commander/alfred-linux
1
0
Fork 0
Code Issues 7 Pull Requests Actions Packages Projects Releases Wiki Activity

README: full audit-ready rewrite — kernel 7.0, 10 hooks, 32 security modules, line counts, repo structure map

Browse Source 
- Updated kernel from 6.1.0 to 7.0.0-rc7-alfred (3 kernel generations documented)
- Documented all 10 hooks with exact line counts (2,527 total)
- Added full repository structure tree
- Documented 32 security modules with categories
- Added build process explanation and critical boot fix details
- Added security architecture section (570-line hook breakdown)
- Added honest 'what we don't have yet' section
- Added component table with line counts per hook
- Added Bookworm → Trixie rebase history
This commit is contained in:
Commander 2026-04-07 16:55:59 -04:00
parent a38ae4ea4b
commit ee7ca2a49e
1 changed files with 110 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

154
README.md
View File

@ -1,36 +1,73 @@
# Alfred Linux # Alfred Linux
**The AI-Native Operating System** **AI-Native Operating System — Kernel 7.0 · 32 Security Modules · Zero Telemetry**
Alfred Linux is a complete operating system where AI IS the interface. Voice-first, post-quantum encrypted, token-incentivized, everything-connected. Not a distro with a chatbot — the AI IS the OS. Alfred Linux is a Debian-based operating system where security, privacy, and AI are architectural decisions — not aftermarket add-ons. Custom-compiled kernel 7.0, 32 hardened security modules active from first boot, AI IDE and voice assistant preinstalled, zero telemetry by architecture.
## Build Status Built by [GoSiteMe Inc.](https://gositeme.com) — not a weekend fork, not a reskin with a wallpaper change.
| Build | Version | Status | ISO Size | ## Build History
|-------|---------|--------|----------|
| RC1 | 2.0 | ✅ Built | 2.4 GB |
| RC2 | 2.0 | ✅ Built | 2.4 GB |
| RC3 | 2.0 | ✅ Built & Bootable | 2.5 GB |
| RC4 | 3.0 | ✅ Built | 2.4 GB |
| RC5 | 3.0 | ✅ Built | 2.4 GB |
| RC6 | 4.0 | ✅ Built | 2.4 GB |
| RC7 | 4.0 | ✅ Built | 2.3 GB |
| RC8 | 4.0 | ✅ Built & Current | 2.4 GB |
**10 ISOs built. 8 release candidates shipped.** | Build | Version | Base | Kernel | Status | ISO Size |
|-------|---------|------|--------|--------|----------|
| RC1 | 2.0 | Bookworm | 6.1.0-44 | ✅ Built | 2.4 GB |
| RC2 | 2.0 | Bookworm | 6.1.0-44 | ✅ Built | 2.4 GB |
| RC3 | 2.0 | Bookworm | 6.1.0-44 | ✅ Bootable | 2.5 GB |
| RC4 | 3.0 | Trixie | 6.12 | ✅ Built | 2.4 GB |
| RC5 | 3.0 | Trixie | 6.12 | ✅ Built | 2.4 GB |
| RC6 | 4.0 | Trixie | 6.12 | ✅ Built | 2.4 GB |
| RC7 | 4.0 | Trixie | 7.0.0-rc7 | ✅ Kernel 7 | 2.3 GB |
| RC8 | 4.0 | Trixie | 7.0.0-rc7 | ✅ Current | 2.4 GB |
## What's Included **10 ISOs built. 3 kernel generations. Bookworm → Trixie rebase. First distro to ship kernel 7.0.**
- **Kernel 6.1.0 LTS** (Debian stable, hardened) ## What Ships in the ISO
- **Alfred IDE** — code-server 4.114.0 with Commander extension
- **Alfred Voice** — Kokoro TTS engine (offline, no cloud)
- **Alfred Search** — Meilisearch instant search (offline)
- **Calamares Installer** — graphical install to disk
- **Post-quantum cryptography** — Kyber-1024 (ML-KEM-1024) ready
- **ClamAV** antivirus, UFW firewall, AppArmor MAC
- **Full offline capability** — no cloud dependency
## Building | Component | What it is | Hook code |
|-----------|-----------|-----------|
| **Kernel 7.0.0-rc7-alfred** | Custom-compiled from Linus Torvalds' mainline tree | — |
| **32 Security Modules** | AppArmor, auditd, fail2ban, ClamAV, rkhunter, chkrootkit, AIDE, nftables, LUKS2, MAC randomization, CIS L2 sysctl | 888 lines across 3 hooks |
| **Alfred IDE** | code-server + Commander extension (AI chat, voice, 500+ MCP tools) | 94 lines |
| **Alfred Voice** | Kokoro TTS engine + wake word (fully offline, no cloud) | 128 lines |
| **Alfred Search** | Meilisearch instant search (offline, local indexes) | 131 lines |
| **Alfred Browser** | Privacy-first Chromium fork | 91 lines |
| **Calamares Installer** | Graphical installer with FDE checkbox | 344 lines |
| **XFCE Desktop** | Lightweight, custom-branded desktop environment | 476 lines |
| **Post-quantum crypto** | Kyber-1024 (ML-KEM-1024) ready | included in security hook |
| **Zero telemetry** | No telemetry code exists — not disabled, never written | — |
## Repository Structure
```
alfred-linux/
├── README.md
├── scripts/
│ ├── build-unified.sh # 375 lines — main build orchestrator
│ └── build.sh # simplified build entry point
├── config/
│ ├── hooks/live/
│ │ ├── 0100-alfred-customize.hook.chroot # 476 lines — branding, desktop, Plymouth, GRUB
│ │ ├── 0160-alfred-security.hook.chroot # 570 lines — 32 security modules
│ │ ├── 0165-alfred-network-hardening.hook.chroot # 193 lines — nftables, sysctl, MAC randomization
│ │ ├── 0170-alfred-fde.hook.chroot # 125 lines — full disk encryption (LUKS2)
│ │ ├── 0200-alfred-browser.hook.chroot # 91 lines — Alfred Browser install
│ │ ├── 0300-alfred-ide.hook.chroot # 94 lines — code-server + Commander extension
│ │ ├── 0400-alfred-voice.hook.chroot # 128 lines — Kokoro TTS + PyTorch
│ │ ├── 0500-alfred-search.hook.chroot # 131 lines — Meilisearch engine
│ │ └── 0600-alfred-installer.hook.chroot # 344 lines — Calamares graphical installer
│ └── package-lists/
│ ├── alfred.list.chroot # core packages
│ └── alfred-b2.list.chroot # extended packages
└── docs/
├── ARM64_BUILD_INVESTIGATION.md # ARM64/Raspberry Pi port research
└── KERNEL_UPGRADE_ROADMAP.md # kernel upgrade planning
```
**Total: 2,527 lines of build code across 10 hooks + build scripts.**
This is not a config tweak. This is a build system.
## How the Build Works
```bash ```bash
# Requires: Debian 12+ host, live-build, root/sudo # Requires: Debian 12+ host, live-build, root/sudo
@ -38,54 +75,83 @@ cd scripts/
sudo ./build-unified.sh sudo ./build-unified.sh
``` ```
The build script is self-contained — it generates the complete ISO from a Debian base using live-build with custom hooks. `build-unified.sh` is the orchestrator. It:
1. Configures live-build for Debian Trixie (13) with XFCE
2. Drops all 10 hooks into the chroot build pipeline
3. Each hook runs in order (0100 → 0600) inside the chroot
4. Hooks install packages, write configs, enable services, apply hardening
5. Two kernel-naming hooks (9999) fix the UEFI/BIOS boot path
6. live-build produces the hybrid ISO (UEFI + BIOS bootable)
### Build Hooks (executed in order) ### The Critical Boot Fix (RC2→RC3)
1. **Branding** — Plymouth splash, wallpaper, GRUB theme, login screen Bootloader references `/live/vmlinuz` but live-build only creates versioned files (`vmlinuz-6.1.0-44-amd64`). Two hooks fix this:
2. **Browser** — Installs Alfred Browser (Chromium fork) - **Chroot hook (9999):** Creates generic kernel copies in `/boot/`
3. **IDE** — Installs code-server + Alfred Commander extension - **Binary hook (9999):** Creates generic copies in `binary/live/` after lb copies versioned files
4. **Voice** — Installs Kokoro TTS engine + voice models
5. **Search** — Installs Meilisearch + prebuilt indexes
6. **Installer** — Configures Calamares graphical installer
### Critical Boot Fix (discovered RC2→RC3) Without both, the ISO boots to a kernel panic. This is the kind of real-world debugging that separates build systems from config generators.
Two kernel-naming hooks are required: ## Security Architecture (570 lines, hook 0160)
- `9999-fix-kernel-names.hook.chroot` — creates generic kernel names in `/boot/`
- `9999-fix-kernel-names.hook.binary` — creates generic names in `binary/live/` after lb copies versioned files
Without both, the ISO boots to a kernel panic. See `scripts/build-unified.sh` for details. The security hook alone is 570 lines. It doesn't just install packages — it installs and **configures** 32 modules:
- **Mandatory Access Control:** AppArmor enforced, custom profiles loaded
- **Intrusion Detection:** fail2ban with SSH/HTTP jails, auditd with CIS-aligned rules
- **File Integrity:** AIDE baseline database initialized at build time
- **Antivirus:** ClamAV with freshclam cron, rkhunter, chkrootkit
- **Firewall:** nftables with drop-by-default policy (not UFW — raw nftables)
- **Encryption:** LUKS2 full disk encryption via Calamares option
- **Network:** MAC address randomization (WiFi + Ethernet), DNS-over-TLS, sysctl hardening
- **Kernel:** 24 CPU mitigations including 3 kernel-7-exclusive (ITS, TSA, VMSCAPE)
- **Sysctl:** CIS Level 2 hardening — ICMP redirects disabled, SYN cookies enabled, IP forwarding off, core dumps disabled
For comparison: Ubuntu ships with UFW installed but **off**. Fedora ships with SELinux that users routinely **disable**. Arch ships with **nothing**.
## Build Server ## Build Server
ISOs are built on a dedicated EU build server: ISOs are built on a dedicated EU build server:
- 8 cores, 32 GB RAM - 8 cores, 32 GB RAM
- Debian Bookworm host - Debian Bookworm host (migrating to Trixie)
- Isolated build environment (clean chroot each run) - Isolated build environment (clean chroot each run)
## Verification ## Verification
```bash ```bash
# Download ISO # Download
wget https://alfredlinux.com/downloads/alfred-linux-4.0-rc8-amd64.iso wget https://alfredlinux.com/downloads/alfred-linux-4.0-rc8-amd64.iso
# Verify SHA-256 # Verify hash
sha256sum alfred-linux-4.0-rc8-amd64.iso sha256sum alfred-linux-4.0-rc8-amd64.iso
# Expected: 647e56fd433da2322f5d5ed3e0122d19fec85604f65dee9a129940f06f877c02
# Boot in QEMU # Boot in QEMU (no install required)
qemu-system-x86_64 -m 4096 -cdrom alfred-linux-4.0-rc8-amd64.iso -boot d qemu-system-x86_64 -m 4096 -cdrom alfred-linux-4.0-rc8-amd64.iso -boot d
# Once booted, verify:
uname -r # → 7.0.0-rc7-alfred
alfred-security-status # → 32 modules active
alfred-network-status # → nftables + MAC randomization
systemctl status fail2ban # → active (running)
systemctl status apparmor # → active (running)
``` ```
## What We Don't Have Yet (Honestly)
- **Community size** — Ubuntu has 20 years. We have months. Our [docs](https://alfredlinux.com/docs) are growing.
- **Hardware testing** — tested on dozens of machines, not thousands. Debian base covers most hardware.
- **LTS cadence** — still in RC phase. Stability-focused LTS after v4.0 GA.
- **DistroWatch** — not yet listed. Building the product first.
We'd rather ship 32 hardened security modules with zero community than ship zero security modules with a million users.
## License ## License
AGPL-3.0 — see [LICENSE](LICENSE) AGPL-3.0
## Links ## Links
- **Website:** https://alfredlinux.com - **Website:** https://alfredlinux.com
- **Download:** https://alfredlinux.com/download - **Download:** https://alfredlinux.com/download
- **Releases:** https://alfredlinux.com/releases - **Compare:** https://alfredlinux.com/compare
- **Security:** https://alfredlinux.com/security - **Security:** https://alfredlinux.com/security
- **All Repos:** https://alfredlinux.com/forge/explore/repos
- **Company:** https://gositeme.com (GoSiteMe Inc.) - **Company:** https://gositeme.com (GoSiteMe Inc.)