Release Notes

Security Hardening (32 Modules — 3 New Hooks)

• Hook 0160 — Alfred Security (21 modules): sysctl CIS L2 hardening (45+ rules), kernel lockdown mode, AppArmor enforced with custom Alfred IDE & Meilisearch profiles, unattended-upgrades, fail2ban (SSH 3-try/24h ban), auditd (30+ immutable rules), DNS-over-TLS (Quad9 + Cloudflare), USB security logging & toggle, dangerous module blacklisting (firewire, dccp, sctp, cramfs), PAM password hardening (10-char/3-class/lockout), AIDE file integrity monitoring, ClamAV antivirus (weekly scan), rootkit detection (rkhunter + chkrootkit), hidepid=2, secure mount options (/tmp noexec), login banners, core dump prevention, cron/at root-only, compiler access restriction, NTS time synchronization (chrony), alfred-security-status CLI tool
• Hook 0165 — Alfred Network Hardening (7 modules): MAC address randomization (WiFi + Ethernet), nftables default-deny firewall, TCP wrappers, port scan defense, wireless hardening (WPS disabled), SSH strong ciphers only (chacha20-poly1305, ed25519, sntrup761x25519), alfred-network-status CLI tool
• Hook 0170 — Full Disk Encryption (4 modules): LUKS2 with cryptsetup + initramfs integration, strong encryption defaults, Calamares FDE checkbox enabled, alfred-encrypt-status CLI tool

Build System

• 16 build hooks — up from 13 in RC7 (3 new security hooks)
• 19 new security packages: apparmor suite, auditd, aide, clamav, rkhunter, chkrootkit, libpam-pwquality, chrony, nftables, unattended-upgrades, cryptsetup
• DNS fix hook (0011): resolves chroot DNS failures by forcibly writing /etc/resolv.conf
• fastfetch replaces neofetch (removed from Trixie repos)
• Resilient hooks: IDE (0300) and Voice (0400) now use set +e so optional failures don't kill the build

Applications

• Alfred IDE — VS Code-compatible IDE (powered by code-server 4.114.0)
• Alfred Voice — Kokoro TTS + PyTorch + espeak-ng + OpenWakeWord
• Alfred Search — Meilisearch instant search
• Alfred Store — Flatpak + GNOME Software
• Alfred Browser — Tauri + WebKitGTK (zero telemetry)
• Alfred Welcome — first-boot wizard
• Alfred Update — system update manager
• Calamares — graphical installer with FDE support

Platform

• Kernel: Linux 7.0.0-rc7-alfred (custom-compiled mainline)
• Base: Debian Trixie (13)
• Boot: BIOS + UEFI hybrid ISO
• Desktop: XFCE 4.18 + LightDM
• Size: 2.4 GB ISO
• Distribution: WebTorrent P2P (browser-native) + .torrent file
• CLI Tools: alfred-security-status, alfred-scan, alfred-usb-storage, alfred-aide-init, alfred-network-status, alfred-encrypt-status, alfred-info, alfred-update, fastfetch

Download RC8

Kernel

• Linux 7.0.0-rc7-alfred — custom-compiled from Linus Torvalds' mainline tree (released April 5, 2026)
• 3 kernel-7-exclusive CPU mitigations: ITS (Indirect Target Selection), TSA (Transient Scheduler Attacks), VMSCAPE (VM-exit Speculative Code Attack Prevention)
• 24 total compiled-in CPU mitigations (Spectre v1/v2/BHI, Meltdown, MDS, TAA, MMIO, RFDS, SRBDS, L1TF, SSB, and more)

Security (12 default gaps patched)

• 16 boot security parameters: init_on_alloc, init_on_free, slab_nomerge, page_alloc.shuffle, pti=on, lockdown=integrity, debugfs=off, io_uring_disabled, tsx=off, vsyscall=none, and more
• nftables drop-by-default firewall with UFW front-end
• AppArmor mandatory access control enforced at boot
• fail2ban intrusion prevention active by default
• auditd security audit logging enabled
• unattended-upgrades for automatic security patches
• Auto-generated IDE passwords — no more hardcoded defaults
• Dangerous kernel modules blacklisted: firewire, thunderbolt DMA, cramfs, freevxfs, hfs, jffs2, udf
• Kernel sysctl hardening: ASLR=2, symlink/hardlink protection, SYN cookies, ICMP redirects disabled, source routing blocked

Applications (13 build hooks)

• Alfred IDE — VS Code-compatible IDE (powered by code-server 4.114.0)
• Alfred Voice — Kokoro TTS engine with PyTorch 2.11.0, espeak-ng, OpenWakeWord
• Alfred Search — Meilisearch instant search engine
• Alfred Store — Flatpak + GNOME Software for app distribution
• Alfred Browser — Tauri + WebKitGTK (zero telemetry)
• Alfred Welcome — first-boot welcome and setup wizard
• Alfred Update — system update manager
• Calamares — graphical installer for disk installation

Platform

• Base: Debian Trixie (13)
• Boot: BIOS + UEFI hybrid ISO (ISOLINUX + GRUB EFI)
• Desktop: LightDM display manager
• Hardware: LVM2, btrfs, ZRAM swap, TLP power management, CUPS printing, thermald
• Size: 2.5 GB ISO
• Distribution: WebTorrent P2P (sovereign distribution)

Highlights

• Kernel 6.12.74 — Debian Trixie LTS security kernel
• 12 build hooks (full application stack)
• Universal hardware support — GPU drivers (NVIDIA, AMD, Intel), WiFi/Bluetooth firmware, input devices, power management, auto-detect 3-tier driver loading
• Install-or-try dialog on live boot — user chooses live session or Calamares installer immediately
• XFCE desktop trust fix — desktop files launch without "untrusted application" warnings
• Kyber-1024 branding — post-quantum visual identity applied
• Calamares installer now visible and launchable from desktop with Alfred v4.0 branding and slideshow
• First build with WebTorrent P2P distribution
• First build with Alfred Store (Flatpak + GNOME Software)

Highlights

• Kernel 6.12.74
• 10 build hooks — full v4.0 application stack
• Alfred Welcome — 7-page first-boot setup wizard
• Alfred Store — Flatpak app center with GNOME Software
• Voice 2.0 — "Hey Alfred" wake word detection via OpenWakeWord (always-on systemd service)
• alfred-update — system update manager with GUI and CLI
• alfred-info — system information CLI tool
• Version check API — checks for OS updates at boot
• Calamares — v4.0 branding applied to graphical installer

Highlights

• Trixie rebase — OS moved from Debian Bookworm (12) to Debian Trixie (13)
• Kernel 6.12.74 — Trixie's LTS kernel with EEVDF scheduler and Rust-in-kernel support
• UEFI + BIOS hybrid boot — single ISO boots on both modern and legacy systems
• Alfred Voice v2 — Kokoro TTS + PyTorch, spaCy NLP, OpenWakeWord, espeak-ng fallback
• Alfred Search — Meilisearch instant local search engine
• Voice hook fixed for Trixie (Python venv + --only-binary spacy workaround)

Highlights

• Kernel 6.1.0-44 — Debian Bookworm LTS (WebKit, OpenSSL, ImageMagick, GStreamer security updates)
• First verified bootable ISO (2.5 GB)
• Critical boot fix: dual kernel-naming hooks (chroot hook #9999 + binary hook #9999) — creates generic vmlinuz/initrd that the bootloader expects
• 9 build hooks: Alfred Browser, Alfred IDE (VS Code-compatible IDE), Alfred Voice (Kokoro TTS), Alfred Search (Meilisearch), Calamares installer, branding, boot fix (chroot + binary)
• Samsung S26 Ultra mobile installer created (Termux + proot-distro, no root)