Alfred Linux - AI-Native OS

Alfred Linux

AI-Native Operating System — Kernel 7.0 · 32 Security Modules · Zero Telemetry

Alfred Linux is a Debian-based operating system where security, privacy, and AI are architectural decisions — not aftermarket add-ons. Custom-compiled kernel 7.0, 32 hardened security modules active from first boot, AI IDE and voice assistant preinstalled, zero telemetry by architecture.

Built by GoSiteMe Inc. — not a weekend fork, not a reskin with a wallpaper change.

Build History

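| Build | Version | Base | Kernel | Status | ISO Size |
|-------|---------|------|--------|--------|----------|
| RC1 | 2.0 | Bookworm | 6.1.0-44 | Built | 2.4 GB |
| RC2 | 2.0 | Bookworm | 6.1.0-44 | Built | 2.4 GB |
| RC3 | 2.0 | Bookworm | 6.1.0-44 | Bootable | 2.5 GB |
| RC4 | 3.0 | Trixie | 6.12 | Built | 2.4 GB |
| RC5 | 3.0 | Trixie | 6.12 | Built | 2.4 GB |
| RC6 | 4.0 | Trixie | 6.12 | Built | 2.4 GB |
| RC7 | 4.0 | Trixie | 7.0.0-rc7 | Kernel 7 | 2.3 GB |
| RC8 | 4.0 | Trixie | 7.0.0-rc7 | Current | 2.4 GB |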

10 ISOs built. 3 kernel generations. Bookworm → Trixie rebase. First distro to ship kernel 7.0.

What Ships in the ISO

Component What it is Hook code
Kernel 7.0.0-rc7-alfred Custom-compiled from Linus Torvalds' mainline tree
32 Security Modules AppArmor, auditd, fail2ban, ClamAV, rkhunter, chkrootkit, AIDE, nftables, LUKS2, MAC randomization, CIS L2 sysctl 888 lines across 3 hooks
Alfred IDE code-server + Commander extension (AI chat, voice, 500+ MCP tools) 94 lines
Alfred Voice Kokoro TTS engine + wake word (fully offline, no cloud) 128 lines
Alfred Search Meilisearch instant search (offline, local indexes) 131 lines
Alfred Browser Privacy-first Chromium fork 91 lines
Calamares Installer Graphical installer with FDE checkbox 344 lines
XFCE Desktop Lightweight, custom-branded desktop environment 476 lines
Post-quantum crypto Kyber-1024 (ML-KEM-1024) ready included in security hook
Zero telemetry No telemetry code exists — not disabled, never written

Repository Structure

alfred-linux/
├── README.md
├── scripts/
│   ├── build-unified.sh          # 375 lines — main build orchestrator
│   └── build.sh                  # simplified build entry point
├── config/
│   ├── hooks/live/
│   │   ├── 0100-alfred-customize.hook.chroot       # 476 lines — branding, desktop, Plymouth, GRUB
│   │   ├── 0160-alfred-security.hook.chroot         # 570 lines — 32 security modules
│   │   ├── 0165-alfred-network-hardening.hook.chroot # 193 lines — nftables, sysctl, MAC randomization
│   │   ├── 0170-alfred-fde.hook.chroot              # 125 lines — full disk encryption (LUKS2)
│   │   ├── 0200-alfred-browser.hook.chroot          # 91 lines — Alfred Browser install
│   │   ├── 0300-alfred-ide.hook.chroot              # 94 lines — code-server + Commander extension
│   │   ├── 0400-alfred-voice.hook.chroot            # 128 lines — Kokoro TTS + PyTorch
│   │   ├── 0500-alfred-search.hook.chroot           # 131 lines — Meilisearch engine
│   │   └── 0600-alfred-installer.hook.chroot        # 344 lines — Calamares graphical installer
│   └── package-lists/
│       ├── alfred.list.chroot        # core packages
│       └── alfred-b2.list.chroot     # extended packages
└── docs/
    ├── ARM64_BUILD_INVESTIGATION.md  # ARM64/Raspberry Pi port research
    └── KERNEL_UPGRADE_ROADMAP.md     # kernel upgrade planning

Total: 2,527 lines of build code across 10 hooks + build scripts.

This is not a config tweak. This is a build system.

How the Build Works

# Requires: Debian 12+ host, live-build, root/sudo
cd scripts/
sudo ./build-unified.sh

build-unified.sh is the orchestrator. It:

  1. Configures live-build for Debian Trixie (13) with XFCE
  2. Drops all 10 hooks into the chroot build pipeline
  3. Each hook runs in order (0100 → 0600) inside the chroot
  4. Hooks install packages, write configs, enable services, apply hardening
  5. Two kernel-naming hooks (9999) fix the UEFI/BIOS boot path
  6. live-build produces the hybrid ISO (UEFI + BIOS bootable)

The Critical Boot Fix (RC2→RC3)

The bootloader references /live/vmlinuz, but live-build only creates versioned files (e.g. vmlinuz-6.1.0-44-amd64). Two hooks fix this:

  • Chroot hook (9999): Creates generic kernel copies in /boot/
  • Binary hook (9999): Creates generic copies in binary/live/ after lb copies versioned files

Without both, the ISO boots to a kernel panic. This is the kind of real-world debugging that separates build systems from config generators.
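
What the two 9999 hooks have to accomplish, as an added sketch that is not the project's hook code: the function below gives the versioned kernel in a directory its generic name and refuses to guess when zero or several kernels are present. The function name, the initrd handling and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not taken from the Alfred Linux repository.
# link_generic_kernel DIR: copy the single versioned kernel (and its
# initrd, if present) in DIR to the generic names the bootloader expects.
# Returns 0 on success, 1 if DIR has no vmlinuz-*, 2 if it has several.
link_generic_kernel() {
    dir=$1
    count=0
    kernel=
    for f in "$dir"/vmlinuz-*; do
        [ -f "$f" ] || continue      # an unmatched glob stays literal
        kernel=$f
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        echo "no versioned kernel in $dir" >&2
        return 1
    fi
    if [ "$count" -gt 1 ]; then
        echo "$count kernels in $dir, refusing to pick one" >&2
        return 2
    fi
    version=${kernel##*/vmlinuz-}
    cp -f "$kernel" "$dir/vmlinuz"
    # initrd.img-<version> is the Debian naming convention; assumed here.
    if [ -f "$dir/initrd.img-$version" ]; then
        cp -f "$dir/initrd.img-$version" "$dir/initrd.img"
    fi
    return 0
}

# Usage (assumed paths): chroot hook  -> link_generic_kernel /boot
#                        binary hook  -> link_generic_kernel binary/live
```

Failing the build on an ambiguous or missing kernel surfaces the problem at build time instead of as a kernel panic on first boot.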

Security Architecture (570 lines, hook 0160)

The security hook alone is 570 lines. It doesn't just install packages — it installs and configures 32 modules:

  • Mandatory Access Control: AppArmor enforced, custom profiles loaded
  • Intrusion Detection: fail2ban with SSH/HTTP jails, auditd with CIS-aligned rules
  • File Integrity: AIDE baseline database initialized at build time
  • Antivirus: ClamAV with freshclam cron, rkhunter, chkrootkit
  • Firewall: nftables with drop-by-default policy (not UFW — raw nftables)
  • Encryption: LUKS2 full disk encryption via Calamares option
  • Network: MAC address randomization (WiFi + Ethernet), DNS-over-TLS, sysctl hardening
  • Kernel: 24 CPU mitigations including 3 kernel-7-exclusive (ITS, TSA, VMSCAPE)
  • Sysctl: CIS Level 2 hardening — ICMP redirects disabled, SYN cookies enabled, IP forwarding off, core dumps disabled

For comparison: Ubuntu ships with UFW installed but off. Fedora ships with SELinux that users routinely disable. Arch ships with nothing.
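
A check for the four sysctl outcomes named in the list above, as an added example rather than the project's alfred-security-status tool: it reads `sysctl -a`-style text and reports keys that are missing or differ from the hardened value. The mapping from the page's claims to kernel keys and the function names are assumptions; the sample input is constructed.

```shell
#!/bin/sh
# Added example, not from the Alfred Linux hooks. Assumed mapping of the
# page's claims to kernel keys:
#   ICMP redirects disabled -> net.ipv4.conf.all.accept_redirects = 0
#   SYN cookies enabled     -> net.ipv4.tcp_syncookies = 1
#   IP forwarding off       -> net.ipv4.ip_forward = 0
#   core dumps disabled     -> fs.suid_dumpable = 0
EXPECTED='net.ipv4.conf.all.accept_redirects=0
net.ipv4.tcp_syncookies=1
net.ipv4.ip_forward=0
fs.suid_dumpable=0'

# audit_sysctl FILE: FILE holds "key = value" lines as printed by sysctl -a.
# Prints one line per deviation and returns the number of deviations.
audit_sysctl() {
    file=$1
    bad=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        # Exact key match, blanks around "=" stripped; the last match wins.
        got=$(awk -F'=' -v k="$key" '
            { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2) }
            $1 == k { v = $2; seen = 1 }
            END { if (seen) print v; else print "MISSING" }' "$file")
        if [ "$got" != "$want" ]; then
            echo "DEVIATION $key: want $want, got $got"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample: forwarding left on, fs.suid_dumpable absent.
sample_sysctl() {
    cat <<'EOF'
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 1
EOF
}

# On a booted system: sysctl -a 2>/dev/null > /tmp/s.txt && audit_sysctl /tmp/s.txt
```

A missing key is reported as a deviation rather than skipped, so a kernel or container that does not expose a setting cannot pass silently.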

Build Server

ISOs are built on a dedicated EU build server:

  • 8 cores, 32 GB RAM
  • Debian Bookworm host (migrating to Trixie)
  • Isolated build environment (clean chroot each run)

Verification

# Download
wget https://alfredlinux.com/downloads/alfred-linux-4.0-rc8-amd64.iso

# Compute the SHA-256 hash and compare it with the project's published value
sha256sum alfred-linux-4.0-rc8-amd64.iso

# Boot in QEMU (no install required)
qemu-system-x86_64 -m 4096 -cdrom alfred-linux-4.0-rc8-amd64.iso -boot d

# Once booted, verify:
uname -r                    # → 7.0.0-rc7-alfred
alfred-security-status      # → 32 modules active
alfred-network-status       # → nftables + MAC randomization
systemctl status fail2ban   # → active (running)
systemctl status apparmor   # → active (running)

Progress — Turning Weaknesses Into Wins

| What We Admitted | What We Shipped |
|------------------|-----------------|
| No community infrastructure | Community hub with contribution workflows, all 8 repos public on GoForge |
| No hardware testing matrix | Hardware Compatibility List — VMs, bare metal, mobile, known limitations |
| No LTS cadence | Roadmap with timeline, GA goals, and LTS planning tracked in GoForge issues |
| Not on DistroWatch | Submitted — waiting list |
| No contribution guide | CONTRIBUTING.md — bug reports, code workflow, hardware test submissions, security reporting |

We'd rather ship 32 hardened security modules with zero community than ship zero security modules with a million users.

License

AGPL-3.0