Bedrock Linux


Bedrock Linux is a meta Linux distribution which allows users to mix-and-match components from other, typically incompatible distributions. Bedrock integrates these components into one largely cohesive system.

For example, one could have:

  • Debian's stable coreutils
  • Arch's cutting edge kernel
  • Void's runit init system
  • A pdf reader with custom patches automatically maintained by Gentoo's portage
  • A font from Arch's AUR
  • Games running against Ubuntu's libraries
  • Business software running against CentOS's libraries

All at the same time and working together mostly as though they were packaged for the same distribution.

Bedrock Linux 0.7.30 released

2024-04-22

  • Fixed brl-fetch Void
  • Fixed etcfs listxattr read-only requests
  • Fixed etcfs statfs on non-directories
  • Fixed handling of missing/erroring /etc/profiles

Security alert (xz, CVE-2024-3094)

2024-03-29

A common compression project, xz, appears to have had its recent releases 5.6.0 and 5.6.1 compromised; the issue is tracked as CVE-2024-3094. No stable Bedrock Linux release uses such a new xz build, and we are confident stable channel users remain unaffected.

0.7.30beta1 did build against xz 5.6.1. However:

  • The exploit build code is only included in the xz source tarball releases.[0] Bedrock Linux builds xz from git. We checked for and were unable to find any code path which builds/includes the exploit. We do not believe the exploit was ever built or included in 0.7.30beta1 despite the xz version.

  • The exploit appears to depend on glibc's ifunc functionality.[0] Bedrock Linux builds against musl-libc, which does not offer this functionality, and thus the exploit, were it included, is unlikely to work.

  • The exploit appears to explicitly check for known argv[0] values such as /usr/sbin/sshd.[0] While not impossible, it has yet to be reported to check for kmod, the only Bedrock Linux component which is built against xz.

[0] https://www.openwall.com/lists/oss-security/2024/03/29/4

While we do not believe 0.7.30beta1 users are vulnerable, as a precaution we have pulled the release and pushed 0.7.30beta2, built against the older xz 5.4.6. We encourage beta channel users to update to it immediately.
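The version and libc conditions from the advisory above can be checked mechanically. The following is an added example, not Bedrock Linux's own code: the function names and the sample `xz --version` and `ldd` outputs are constructed for illustration. Whether a build came from a release tarball or from git cannot be read from these outputs, so that condition is not checked.

```shell
# Added example: triage a binary using `xz --version` and `ldd` text as input.

# Extract the liblzma version from `xz --version` output.
liblzma_version() {
    printf '%s\n' "$1" | sed -n 's/^liblzma \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Classify the libc named in `ldd <binary>` output: musl, glibc or unknown.
libc_flavor() {
    case "$1" in
        *ld-musl-*|*libc.musl-*) echo musl ;;
        *libc.so.6*) echo glibc ;;
        *) echo unknown ;;
    esac
}

# triage <xz --version output> <ldd output of the binary under review>
triage() {
    ver=$(liblzma_version "$1")
    [ -n "$ver" ] || { echo "unknown: no liblzma version found"; return 0; }
    case "$ver" in 5.6.0|5.6.1) ;; *) echo "ok: liblzma $ver is not a named release"; return 0 ;; esac
    case "$2" in *liblzma.so*) ;; *) echo "low: liblzma $ver present but not linked"; return 0 ;; esac
    case "$(libc_flavor "$2")" in
        musl) echo "low: liblzma $ver linked, musl has no ifunc" ;;
        glibc) echo "review: liblzma $ver linked against glibc" ;;
        *) echo "review: liblzma $ver linked, libc unknown" ;;
    esac
}

# Constructed sample inputs (not captured from a real system).
XZ_561='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
XZ_546='xz (XZ Utils) 5.4.6
liblzma 5.4.6'
LDD_GLIBC='  liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0)
  libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0)'
LDD_MUSL='  liblzma.so.5 => /usr/lib/liblzma.so.5 (0x0)
  libc.musl-x86_64.so.1 => /lib/ld-musl-x86_64.so.1 (0x0)'

triage "$XZ_561" "$LDD_GLIBC"
triage "$XZ_561" "$LDD_MUSL"
triage "$XZ_546" "$LDD_GLIBC"
```

On a Bedrock system each stratum can carry its own xz, so the inputs would be collected per stratum, for example with `strat <stratum> xz --version`.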

Bedrock Linux 0.7.29 released

2023-08-06

  • Build system updates
  • Fixed brl-fetch Arch
  • Fixed brl-fetch Artix
  • Fixed brl-fetch Exherbo
  • Fixed brl-fetch Fedora
  • Improve build system dynamic link detection
  • Various dependency updates
  • Work-around systemd shutdown freeze
