styx will be a consent-first, usability-oriented operating system, with a Linux® kernel, and a distribution of packages built from nixpkgs.
More information:
What makes styx different?
We're going for a modular, system-agnostic linux environment optimized for quick setup and teardown, and built to work with existing system software where possible.
In our RFC pipeline, a few ideas shine through. As a rule, styx is a consent-first operating system. We don't force choices on the user to further our own goals, because not doing so is Goal One.
Our methodology follows a strict documentation before implementation policy, meaning that the prose written is the target — and sets the requirements for our code.
styx's strength is in its versatility. it will run where it needs to, how it needs to, and usecases can be defined as sets of styx configurations.
Quality is the building problem.
All software on styx, even third-party FOSS, goes through quality assurance steps. Higher-quality software is promoted better.
Warnings while building will be treated as errors first (-Werror
), then built again with that disabled. Any build stoppage automatically registers as a bug with us.
Finally, with the help of nix, styx packages will aim for reproducible builds.
How secure is styx?
Package names and IDs are canonicalized to DNS records. Packages and repos are identified by their domain name, or FQDN, and metadata and package repositories are provided via DNS infrastructure. This ensures an authoritative, federated and decentralized registry of package ownership, and importantly, one we don't need to maintain a global registry for.
A repository of packages is simply the part of the domain name in front of the package title itself. The entire repository is versioned, rather than individual packages. The version is committed to DNS as a TXT record.
Packages will be signed. The identity of the maintainership signature is backed by DNS, by way of DNSSEC. In cases where that is not possible, HTTPS certificates, or a public keychain or keyserver can also contribute to the styx PKI.
To further ensure an authoritative, tamper-resistent and tamper-evident root of trust, we will provide authoritative DNS nameservers, and employ DNS over HTTPS (DoH), for any DNS question which can be answered with styx's own group of authoritative nameservers.