README: Split containerized into OCI support and package strategy

README.md

@@ -178,30 +178,51 @@ seminal paper by Ken Thomson, [Reflections on Trusting Trust](https://www.cs.cmu
 
 A comparison of `stagex` to other distros in some of the areas we care about:
 
-| Distro | Containerized | Signatures | Libc  | Bootstrapped | Reproducible | Rust Deps |
-|--------|---------------|------------|-------|--------------|--------------|-----------|
-| Stagex | Native        | 2+ Human   | Musl  | Yes          | Yes          | 4         |
-| Guix   | No            | 1 Human    | Glibc | Yes          | Yes          | 4         |
-| Nix    | No            | 1 Bot      | Glibc | Partial      | Mostly       | 4         |
-| Debian | Adapted       | 1 Human    | Glibc | No           | Partial      | 232       |
-| Arch   | Adapted       | 1 Human    | Glibc | No           | Partial      | 262       |
-| Fedora | Adapted       | 1 Bot      | Glibc | No           | No           | 166       |
-| Alpine | Adapted       | None       | Musl  | No           | No           | 32        |
+| Distro | OCI Support | Package Strategy | Signatures | Libc  | Bootstrapped | Reproducible  | Rust Deps |
+|--------|-------------|------------------|------------|-------|--------------|---------------|-----------|
+| Stagex | Native      | External         | 2+ Human   | Musl  | Yes          | Yes           | 9         |
+| Guix   | Exported    | External         | 1 Human    | Glibc | Yes          | Partial (90%) | 4 (Unconfirmed) |
+| Nix    | Exported    | External         | 1 Bot      | Glibc | Partial      | Partial (95%) | 25        |
+| Debian | Published   | Inline           | 1 Human    | Glibc | No           | Partial (96%) | 231       |
+| Arch   | Published   | Inline           | 1 Human    | Glibc | No           | Partial (90%) | 127       |
+| Fedora | Published   | Inline           | 1 Bot      | Glibc | No           | No            | 167       |
+| Alpine | Published   | Inline           | None       | Musl  | No           | No            | 41        |
 
 ### Notes
 
-- “Bootstrapped”: Can the entire distro be full-source-bootstrapped from Stage0
-- “Reproducible”: Is the entire distro reproducible bit-for-bit identically
-- “Rust Deps”: the number of total dependencies installed to use rustc
+- "OCI Support": Whether a distro is natively based around the composability
+  and layering of Containerfiles ("native"), can be used to create an OCI
+  or Docker container from its own package manager ("exported"), or has images
+  published that can be used as the base for a Containerfile ("published").
+- "Package Strategy": Whether a distro separates the installation of software
+  packages from the context assigned to building them
+    - In StageX, Guix, and Nix, package management is declarative, and can be
+      performed without a package manager in an execution context.
+    - In Debian, Arch, Fedora, and Alpine, package managers are invokable
+      command-line tools, with no native declarative management system.
+- "Bootstrapped": Can the entire distro be full-source-bootstrapped from Stage0
+- "Reproducible": Is the entire distro reproducible bit-for-bit identically
+    - Statistics have been pulled from https://reproducible-builds.org/citests/
+    - The statistic we care about the most is the distribution as a whole,
+      meaning a combination of "core" packages as well as "extra" or
+      "community". Multiple architectures, however, are not yet considered.
+    - Fedora and Alpine were previously listed on the Reproducible Builds site,
+      but their entries have not been maintained, and as such are marked not
+      reproducible.
+    - Arch Linux is currently out of date; as such, metrics have been pulled
+      from their own site: https://reproducible.archlinux.org/
+- "Rust Deps": the number of total dependencies installed to use rustc
     - Rust is a worst case example for compiler deps and build complexity
         - It is kind of a nightmare most distros skip
         - See: [Guix documenting their process](https://guix.gnu.org/en/blog/2018/bootstrapping-rust/) (similar to ours)
-    - Nix, guix, and our distro get away with only 4 deps because:
-        - Rustc -does- need ~20 dependencies to build
-        - The final resulting rust builds can run standalone
-        - We only actually need musl libc, llvm, and gcc to build most projects
+    - Nix, guix, and our distro get away with small dependency counts because:
+        - Rustc _does_ need ~20 dependencies to build
+        - These distributions can reduce initial package constraints to only a
+          package manager and the required utilities
+    - The numbers listed here were generated by installing Cargo on a Docker
+      Hub container of the distro in question, via the "rust-deps" scripts.
 
-### Signatures
+## Signatures
 
 * Signatures are made by the PGP public keys in the "keys" directory
 * Signatures are made by any tool that implements "[Container Signature Format](https://github.com/containers/image/blob/main/docs/containers-signature.5.md)"

src/rust-deps-stats/Containerfile

@@ -0,0 +1,35 @@
+# NOTE: This script does not make use of heredocs to ensure it can be run on
+# as many systems as possible. This is in contrast to the StageX project, which
+# requires containerd and Docker 26+
+
+FROM debian:bookworm-slim AS debian-results
+RUN apt-get update && \
+	apt-get install -y cargo rustc && \
+	printf "DEPS (Debian): %s\n" $(dpkg --get-selections | wc -l) > /results.txt
+
+FROM archlinux:base AS archlinux-results
+RUN pacman -Syu --noconfirm rust && \
+	printf "DEPS (Arch Linux): %s\n" $(pacman -Q | wc -l) > /results.txt
+
+FROM fedora:40 AS fedora-results
+# Yum prints a header, even when called with --quiet
+RUN yum install -y cargo && \
+	printf "DEPS (Fedora): %s\n" $(yum list installed | tail -n +2 | wc -l) > /results.txt
+
+FROM alpine:3 AS alpine-results
+RUN apk add cargo && \
+	printf "DEPS (Alpine): %s\n" $(apk list --installed --quiet | wc -l) > /results.txt
+
+# NOTE: Nix does not specify a generic 2 or 2.24, meaning it may become
+# out-of-date and result in errors.
+FROM nixos/nix:2.24.7 AS nix-results
+RUN get_deps='nix-store -q --requisites $(dirname $(dirname $(which cargo)))' && \
+	printf "DEPS (Nix) %s\n" $(nix-shell -p cargo --run "$get_deps" | wc -l) > /results.txt
+
+FROM debian:bookworm-slim AS results
+COPY --from=debian-results /results.txt /results-debian.txt
+COPY --from=archlinux-results /results.txt /results-archlinux.txt
+COPY --from=fedora-results /results.txt /results-fedora.txt
+COPY --from=alpine-results /results.txt /results-alpine.txt
+COPY --from=nix-results /results.txt /results-nix.txt
+RUN cat /results-*.txt | tee /results-total.txt

src/rust-deps-stats/rust-deps.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -eu
+
+SCRIPTDIR="$(cd "$(dirname $0)"; pwd)"
+
+docker build -t stagex-comparison-results -f "$SCRIPTDIR/Containerfile" "$SCRIPTDIR"
+docker run --rm stagex-comparison-results cat /results-total.txt