I checked out stagex and hit `make`, and after the delightful initial bootstrap phase, I sat for hours watching eleventy thousand attempts to download gnulib (and many other gnu packages) time out and fail. Is there perhaps a tarball or other image available that collects all these packages together? Seems it would only add up to as much as the source packages of a small Linux distribution.

I've also noticed it's downloading many different versions of the same set of packages, which seems odd for bootstrapping a build. I finally lost patience and stopped it. Sure, in the real world I'll probably start from a stage3 container, but so far, trying it out for myself has been pretty disappointing.

	▲	lrvick 4 days ago \| parent [-]
		If we put out our own tar of all the sources, who is to say we did not tamper with them? This is a bit of a lose/lose but we have a solution we are working on with other distros to have a shared repository for all these, often legacy, sources and a universal swhid identifier for each one we can pin in stagex so they are highly tamper evident. For shorter term we are starting to archive at archive.org and CERN and hope to have the fetch script be able to fail over to those soon. The GNU servers are the worst, and unreliable for hours at a time, and have lots of rate limiting. At the moment collecting all the sources directly from upstreams, while great for trust building, is the biggest pain point. Sorry about that! For the super short term join #stagex:matrix.org and anyone would be happy to wormhole you their "fetch" directory.