{
  "guid": "6df243b9-ad58-5d92-9104-54ff6076608d",
  "id": 690,
  "date": "2024-12-27T12:15:00+01:00",
  "start": "12:15",
  "duration": "01:00",
  "room": "Stage HUFF",
  "slug": "38c3-sixos-a-nix-os-without-systemd",
  "url": "https://events.ccc.de/congress/2024/hub/de/event/sixos-a-nix-os-without-systemd/",
  "title": "sixos: a nix os without systemd",
  "subtitle": null,
  "language": "en",
  "track": null,
  "type": "Talk 60 (45min +15 Q&A)",
  "abstract": "This talk announces the first public release of sixos, a two year project to create a nixpkgs-based operating system using skarnet's s6 supervisor instead of systemd.",
  "description": "The monolithic design of `systemd` is inconsistent with the UNIX userspace philosophy.  Its our-way-or-fork-off policy attracts influence-seekers, and thereby encourages *platform decay* within the free software ecosystem.  Systemd's failure to provide Linux-grade ABI stability (\u201ewe don't break userspace\u201c) creates a large and tempting attack surface for *enshittification*.\r\n\r\nThis talk announces the first public release of [sixos](https://codeberg.org/amjoseph/sixos), a two year project to create a nixpkgs-based operating system using [skarnet](https://skarnet.org/software/)'s [`s6`](https://skarnet.org/software/s6/) instead of `systemd`.\r\n\r\nSixos replaces NixOS modules with the simpler [`infuse`](https://codeberg.org/amjoseph/infuse.nix) combinator.  This allows sixos to treat services the same way nixpkgs handles packages:\r\n- A service (`svcs/by-name/.../service.nix`) in sixos is a Nix expression, just like an uninstantiated package (`pkgs/by-name/.../package.nix`) in nixpkgs.\r\n- A sixos target is a derivation, just like an instantiated package in nixpkgs.\r\n- The sixos target set (`targets`) is a scoped fixpoint, just like the nixpkgs instantiated-package set (`pkgs`).\r\n- The `override`, `callPackage`, and `overrideAttrs` tools work on targets and services, just like they do on instantiated and uninstantiated packages.\r\n\r\nWhenever possible, sixos retains good ideas pioneered by NixOS, like atomically-activated immutable configurations and the layout of `/run`.\r\n\r\nSixos is not a fork of NixOS.  It shares no code with `nixpkgs/nixos`, nor is any part of it derived from NixOS.  Sixos and NixOS both depend on `nixpkgs/pkgs`.\r\n\r\nOn [ownerboot](https://codeberg.org/amjoseph/ownerboot) hardware all [mutable firmware](https://codeberg.org/amjoseph/ownerboot/src/branch/master/doc/owner-controlled.md#clarifications) -- all the way back to the reset vector -- is versioned, managed, and built as part of the sixos configuration.  This *eliminates the artificial distinction between firmware software and non-firmware software*.  On NixOS, either the initrd \u201esecrets\u201c or the software that decrypts them ([ESP](https://en.wikipedia.org/wiki/EFI_system_partition), [initrd ssh keys](https://github.com/NixOS/nixpkgs/blob/6b88838224de5b86f449e9d01755eae4efe4a1e4/nixos/modules/system/boot/initrd-ssh.nix#L73-L76)) is stored unencrypted on writable media.  Ownerbooted sixos closes this loophole without any \u201etrusted computing\u201c voodoo, eliminating all unencrypted storage except for an eeprom whose hardware write-protect pin is connected to ground.\r\n\r\nThe speaker runs ownerbooted sixos on his workstations, servers, twelve routers, stockpile of disposable laptops, and on his company's 24-server/768-core buildfarm.  So far all of his attempts to run sixos on his snowboard have failed.",
  "logo": null,
  "persons": [
    {
      "guid": "28deb0f7-08e0-5017-9373-00b83cfd3c63",
      "name": "Adam Joseph",
      "public_name": "Adam Joseph",
      "avatar": null,
      "biography": null,
      "url": "https://events.ccc.de/congress/2024/hub/de/user/speaker_28deb0f7-08e0-5017-9373-00b83cfd3c63/"
    }
  ],
  "links": [],
  "origin_url": "https://cfp.cccv.de/38c3-community-stages/talk/8QZKGS/",
  "feedback_url": "https://cfp.cccv.de/38c3-community-stages/talk/8QZKGS/feedback/"
}