2024-12-27 –, Stage HUFF
Language: English
This talk announces the first public release of sixos, a two year project to create a nixpkgs-based operating system using skarnet's s6 supervisor instead of systemd.
The monolithic design of systemd
is inconsistent with the UNIX userspace philosophy. Its our-way-or-fork-off policy attracts influence-seekers, and thereby encourages platform decay within the free software ecosystem. Systemd's failure to provide Linux-grade ABI stability („we don't break userspace“) creates a large and tempting attack surface for enshittification.
This talk announces the first public release of sixos, a two year project to create a nixpkgs-based operating system using skarnet's s6
instead of systemd
.
Sixos replaces NixOS modules with the simpler infuse
combinator. This allows sixos to treat services the same way nixpkgs handles packages:
- A service (svcs/by-name/.../service.nix
) in sixos is a Nix expression, just like an uninstantiated package (pkgs/by-name/.../package.nix
) in nixpkgs.
- A sixos target is a derivation, just like an instantiated package in nixpkgs.
- The sixos target set (targets
) is a scoped fixpoint, just like the nixpkgs instantiated-package set (pkgs
).
- The override
, callPackage
, and overrideAttrs
tools work on targets and services, just like they do on instantiated and uninstantiated packages.
Whenever possible, sixos retains good ideas pioneered by NixOS, like atomically-activated immutable configurations and the layout of /run
.
Sixos is not a fork of NixOS. It shares no code with nixpkgs/nixos
, nor is any part of it derived from NixOS. Sixos and NixOS both depend on nixpkgs/pkgs
.
On ownerboot hardware all mutable firmware -- all the way back to the reset vector -- is versioned, managed, and built as part of the sixos configuration. This eliminates the artificial distinction between firmware software and non-firmware software. On NixOS, either the initrd „secrets“ or the software that decrypts them (ESP, initrd ssh keys) is stored unencrypted on writable media. Ownerbooted sixos closes this loophole without any „trusted computing“ voodoo, eliminating all unencrypted storage except for an eeprom whose hardware write-protect pin is connected to ground.
The speaker runs ownerbooted sixos on his workstations, servers, twelve routers, stockpile of disposable laptops, and on his company's 24-server/768-core buildfarm. So far all of his attempts to run sixos on his snowboard have failed.
PGP key fingerprint: F0B74D717CDE8412A3E0 D4D5F29AC8080DA8E1E0.