sixos: a nix os without systemd (38c3)

Chaos Computer Club - recent audio-only feed

Indhold leveret af CCC media team. Alt podcastindhold inklusive episoder, grafik og podcastbeskrivelser uploades og leveres direkte af CCC media team eller deres podcastplatformspartner. Hvis du mener, at nogen bruger dit ophavsretligt beskyttede værk uden din tilladelse, kan du følge processen beskrevet her https://da.player.fm/legal.

12M ago 56:05

MP3•Episode hjem

This talk announces the first public release of sixos, a two year project to create a nixpkgs-based operating system using skarnet's s6 supervisor instead of systemd. The monolithic design of `systemd` is inconsistent with the UNIX userspace philosophy. Its our-way-or-fork-off policy attracts influence-seekers, and thereby encourages *platform decay* within the free software ecosystem. Systemd's failure to provide Linux-grade ABI stability („we don't break userspace“) creates a large and tempting attack surface for *enshittification*. This talk announces the first public release of [sixos](https://codeberg.org/amjoseph/sixos), a two year project to create a nixpkgs-based operating system using [skarnet](https://skarnet.org/software/)'s [`s6`](https://skarnet.org/software/s6/) instead of `systemd`. Sixos replaces NixOS modules with the simpler [`infuse`](https://codeberg.org/amjoseph/infuse.nix) combinator. This allows sixos to treat services the same way nixpkgs handles packages: - A service (`svcs/by-name/.../service.nix`) in sixos is a Nix expression, just like an uninstantiated package (`pkgs/by-name/.../package.nix`) in nixpkgs. - A sixos target is a derivation, just like an instantiated package in nixpkgs. - The sixos target set (`targets`) is a scoped fixpoint, just like the nixpkgs instantiated-package set (`pkgs`). - The `override`, `callPackage`, and `overrideAttrs` tools work on targets and services, just like they do on instantiated and uninstantiated packages. Whenever possible, sixos retains good ideas pioneered by NixOS, like atomically-activated immutable configurations and the layout of `/run`. Sixos is not a fork of NixOS. It shares no code with `nixpkgs/nixos`, nor is any part of it derived from NixOS. Sixos and NixOS both depend on `nixpkgs/pkgs`. On [ownerboot](https://codeberg.org/amjoseph/ownerboot) hardware all [mutable firmware](https://codeberg.org/amjoseph/ownerboot/src/branch/master/doc/owner-controlled.md#clarifications) -- all the way back to the reset vector -- is versioned, managed, and built as part of the sixos configuration. This *eliminates the artificial distinction between firmware software and non-firmware software*. On NixOS, either the initrd „secrets“ or the software that decrypts them ([ESP](https://en.wikipedia.org/wiki/EFI_system_partition), [initrd ssh keys](https://github.com/NixOS/nixpkgs/blob/6b88838224de5b86f449e9d01755eae4efe4a1e4/nixos/modules/system/boot/initrd-ssh.nix#L73-L76)) is stored unencrypted on writable media. Ownerbooted sixos closes this loophole without any „trusted computing“ voodoo, eliminating all unencrypted storage except for an eeprom whose hardware write-protect pin is connected to ground. The speaker runs ownerbooted sixos on his workstations, servers, twelve routers, stockpile of disposable laptops, and on his company's 24-server/768-core buildfarm. So far all of his attempts to run sixos on his snowboard have failed. Licensed to the public under http://creativecommons.org/licenses/by/4.0 about this event: https://events.ccc.de/congress/2024/hub/event/sixos-a-nix-os-without-systemd/

2413 episoder

#CCC media team #Ccc Congress Hacking Security Netzpolitik #Sicherheit #Technologie #Software-Entwicklung