# Alfred Linux

**AI-Native Operating System — Kernel 7.0 · 32 Security Modules · Zero Telemetry**

Alfred Linux is a Debian-based operating system where security, privacy, and AI are architectural decisions — not aftermarket add-ons. Custom-compiled kernel 7.0, 32 hardened security modules active from first boot, AI IDE and voice assistant preinstalled, zero telemetry by architecture.

Built by [GoSiteMe Inc.](https://gositeme.com) — not a weekend fork, not a reskin with a wallpaper change.

## Build History

| Build | Version | Base | Kernel | Status | ISO Size |
|-------|---------|------|--------|--------|----------|
| RC1 | 2.0 | Bookworm | 6.1.0-44 | ✅ Built | 2.4 GB |
| RC2 | 2.0 | Bookworm | 6.1.0-44 | ✅ Built | 2.4 GB |
| RC3 | 2.0 | Bookworm | 6.1.0-44 | ✅ Bootable | 2.5 GB |
| RC4 | 3.0 | Trixie | 6.12 | ✅ Built | 2.4 GB |
| RC5 | 3.0 | Trixie | 6.12 | ✅ Built | 2.4 GB |
| RC6 | 4.0 | Trixie | 6.12 | ✅ Built | 2.4 GB |
| RC7 | 4.0 | Trixie | 7.0.0-rc7 | ✅ Kernel 7 | 2.3 GB |
| RC8 | 4.0 | Trixie | 7.0.0-rc7 | ✅ Current | 2.4 GB |

**10 ISOs built. 3 kernel generations. Bookworm → Trixie rebase. First distro to ship kernel 7.0.**

## What Ships in the ISO

| Component | What it is | Hook code |
|-----------|-----------|-----------|
| **Kernel 7.0.0-rc7-alfred** | Custom-compiled from Linus Torvalds' mainline tree | — |
| **32 Security Modules** | AppArmor, auditd, fail2ban, ClamAV, rkhunter, chkrootkit, AIDE, nftables, LUKS2, MAC randomization, CIS L2 sysctl | 888 lines across 3 hooks |
| **Alfred IDE** | code-server + Commander extension (AI chat, voice, 500+ MCP tools) | 94 lines |
| **Alfred Voice** | Kokoro TTS engine + wake word (fully offline, no cloud) | 128 lines |
| **Alfred Search** | Meilisearch instant search (offline, local indexes) | 131 lines |
| **Alfred Browser** | Privacy-first Chromium fork | 91 lines |
| **Calamares Installer** | Graphical installer with FDE checkbox | 344 lines |
| **XFCE Desktop** | Lightweight, custom-branded desktop environment | 476 lines |
| **Post-quantum crypto** | Kyber-1024 (ML-KEM-1024) ready | included in security hook |
| **Zero telemetry** | No telemetry code exists — not disabled, never written | — |

## Repository Structure

```
alfred-linux/
├── README.md
├── scripts/
│   ├── build-unified.sh                               # 375 lines — main build orchestrator
│   └── build.sh                                       # simplified build entry point
├── config/
│   ├── hooks/live/
│   │   ├── 0100-alfred-customize.hook.chroot          # 476 lines — branding, desktop, Plymouth, GRUB
│   │   ├── 0160-alfred-security.hook.chroot           # 570 lines — 32 security modules
│   │   ├── 0165-alfred-network-hardening.hook.chroot  # 193 lines — nftables, sysctl, MAC randomization
│   │   ├── 0170-alfred-fde.hook.chroot                # 125 lines — full disk encryption (LUKS2)
│   │   ├── 0200-alfred-browser.hook.chroot            # 91 lines — Alfred Browser install
│   │   ├── 0300-alfred-ide.hook.chroot                # 94 lines — code-server + Commander extension
│   │   ├── 0400-alfred-voice.hook.chroot              # 128 lines — Kokoro TTS + PyTorch
│   │   ├── 0500-alfred-search.hook.chroot             # 131 lines — Meilisearch engine
│   │   └── 0600-alfred-installer.hook.chroot          # 344 lines — Calamares graphical installer
│   └── package-lists/
│       ├── alfred.list.chroot                         # core packages
│       └── alfred-b2.list.chroot                      # extended packages
└── docs/
    ├── ARM64_BUILD_INVESTIGATION.md                   # ARM64/Raspberry Pi port research
    └── KERNEL_UPGRADE_ROADMAP.md                      # kernel upgrade planning
```

**Total: 2,527 lines of build code across 10 hooks + build scripts.** This is not a config tweak. This is a build system.

## How the Build Works

```bash
# Requires: Debian 12+ host, live-build, root/sudo
cd scripts/
sudo ./build-unified.sh
```

`build-unified.sh` is the orchestrator. It:

1. Configures live-build for Debian Trixie (13) with XFCE
2. Drops all 10 hooks into the chroot build pipeline
3. Each hook runs in order (0100 → 0600) inside the chroot
4. Hooks install packages, write configs, enable services, apply hardening
5. Two kernel-naming hooks (9999) fix the UEFI/BIOS boot path
6. live-build produces the hybrid ISO (UEFI + BIOS bootable)

### The Critical Boot Fix (RC2→RC3)

Bootloader references `/live/vmlinuz` but live-build only creates versioned files (`vmlinuz-6.1.0-44-amd64`). Two hooks fix this:

- **Chroot hook (9999):** Creates generic kernel copies in `/boot/`
- **Binary hook (9999):** Creates generic copies in `binary/live/` after lb copies versioned files

Without both, the ISO boots to a kernel panic. This is the kind of real-world debugging that separates build systems from config generators.

## Security Architecture (570 lines, hook 0160)

The security hook alone is 570 lines. It doesn't just install packages — it installs and **configures** 32 modules:

- **Mandatory Access Control:** AppArmor enforced, custom profiles loaded
- **Intrusion Detection:** fail2ban with SSH/HTTP jails, auditd with CIS-aligned rules
- **File Integrity:** AIDE baseline database initialized at build time
- **Antivirus:** ClamAV with freshclam cron, rkhunter, chkrootkit
- **Firewall:** nftables with drop-by-default policy (not UFW — raw nftables)
- **Encryption:** LUKS2 full disk encryption via Calamares option
- **Network:** MAC address randomization (WiFi + Ethernet), DNS-over-TLS, sysctl hardening
- **Kernel:** 24 CPU mitigations including 3 kernel-7-exclusive (ITS, TSA, VMSCAPE)
- **Sysctl:** CIS Level 2 hardening — ICMP redirects disabled, SYN cookies enabled, IP forwarding off, core dumps disabled

For comparison: Ubuntu ships with UFW installed but **off**. Fedora ships with SELinux that users routinely **disable**. Arch ships with **nothing**.

## Build Server

ISOs are built on a dedicated EU build server:

- 8 cores, 32 GB RAM
- Debian Bookworm host (migrating to Trixie)
- Isolated build environment (clean chroot each run)

## Verification

```bash
# Download
wget https://alfredlinux.com/downloads/alfred-linux-4.0-rc8-amd64.iso

# Verify hash
sha256sum alfred-linux-4.0-rc8-amd64.iso

# Boot in QEMU (no install required)
qemu-system-x86_64 -m 4096 -cdrom alfred-linux-4.0-rc8-amd64.iso -boot d

# Once booted, verify:
uname -r                      # → 7.0.0-rc7-alfred
alfred-security-status        # → 32 modules active
alfred-network-status         # → nftables + MAC randomization
systemctl status fail2ban     # → active (running)
systemctl status apparmor     # → active (running)
```

## Progress — Turning Weaknesses Into Wins

| What We Admitted | What We Shipped |
| --- | --- |
| No community infrastructure | [Community hub](https://alfredlinux.com/community) with contribution workflows, all 8 repos public on [GoForge](https://alfredlinux.com/forge/explore/repos) |
| No hardware testing matrix | [Hardware Compatibility List](https://alfredlinux.com/hardware) — VMs, bare metal, mobile, known limitations |
| No LTS cadence | [Roadmap](https://alfredlinux.com/roadmap) with timeline, GA goals, and LTS planning tracked in [GoForge issues](https://alfredlinux.com/forge/commander/alfred-linux/issues) |
| Not on DistroWatch | Submitted — waiting list |
| No contribution guide | [CONTRIBUTING.md](CONTRIBUTING.md) — bug reports, code workflow, hardware test submissions, security reporting |

We'd rather ship 32 hardened security modules with zero community than ship zero security modules with a million users.

## License

AGPL-3.0

## Links

- **Website:** https://alfredlinux.com
- **Download:** https://alfredlinux.com/download
- **Community:** https://alfredlinux.com/community
- **Hardware Compatibility:** https://alfredlinux.com/hardware
- **Roadmap:** https://alfredlinux.com/roadmap
- **Compare:** https://alfredlinux.com/compare
- **Security:** https://alfredlinux.com/security
- **Apps:** https://alfredlinux.com/apps
- **All Repos:** https://alfredlinux.com/forge/explore/repos
- **Company:** https://gositeme.com (GoSiteMe Inc.)
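
An added example (not code from the Alfred Linux repository) for the Sysctl bullet under Security Architecture: a shell audit that checks the four settings named there against a sysctl.d-style file or the running kernel, resolving repeated keys the way sysctl applies them (last assignment wins). The key names, expected values and the sample drop-in are assumptions constructed for illustration.

```bash
# Added example, not Alfred Linux's own code. Key names and expected values are
# assumptions mapped from the README's wording; the hook contents are not shown.
EXPECTED='net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.tcp_syncookies 1
net.ipv4.ip_forward 0
fs.suid_dumpable 0'

# Constructed sample drop-in: forwarding re-enabled later, core-dump key commented out.
sample_fragment() {
    cat <<'EOF'
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 0
; fs.suid_dumpable = 0
net.ipv4.ip_forward = 1
EOF
}

# read_value KEY [FILE]: value of KEY in a sysctl.d-style FILE (last assignment
# wins), or from the running kernel when FILE is omitted. Empty when unset.
read_value() {
    if [ -n "${2:-}" ]; then
        awk -F= -v k="$1" '
            /^[ \t]*[#;]/ { next }
            { key = $1; gsub(/[ \t]/, "", key) }
            key == k { val = $2; gsub(/^[ \t]+|[ \t]+$/, "", val); seen = 1 }
            END { if (seen) print val }' "$2"
    else
        sysctl -n "$1" 2>/dev/null
    fi
}

# audit_sysctl [FILE]: print one line per deviation; exit status is the count.
audit_sysctl() {
    local fails=0 key want got
    while read -r key want; do
        got=$(read_value "$key" "${1:-}") || true
        [ "$got" = "$want" ] && continue
        echo "FAIL $key: want $want, got ${got:-<unset>}"
        fails=$((fails + 1))
    done <<EOF
$EXPECTED
EOF
    return "$fails"
}

tmp=$(mktemp); sample_fragment > "$tmp"
audit_sysctl "$tmp" || echo "$? deviation(s) in the constructed sample"; rm -f "$tmp"
```

Called with no argument inside the booted ISO, `audit_sysctl` checks the live kernel values instead of a file.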