ryan-distrust.co/stagex
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

README: Split containerized into OCI support and package strategy

Browse source
This commit is contained in:
ryan 2024-09-24 02:09:21 -04:00
parent 845b74873e
commit b064b12625
No known key found for this signature in database
GPG key ID: 8E401478A3FBEF72
1 changed files with 23 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

36
README.md
View file

@ -178,20 +178,30 @@ seminal paper by Ken Thomson, [Reflections on Trusting Trust](https://www.cs.cmu
A comparison of `stagex` to other distros in some of the areas we care about:
| Distro | Containerized | Signatures | Libc | Bootstrapped | Reproducible | Rust Deps |
|--------|---------------|------------|-------|--------------|---------------|-----------|
| Stagex | Native | 2+ Human | Musl | Yes | Yes | 9 |
| Guix | No | 1 Human | Glibc | Yes | Partial (90%) | 4 (Unconfirmed) |
| Nix | No | 1 Bot | Glibc | Partial | Partial (95%) | 25 |
| Debian | Adapted | 1 Human | Glibc | No | Partial (96%) | 231 |
| Arch | Adapted | 1 Human | Glibc | No | Partial (90%) | 127 |
| Fedora | Adapted | 1 Bot | Glibc | No | No | 167 |
| Alpine | Adapted | None | Musl | No | No | 41 |
| Distro | OCI Support | Package Strategy | Signatures | Libc | Bootstrapped | Reproducible | Rust Deps |
|--------|-------------|------------------|------------|-------|--------------|---------------|-----------|
| Stagex | Native | External | 2+ Human | Musl | Yes | Yes | 9 |
| Guix | Exported | External | 1 Human | Glibc | Yes | Partial (90%) | 4 (Unconfirmed) |
| Nix | Exported | External | 1 Bot | Glibc | Partial | Partial (95%) | 25 |
| Debian | Published | Inline | 1 Human | Glibc | No | Partial (96%) | 231 |
| Arch | Published | Inline | 1 Human | Glibc | No | Partial (90%) | 127 |
| Fedora | Published | Inline | 1 Bot | Glibc | No | No | 167 |
| Alpine | Published | Inline | None | Musl | No | No | 41 |
### Notes
- “Bootstrapped”: Can the entire distro be full-source-bootstrapped from Stage0
- “Reproducible”: Is the entire distro reproducible bit-for-bit identically
- "OCI Support": Whether a distro is natively based around the composability
and layering of Containerfiles ("native"), can be used to create an OCI
or Docker container from its own package manager ("exported"), or has images
published that can be used as the base for a Containerfile ("published").
- "Package Strategy": Whether a distro separates the installation of software
packages from the context assigned to building them
- In StageX, Guix, and Nix, package management is declarative, and can be
performed without a package manager in an execution context.
- In Debian, Arch, Fedora, and Alpine, package managers are invokable
command-line tools, with no native declarative management system.
- "Bootstrapped": Can the entire distro be full-source-bootstrapped from Stage0
- "Reproducible": Is the entire distro reproducible bit-for-bit identically
- Statistics have been pulled from https://reproducible-builds.org/citests/
- The statistic we care about the most is the distribution as a whole,
meaning a combination of "core" packages as well as "extra" or
@ -201,7 +211,7 @@ A comparison of `stagex` to other distros in some of the areas we care about:
reproducible.
- Arch Linux is currently out of date; as such, metrics have been pulled
from their own site: https://reproducible.archlinux.org/
- “Rust Deps”: the number of total dependencies installed to use rustc
- "Rust Deps": the number of total dependencies installed to use rustc
- Rust is a worst case example for compiler deps and build complexity
- It is kind of a nightmare most distros skip
- See: [Guix documenting their process](https://guix.gnu.org/en/blog/2018/bootstrapping-rust/) (similar to ours)
@ -212,7 +222,7 @@ A comparison of `stagex` to other distros in some of the areas we care about:
- The numbers listed here were generated by installing Cargo on a Docker
Hub container of the distro in question, via the "rust-deps" scripts.
### Signatures
## Signatures
* Signatures are made by the PGP public keys in the "keys" directory
* Signatures are made by any tool that implements "[Container Signature Format](https://github.com/containers/image/blob/main/docs/containers-signature.5.md)"