remove custom image overrides from each Dockerfile, favoring build contexts

don't gzip unless we have a valid tar file
Dockerfile -> Containerfile
2024-08-04 · 2024-02-05 02:36:12 -08:00 · 2024-02-05 01:45:45 -08:00 · 2024-02-05 01:45:20 -08:00 · 2024-02-02 15:10:11 -08:00 · 2024-02-01 21:34:06 -08:00
47 changed files with 944 additions and 646 deletions
--- a/19
+++ b/19
@ -1,6 +1,18 @@
-export REGISTRY := local
 export PLATFORM := linux/amd64
 export BUILDER := $(shell which docker)
+export REGISTRY := stagex
+export NOCACHE ?= 0
+export MIRRORS := \
+	git.distrust.co \
+	hub.docker.com
+
+ifeq ($(NOCACHE), 1)
+NOCACHE_FLAG=--no-cache
+else
+NOCACHE_FLAG=
+endif
+export NOCACHE_FLAG
+
 clean_logs := $(shell rm *.log 2>&1 >/dev/null || :)

 include src/macros.mk
@ -9,9 +21,12 @@ include src/core/build.mk
 include src/libs/build.mk
 include src/tools/build.mk

+compat:
+	./src/compat.sh
+
 DEFAULT_GOAL := default
 .PHONY: default
-default: bootstrap core
+default: compat bootstrap core

 out/graph.svg: Makefile
 	$(MAKE) -Bnd | make2graph | dot -Tsvg -o graph.svg
--- a/README.md
+++ b/README.md
@ -1,10 +1,105 @@
-# Packages
+# Stage[x]

-Minimalism and security first repository of reproducible and signed OCI images
-of common open source software packages built from source.
+Minimalism and security first repository of reproducible and multi-signed OCI
+images of common open source software toolchains full-source bootsrapped from
+Stage 0 all the way up.

-These can be used as a secure supply chain for anything from obtaining local
-tools, to bootstrapping a Linux distribution.
+If you want to build or deploy software on a foundation of minimalism and
+determinism with reasonable security, stagex might be the foundation you are
+looking for.
+
+## Usage
+
+You can do anything with these images you would with most any other musl based
+containerized linux distro, only with high supply chain integrity and
+determinism.
+
+For a full list of images see the "src" directory.
+
+### Examples
+
+Get a shell in our x86_64 Stage3 bootstrap image:
+
+```
+docker run -it stagex/stage3
+```
+
+Run a Python hello world:
+```
+docker run -i stagex/python -c "print('hello world')"
+```
+
+Make a hello world OCI container image with Rust:
+```
+FROM stagex/busybox as build
+COPY --from=stagex/rust . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/libunwind . /
+RUN printf 'fn main(){ println!("Hello World!"); }' > hello.rs
+RUN rustc hello.rs
+FROM scratch
+COPY --from=build /home/user/hello .
+CMD ["./hello"]
+```
+
+### Package Management
+
+Unlike most linux distros, stagex was built for determinism, minimalism, and
+containers first, and thus has no concept of a traditional package manager.
+
+In fact, stagex ships no first-party code at all. We just package things in the
+most "stock" way possible with exceptions only to maintain determinism.
+
+Every image is "from scratch" and contains an empty filesystem with the
+installed package.
+
+By default you always get the latest updates to dependencies on the fly, but
+you retain the option for bit-for-bit reproducible builds by locking any given
+dependency at a particular tag or image hash.
+
+If you want an old version of rust with a recent version of Gcc to work around
+some problem build, you can do that without resorting to low security \
+"curl | bash" style solutions like rustup.
+
+## Goals
+
+We built to support very high risk threat models where trusting any single
+system or maintainer in our software supply chain cannot be tolerated. That
+said, we should also function as a drop-in replacement for musl-based linux
+distributions for virtually any threat model.
+
+Our aim is to provide a reasonably secure set of toolchains for every major
+programming language to be the basis of your containers, build systems,
+firmware, secure enclaves, or hosting infrastructure.
+
+Not all of these goals are 100% realized yet, but should at least help you
+decide if this project is something you want to contribute to or keep an eye on
+for the future.
+
+### Integrity
+
+* Anyone can reproduce the entire tree with tools from their current distro
+* Hosted CI servers auto-sign confirmed deterministic builds
+    * Like NixOS
+* Maintainers sign all package additions/changes
+    * Like Gentoo, Debian, Fedora, Guix
+* Reviewers/Reproducers locally build and counter-sign all new binary packages
+    * No one does this, as far as we can tell
+
+### Minimalism
+
+* Based on musl libc
+    * Basis of successful minimal distros like Alpine, Adelie, Talos, Void
+    * Implemented with about 1/4 the code of glibc
+    * Required to produce portable static binaries in some languages
+    * Less prone to buffer overflows
+    * Puts being light, fast, and correct before compatibility
+* Package using tools you already have
+    * OCI build tool of choice (Docker, Buildah, Podman)
+    * Make (for dependency management)
+    * Prove hashes of bootstrap layer builds match before proceeding
+* Keep package definitions lean and readable with simple CLI and no magic

 ## Background

@ -13,7 +108,7 @@ and the greatest of them may be that any system that is complex to review and
 assigns trust of significant components to single human points of failure, is
 doomed to have failure.

-Most linux distributions rely on complex package management systems for which
+Most Linux distributions rely on complex package management systems for which
 only a single implementation exists. They assign package signing privileges to
 individual maintainers at best. Modern popular distros often fail to even do
 this, having a central machine somewhere blindly signing all unsigned
@ -39,47 +134,94 @@ container supply chain has single points of human failure, or review
 complexity, that makes it undesirable for threat models that assume any single
 human can be hacked or coerced.

-## Goals
+## Comparison

-Not all of these goals are realized yet, but should at least help you decide
-if this project is something you want to contribute to or keep an eye on for
-the future.
+A comparison of `stagex` to other distros in some of the areas we care about:

-### Integrity
+| Distro | Single-Sig | Multi-Sig |Diver.| Musl | Stage0 | Repro. | Rust Deps |
+|--------|------------|-----------|------|------|--------|--------|-----------|
+| Stagex | x          | p         | p    | x    | x      | x      | 4         |
+| Guix   | x          |           |      |      | x      | x      | 4         |
+| Nix    |            |           |      |      |        | p      | 4         |
+| Debian | x          |           |      |      |        | p      | 232       |
+| Arch   | x          |           |      |      |        | p      | 262       |
+| Fedora | x          |           |      |      |        |        | 166       |
+| Alpine |            |           |      |      | x      |        | 32        |

-* Anyone can reproduce the entire tree with tools from their current distro
-* Hosted CI servers auto-sign confirmed deterministic builds
-    * Like NixOS
-* Maintainers sign all package additions/changes
-    * Like Gentoo, Debian, Fedora, Guix
-* Reviewers locally build and counter-sign all new binary packages
-    * No one does this, as far as we can tell.
+### Legend
+
+- x = true
+- p = planned
+- “Single-sig”: one person, typically the maintainer, signed a given package
+    - Some distros blindly sign all packages with a shared accees server
+    - We see this as mostly security theater and do not include it here
+- “Multi-sig”: more than one human verified/signed every package artifact
+    - And ideally also signed the source
+- “Diver.”: Can the entire distro be built with a diversity of toolchains
+- “Musl”: entire distro and resulting artifacts are built against musl libc
+- “Stage0”: Can the entire distro be full-source-bootstrapped from Stage0
+- “Repro.”: Is the entire distro reproducible bit-for-bit identically
+- “Rust Deps”: the number of total dependencies installed to use rustc
+    - Rust is a worst case example for compiler deps and build complexity
+        - It is kind of a nightmare most distros skip
+        - See: [Guix documenting their process](https://guix.gnu.org/en/blog/2018/bootstrapping-rust/) (similar to ours)
+    - Nix, guix, and our distro get away with only 4 deps because:
+        - Rustc -does- need ~20 dependencies to build
+        - The final resulting rust builds can run standalone
+        - We only actually need musl libc, llvm, and gcc to build most projects
+
+### Signatures
+
+* Signatures are made by the PGP public keys in the "keys" directory
+* Signatures are made by any tool that implements "[Container Signature Format](https://github.com/containers/image/blob/main/docs/containers-signature.5.md)"
+    * We provide a minimal shell script implementation as a convenience
+    * Podman also [implements support](https://github.com/containers/podman/blob/main/docs/tutorials/image_signing.md) for this signature scheme
+* Signatures are "PR"ed and committed to this repo as a source of truth
+* Signatures can be mirrored to any HTTPS url
+* Container daemons can verify signatures on pull with a [containers-policy.json](https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md)
+* As a policy, we expect all published signers to:
+    * Maintain their PGP private keys offline and/or on personal HSMs
+        * E.g. Nitrokey, Yubikey, Leger, Trezor, etc.
+    * Maintain a public key in the "keys" folder of this repository
+    * Maintain a [keyoxide](https://keyoxide.org) profile self-certifying keys
+    * Maintain a [Hagrid](https://keys.openpgp.org) profile with verified UIDs
+    * Make best efforts to meet in person and sign each others keys
+    * Create signatures from highly trusted operating systems
+        * E.g Dedicated QubesOS VM, or a an airgapped signing system

 ### Reproducibility

-* Trust no single external source of binaries
-    * Bootstrap from two different third party signed distros
-* Never use external binaries
-    * Bootstrap from 0, always, even if it means going back in time
-        * Go, rust require extensive work to bootstrap all the way back to gcc
-        * Guix is the only distro that does this for rust to our knowledge
-* Full-Source Bootstrap from x86_64 assembly
-    * Take maximum advantage of the hard won wins by the Guix team
-    * Bootstrap from guile driver reproduced on multiple signed distros
+The only way to produce trustworthy packages is to make sure no single system
+or human is every trusted in the process of compiling them. Everything we
+release must be built deterministically. Further to avoid trusting any specific
+distro or platform, we must be able to reproduce even from wildly different
+toolchains, architectures, kernels, etc.

-### Minimalism
+Using OCI container images as our base packaging system helps a lot here by
+making it easy to throw away non-deterministic build stages and control many
+aspects of the build environment. Also, as a well documented spec, it allows
+our packages to (ideally) be built with totally different OCI toolchains such
+as Docker, Podman, Kaniko, or Buildah.

-* Based on musl libc
-    * Basis of successful minimal distros like Alpine, Adelie, Talos, Void
-    * Implemented with about 1/4 the code of glibc
-    * Required to produce portable static binaries in some languages
-    * Less prone to buffer overflows
-    * Puts being light, fast, and correct before compatibility
-* Package using tools you already have
-    * OCI build tool of choice (Docker, Buildah, Podman)
-    * Make (for dependency management)
-    * Prove hashes of bootstrap layer builds match before proceeding
-* Keep package definitions lean and readable with simple CLI and no magic
+This is only part of the story though, because being able to build
+deterministically means the compilers that compiler our code themselves must
+be bootstapped all the way from source code in a deterministic way.
+
+* Final distributable packages are always OCI container images
+    * OCI allows reproduction by totally different toolchains
+        E.g: Docker, Podman, Kaniko, or Buildah.
+    * OCI allows unlimited signatures on builds as part of the spec
+      * E.g: each party that chooses to reproduce adds their own signature
+* We always "Full Source Bootstrap" everything from 0
+    * [Stage0](src/bootstrap/stage0/Dockerfile): 387 bytes of x86 assembly built by 3 distros with the same hash
+        * Also the same hash many others get from wildly different toolchains
+        * Relevant: [Guix: Building From Source All The Way Down](https://guix.gnu.org/en/blog/2023/the-full-source-bootstrap-building-from-source-all-the-way-down/)
+    * [Stage1](src/bootstrap/stage1/Dockerfile): A full x86 toolchain built from stage0 via [live-bootstrap](https://github.com/fosslinux/live-bootstrap/blob/master/parts.rst)
+    * [Stage2](src/bootstrap/stage2/Dockerfile): Cross toolchain bridging us to modern 64 bit architectures
+    * [Stage3](src/bootstrap/stage3/Dockerfile): Native toolchain in native 64 bit architecture
+    * [Stage(x)](.): Later stages build the distributed packages in this repo
+
+For further reading see the [Bootstrappable Builds](https://bootstrappable.org/) Project.

 ## Building

--- a/src/bootstrap/stage0/Containerfile
+++ b/src/bootstrap/stage0/Containerfile
@ -96,3 +96,4 @@ COPY --from=build1 /rootfs /

 FROM scratch as package
 COPY --from=install / /
+CMD ["x86/bin/kaem","--version"]
--- a/src/bootstrap/stage1/Containerfile
+++ b/src/bootstrap/stage1/Containerfile
@ -1,9 +1,8 @@
-ARG REGISTRY=local
 ARG VERSION=fc6eeb6bd75ea0d0025a79ea9fe45614bd60ba14
 ARG SRC_SITE=https://codeload.github.com/lrvick/live-bootstrap/legacy.tar.gz
 ARG SRC_HASH=0c268b19cf9f4eefdaf45dab64ac393ccf8ee43de58f0721624cab358044bf78
 FROM debian@sha256:bac353db4cc04bc672b14029964e686cd7bad56fe34b51f432c1a1304b9928da as debian
-FROM ${REGISTRY}/stage0 as stage0
+FROM stagex/stage0 as stage0

 FROM debian as fetch
 ARG VERSION
--- a/src/bootstrap/stage2/Containerfile
+++ b/src/bootstrap/stage2/Containerfile
@ -1,12 +1,12 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/stage1:latest as stage1
-
-FROM stage1 as base
-ENV TARGET=x86_64-linux-musl
+FROM stagex/stage1 as base
+ENV ARCH=x86_64
+ENV TARGET=${ARCH}-linux-musl
+ENV SYSROOT_DIR ${HOME}/build-sysroot
 ENV GCC_VERSION 13.1.0
 ENV GCC_FILE gcc-$GCC_VERSION.tar.xz
 ENV GCC_SITE https://mirrors.kernel.org/gnu/gcc/gcc-${GCC_VERSION}
 ENV GCC_HASH 61d684f0aa5e76ac6585ad8898a2427aade8979ed5e7f85492286c4dfc13ee86
+ENV GCC_DIR ${HOME}/build-gcc
 ENV GCC_DEP_SITE https://gcc.gnu.org/pub/gcc/infrastructure/
 ENV GMP_FILE gmp-6.2.1.tar.bz2
 ENV GMP_HASH eae9326beb4158c386e39a356818031bd28f3124cf915f8c5b1dc4c7a36b4d7c
@ -20,18 +20,23 @@ ENV MUSL_VERSION 1.2.4
 ENV MUSL_SITE http://musl.libc.org
 ENV MUSL_FILE musl-${MUSL_VERSION}.tar.gz
 ENV MUSL_HASH 7a35eae33d5372a7c0da1188de798726f68825513b7ae3ebe97aaaa52114f039
-ENV BINUTILS_VERSION 2.41
+ENV MUSL_DIR ${HOME}/build-musl
+ENV LINUX_SITE https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/
+ENV LINUX_VERSION 6.6
+ENV LINUX_HASH d926a06c63dd8ac7df3f86ee1ffc2ce2a3b81a2d168484e76b5b389aba8e56d0
+ENV LINUX_FILE linux-${LINUX_VERSION}.tar.xz
+ENV LINUX_DIR ${HOME}/build-linux
+ENV BINUTILS_VERSION 2.35
 ENV BINUTILS_SITE https://ftp.gnu.org/gnu/binutils
 ENV BINUTILS_FILE binutils-${BINUTILS_VERSION}.tar.xz
-ENV BINUTILS_HASH ae9a5789e23459e59606e6714723f2d3ffc31c03174191ef0d015bdf06007450
+ENV BINUTILS_HASH 1b11659fb49e20e18db460d44485f09442c8c56d5df165de9461eb09c8302f85
 ENV BINUTILS_DIR ${HOME}/build-binutils
-ENV GCC_DIR ${HOME}/build-gcc
-ENV MUSL_DIR ${HOME}/build-musl
-ENV SYSROOT_DIR ${HOME}/build-sysroot

 FROM base as fetch
 WORKDIR ${HOME}
 RUN set -eux; \
+    curl -OJ ${LINUX_SITE}/${LINUX_FILE}; \
+    echo "${LINUX_HASH}  ${LINUX_FILE}" | sha256sum -c; \
    curl -OJ ${GCC_SITE}/${GCC_FILE}; \
    echo "${GCC_HASH}  ${GCC_FILE}" | sha256sum -c; \
    curl -OJ ${GCC_DEP_SITE}/${GMP_FILE}; \
@ -49,6 +54,7 @@ RUN set -eux; \

 FROM fetch as extract
 RUN set -eux; \
+    tar -xf ${LINUX_FILE}; \
    tar -xzf ${MUSL_FILE}; \
    tar -xf ${BINUTILS_FILE}; \
    tar -xf ${GCC_FILE}; \
@ -68,10 +74,13 @@ RUN set -eux; \
        --with-sysroot=/${TARGET} \
        --prefix= \
        --libdir=/lib \
-        --disable-werror \
+        --disable-nls \
        --disable-multilib \
+        --disable-plugins \
        --disable-gprofng \
-        --disable-separate-code \
+        --enable-64-bit-bfd \
+        --enable-ld=default \
+        --enable-install-libiberty \
        --enable-deterministic-archives; \
    make all

@ -144,6 +153,15 @@ RUN set -eux; \
 WORKDIR ${GCC_DIR}
 RUN make all

+# Phase 7: Generate linux headers
+WORKDIR ${HOME}/linux-${LINUX_VERSION}
+RUN set -eux; \
+    make ARCH=${ARCH} headers; \
+    find usr/include -name '.*' -delete; \
+    rm usr/include/Makefile; \
+    rm usr/include/headers_check.pl; \
+    cp -rv usr/include ${LINUX_DIR}
+
 FROM build as install
 WORKDIR ${HOME}
 USER 0:0
@ -153,9 +171,10 @@ RUN set -eux; \
    env -C build-musl make DESTDIR=/rootfs/${TARGET} install; \
    env -C build-gcc make DESTDIR=/rootfs/ install; \
    env -C build-binutils make DESTDIR=/rootfs/ install; \
+    cp -Rv ${LINUX_DIR}/* /rootfs/${TARGET}/include; \
    ln -s /usr/lib/ld-musl-i386.so.1 /rootfs/lib/libc.so; \
    ln -s /usr/lib/ld-musl-i386.so.1 /rootfs/lib/ld-musl-i386.so.1; \
-    ln -s /${TARGET}/lib/ld-musl-x86_64.so.1 /rootfs/lib/ld-musl-x86_64.so.1; \
+    ln -s /${TARGET}/lib/ld-musl-${ARCH}.so.1 /rootfs/lib/ld-musl-${ARCH}.so.1; \
    find /rootfs -exec touch -hcd "@0" "{}" +

 FROM scratch as package
--- a/src/bootstrap/stage3/Containerfile
+++ b/src/bootstrap/stage3/Containerfile
@ -0,0 +1,237 @@
+FROM stagex/stage2 as base
+ENV ARCH=x86_64
+ENV TARGET=${ARCH}-linux-musl
+ENV BUILD=i386-unknown-linux-musl
+ENV KCONFIG_NOTIMESTAMP=1
+ENV MUSL_VERSION 1.2.4
+ENV MUSL_SITE http://musl.libc.org/releases
+ENV MUSL_FILE musl-${MUSL_VERSION}.tar.gz
+ENV MUSL_HASH 7a35eae33d5372a7c0da1188de798726f68825513b7ae3ebe97aaaa52114f039
+ENV MUSL_DIR=${HOME}/build-musl
+ENV BUSYBOX_VERSION=1.35.0
+ENV BUSYBOX_HASH=faeeb244c35a348a334f4a59e44626ee870fb07b6884d68c10ae8bc19f83a694
+ENV BUSYBOX_SITE=https://busybox.net/downloads
+ENV BUSYBOX_FILE=busybox-${BUSYBOX_VERSION}.tar.bz2
+ENV BUSYBOX_DIR ${HOME}/build-busybox
+ENV BINUTILS_VERSION 2.35
+ENV BINUTILS_HASH 1b11659fb49e20e18db460d44485f09442c8c56d5df165de9461eb09c8302f85
+ENV BINUTILS_SITE https://ftp.gnu.org/gnu/binutils
+ENV BINUTILS_FILE binutils-${BINUTILS_VERSION}.tar.xz
+ENV BINUTILS_DIR ${HOME}/build-binutils
+ENV MAKE_VERSION 4.4
+ENV MAKE_HASH 581f4d4e872da74b3941c874215898a7d35802f03732bdccee1d4a7979105d18
+ENV MAKE_SITE https://ftp.gnu.org/gnu/make
+ENV MAKE_FILE make-${MAKE_VERSION}.tar.gz
+ENV MAKE_DIR ${HOME}/build-make
+ENV GCC_VERSION 13.1.0
+ENV GCC_HASH 61d684f0aa5e76ac6585ad8898a2427aade8979ed5e7f85492286c4dfc13ee86
+ENV GCC_SITE https://mirrors.kernel.org/gnu/gcc/gcc-${GCC_VERSION}
+ENV GCC_FILE gcc-$GCC_VERSION.tar.xz
+ENV GCC_DIR ${HOME}/build-gcc
+ENV GMP_VERSION 6.2.1
+ENV GMP_HASH eae9326beb4158c386e39a356818031bd28f3124cf915f8c5b1dc4c7a36b4d7c
+ENV GMP_SITE https://gcc.gnu.org/pub/gcc/infrastructure/
+ENV GMP_FILE gmp-${GMP_VERSION}.tar.bz2
+ENV GMP_DIR ${HOME}/build-gmp
+ENV MPFR_VERSION 4.1.0
+ENV MPFR_HASH feced2d430dd5a97805fa289fed3fc8ff2b094c02d05287fd6133e7f1f0ec926
+ENV MPFR_SITE https://gcc.gnu.org/pub/gcc/infrastructure/
+ENV MPFR_FILE mpfr-${MPFR_VERSION}.tar.bz2
+ENV MPFR_DIR ${HOME}/build-mpfr
+ENV MPC_VERSION 1.2.1
+ENV MPC_HASH 17503d2c395dfcf106b622dc142683c1199431d095367c6aacba6eec30340459
+ENV MPC_SITE https://gcc.gnu.org/pub/gcc/infrastructure/
+ENV MPC_FILE mpc-${MPC_VERSION}.tar.gz
+ENV MPC_DIR ${HOME}/build-mpc
+ENV ISL_VERSION 0.24
+ENV ISL_HASH fcf78dd9656c10eb8cf9fbd5f59a0b6b01386205fe1934b3b287a0a1898145c0
+ENV ISL_SITE https://gcc.gnu.org/pub/gcc/infrastructure/
+ENV ISL_FILE isl-${ISL_VERSION}.tar.bz2
+ENV ISL_DIR ${HOME}/build-isl
+ENV LINUX_SITE https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/
+ENV LINUX_VERSION 6.6
+ENV LINUX_HASH d926a06c63dd8ac7df3f86ee1ffc2ce2a3b81a2d168484e76b5b389aba8e56d0
+ENV LINUX_FILE linux-${LINUX_VERSION}.tar.xz
+ENV LINUX_DIR ${HOME}/build-linux
+
+FROM base as fetch
+WORKDIR /home/user
+RUN set -eux; \
+    curl -OJ ${LINUX_SITE}/${LINUX_FILE}; \
+    echo "${LINUX_HASH}  ${LINUX_FILE}" | sha256sum -c; \
+    curl --insecure -OJ ${MUSL_SITE}/${MUSL_FILE}; \
+    echo "${MUSL_HASH}  ${MUSL_FILE}" | sha256sum -c; \
+    curl --insecure -OJ ${BUSYBOX_SITE}/${BUSYBOX_FILE}; \
+    echo "${BUSYBOX_HASH}  ${BUSYBOX_FILE}" | sha256sum -c; \
+    curl --insecure -OJ ${BINUTILS_SITE}/${BINUTILS_FILE}; \
+    echo "${BINUTILS_HASH}  ${BINUTILS_FILE}" | sha256sum -c; \
+    curl --insecure -OJ ${MAKE_SITE}/${MAKE_FILE}; \
+    echo "${MAKE_HASH}  ${MAKE_FILE}" | sha256sum -c; \
+    curl --insecure -OJ ${GCC_SITE}/${GCC_FILE}; \
+    echo "${GCC_HASH}  ${GCC_FILE}" | sha256sum -c; \
+    curl --insecure -OJ ${GMP_SITE}/${GMP_FILE}; \
+    echo "${GMP_HASH}  ${GMP_FILE}" | sha256sum -c; \
+    curl --insecure -OJ ${MPFR_SITE}/${MPFR_FILE}; \
+    echo "${MPFR_HASH}  ${MPFR_FILE}" | sha256sum -c; \
+    curl --insecure -OJ ${MPC_SITE}/${MPC_FILE}; \
+    echo "${MPC_HASH}  ${MPC_FILE}" | sha256sum -c; \
+    curl --insecure -OJ ${ISL_SITE}/${ISL_FILE}; \
+    echo "${ISL_HASH}  ${ISL_FILE}" | sha256sum -c
+
+FROM fetch as extract
+RUN set -eux; \
+    tar -xf ${LINUX_FILE}; \
+    tar -kxzf ${MUSL_FILE}; \
+    tar -kxjf ${BUSYBOX_FILE}; \
+    tar -kxf ${BINUTILS_FILE}; \
+    tar -kxzf ${MAKE_FILE}; \
+    tar -kxf ${GCC_FILE}
+
+FROM extract as build
+WORKDIR ${MUSL_DIR}
+RUN set -eux; \
+    ../musl-${MUSL_VERSION}/configure \
+        --prefix=/usr \
+        --build=${BUILD} \
+        --host=${TARGET}; \
+    make
+WORKDIR ${BINUTILS_DIR}
+RUN set -eux; \
+    ../binutils-${BINUTILS_VERSION}/configure \
+        --build=${BUILD} \
+        --host=${TARGET} \
+        --prefix=/usr \
+        --bindir=/usr/bin \
+        --mandir=/usr/share/man \
+        --infodir=/usr/share/info \
+        --sysconfdir=/etc \
+        --disable-nls \
+        --disable-multilib \
+        --disable-plugins \
+        --disable-gprofng \
+        --enable-64-bit-bfd \
+        --enable-ld=default \
+        --enable-install-libiberty \
+        --enable-deterministic-archives; \
+    make
+WORKDIR ${MAKE_DIR}
+RUN set -ex; \
+    ../make-${MAKE_VERSION}/configure \
+        --build=${BUILD} \
+        --host=${TARGET} \
+        --prefix=/usr \
+        --mandir=/usr/share/man \
+        --infodir=/usr/share/info \
+        --disable-nls; \
+	make
+WORKDIR ${GCC_DIR}
+RUN set -eux; \
+    cp ../*.tar.* ../gcc-${GCC_VERSION}; \
+    env -C ${HOME}/gcc-${GCC_VERSION} ./contrib/download_prerequisites; \
+    ../gcc-${GCC_VERSION}/configure \
+        --build=${BUILD} \
+        --host=${TARGET} \
+        --target=${TARGET} \
+        --prefix=/usr \
+        --mandir=/usr/share/man \
+        --infodir=/usr/share/info \
+        --libdir=/usr/lib \
+        --disable-cet \
+        --disable-fixed-point \
+        --disable-libstdcxx-pch \
+        --disable-multilib \
+        --disable-libsanitizer \
+        --disable-nls \
+        --disable-werror \
+        --enable-__cxa_atexit \
+        --enable-default-pie \
+        --enable-default-ssp \
+        --enable-languages=c,c++ \
+        --enable-link-serialization=2 \
+        --enable-linker-build-id; \
+    make
+WORKDIR ${BUSYBOX_DIR}
+RUN set -eux; \
+    setConfs=' \
+        CONFIG_LAST_SUPPORTED_WCHAR=0 \
+        CONFIG_STATIC=y \
+    '; \
+    unsetConfs=' \
+        CONFIG_FEATURE_SYNC_FANCY \
+        CONFIG_FEATURE_HAVE_RPC \
+        CONFIG_FEATURE_INETD_RPC \
+        CONFIG_FEATURE_UTMP \
+        CONFIG_FEATURE_WTMP \
+    '; \
+    make \
+        -f ../busybox-${BUSYBOX_VERSION}/Makefile \
+        KBUILD_SRC=../busybox-${BUSYBOX_VERSION} \
+        CROSS_COMPILE=${TARGET}- \
+        defconfig; \
+    for conf in $unsetConfs; do \
+        sed -i \
+            -e "s!^$conf=.*\$!# $conf is not set!" \
+            .config; \
+    done; \
+    for confV in $setConfs; do \
+        conf="${confV%=*}"; \
+        sed -i \
+            -e "s!^$conf=.*\$!$confV!" \
+            -e "s!^# $conf is not set\$!$confV!" \
+            .config; \
+        if ! grep -q "^$confV\$" .config; then \
+            echo "$confV" >> .config; \
+        fi; \
+    done; \
+    make oldconfig CROSS_COMPILE=${TARGET}-; \
+    for conf in $unsetConfs; do \
+        ! grep -q "^$conf=" .config; \
+    done; \
+    for confV in $setConfs; do \
+        grep -q "^$confV\$" .config; \
+    done; \
+    make CROSS_COMPILE=${TARGET}-
+WORKDIR ${HOME}/linux-${LINUX_VERSION}
+RUN set -eux; \
+    make ARCH=${ARCH} headers; \
+    find usr/include -name '.*' -delete; \
+    rm usr/include/Makefile; \
+    rm usr/include/headers_check.pl; \
+    cp -rv usr/include ${LINUX_DIR}
+
+FROM build as install
+USER 0:0
+RUN set -eux; \
+    env -C ${BUSYBOX_DIR} make \
+        CROSS_COMPILE=${TARGET}- \
+        CONFIG_PREFIX=/rootfs \
+        install ; \
+    env -C ${MUSL_DIR} make DESTDIR=/rootfs install; \
+    env -C ${BINUTILS_DIR} make DESTDIR=/rootfs install; \
+    env -C ${MAKE_DIR} make DESTDIR=/rootfs install; \
+    env -C ${GCC_DIR} make DESTDIR=/rootfs install; \
+    cp -Rv ${LINUX_DIR}/* /rootfs/usr/include/; \
+    cd /rootfs/; \
+    ln -sT /lib lib64; \
+    mkdir -p etc tmp var/tmp home/user; \
+    echo "user:x:1000:" > etc/group; \
+    echo "user:x:1000:1000::/home/user:/bin/sh" > etc/passwd; \
+    chown -R 1000:1000 tmp var/tmp home/user; \
+    find /rootfs -exec touch -hcd "@0" "{}" +
+
+FROM scratch as package
+COPY --from=install /rootfs /
+USER 1000:1000
+ENTRYPOINT ["/bin/sh"]
+ENV ARCH=x86_64
+ENV TARGET=${ARCH}-linux-musl
+ENV HOST=${TARGET}
+ENV BUILD=${TARGET}
+ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ENV USER=user
+ENV HOME=/home/user
+ENV TZ=UTC
+ENV LANG=C.UTF-8
+ENV SOURCE_DATE_EPOCH=1
+ENV KCONFIG_NOTIMESTAMP=1
+ENV PS1="stage3 $ "
--- a/src/bootstrap/stage3/Dockerfile
+++ b/src/bootstrap/stage3/Dockerfile
@ -1,94 +0,0 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/stage2 as stage2
-
-FROM stage2 as base
-ENV TARGET=x86_64-linux-musl
-ENV BUILD=i386-unknown-linux-musl
-ENV MUSL_VERSION 1.2.4
-ENV MUSL_SITE http://musl.libc.org/releases
-ENV MUSL_FILE musl-${MUSL_VERSION}.tar.gz
-ENV MUSL_HASH 7a35eae33d5372a7c0da1188de798726f68825513b7ae3ebe97aaaa52114f039
-ENV MUSL_DIR=${HOME}/build-musl
-ENV BASH_SITE=https://ftp.gnu.org/gnu/bash
-ENV BASH_VERSION_=5.2.21
-ENV BASH_HASH c8e31bdc59b69aaffc5b36509905ba3e5cbb12747091d27b4b977f078560d5b8
-ENV BASH_FILE bash-${BASH_VERSION_}.tar.gz
-ENV BASH_DIR=${HOME}/build-bash
-ENV COREUTILS_SITE=https://ftp.gnu.org/gnu/coreutils
-ENV COREUTILS_VERSION=9.4
-ENV COREUTILS_HASH 5f600d9093973b0afe25393d9bc18c44f2232657f4ca0d95ea31c702eb66b739
-ENV COREUTILS_FILE coreutils-${COREUTILS_VERSION}.tar.gz
-ENV COREUTILS_DIR=${HOME}/build-coreutils
-
-FROM base as fetch
-WORKDIR /home/user
-RUN set -eux; \
-    curl --insecure -OJ ${MUSL_SITE}/${MUSL_FILE}; \
-    echo "${MUSL_HASH}  ${MUSL_FILE}" | sha256sum -c; \
-    curl --insecure -OJ ${BASH_SITE}/${BASH_FILE}; \
-    echo "${BASH_HASH}  ${BASH_FILE}" | sha256sum -c; \
-    curl --insecure -OJ ${COREUTILS_SITE}/${COREUTILS_FILE}; \
-    echo "${COREUTILS_HASH}  ${COREUTILS_FILE}" | sha256sum -c
-
-FROM fetch as build
-RUN set -eux; \
-    tar -xzf ${MUSL_FILE}; \
-    tar -xzf ${BASH_FILE}; \
-    tar -xzf ${COREUTILS_FILE}
-WORKDIR ${MUSL_DIR}
-RUN set -eux; \
-    ../musl-${MUSL_VERSION}/configure \
-        --prefix= \
-        --build=${BUILD} \
-        --host=${TARGET}; \
-    make
-WORKDIR ${BASH_DIR}
-RUN set -eux; \
-    echo "${BASH_VERSION_}"; \
-    ../bash-${BASH_VERSION_}/configure \
-        --build=${BUILD} \
-        --host=${TARGET} \
-        --prefix=/usr \
-        --bindir=/bin \
-        --mandir=/usr/share/man \
-        --infodir=/usr/share/info \
-        --disable-nls \
-        --enable-readline \
-        --without-curses \
-        --without-bash-malloc; \
-    make
-
-WORKDIR ${COREUTILS_DIR}
-RUN set -eux; \
-    echo "${COREUTILS_VERSION}"; \
-    ../coreutils-${COREUTILS_VERSION}/configure \
-        --build=${BUILD} \
-        --host=${TARGET} \
-        --prefix=/usr \
-        --bindir=/bin \
-        --mandir=/usr/share/man \
-        --infodir=/usr/share/info \
-        --disable-nls \
-        --enable-single-binary=symlinks; \
-    make
-
-FROM build as install
-USER 0:0
-RUN set -eux; \
-    env -C ${MUSL_DIR} make DESTDIR=/rootfs install; \
-    env -C ${BASH_DIR} make DESTDIR=/rootfs install; \
-    env -C ${COREUTILS_DIR} make DESTDIR=/rootfs install; \
-    find /rootfs -exec touch -hcd "@0" "{}" +
-
-FROM scratch as package
-COPY --from=install /rootfs /
-USER 1000:1000
-ENTRYPOINT ["/bin/bash"]
-ENV PATH=/x86_64-linux-musl/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-ENV USER=user
-ENV HOME=/home/user
-ENV TZ=UTC
-ENV LANG=C.UTF-8
-ENV SOURCE_DATE_EPOCH=1
-ENV KCONFIG_NOTIMESTAMP=1
-ENV PS1="stage3 $ "
--- a/src/compat.sh
+++ b/src/compat.sh
@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+set -e
+
+readonly MIN_BASH_VERSION=5
+readonly MIN_DOCKER_VERSION=25
+readonly MIN_JQ_VERSION=1.6
+readonly MIN_GPG_VERSION=2.2
+
+### Exit with error message
+die() {
+	echo "$@" >&2
+	exit 1
+}
+
+### Bail and instruct user on missing package to install for their platform
+die_pkg() {
+	local -r package=${1?}
+	local -r version=${2?}
+	local install_cmd
+	case "$OSTYPE" in
+		linux*)
+			if command -v "apt" >/dev/null; then
+				install_cmd="apt install ${package}"
+			elif command -v "yum" >/dev/null; then
+				install_cmd="yum install ${package}"
+			elif command -v "pacman" >/dev/null; then
+				install_cmd="pacman -Ss ${package}"
+			elif command -v "emerge" >/dev/null; then
+				install_cmd="emerge ${package}"
+			elif command -v "nix-env" >/dev/null; then
+				install_cmd="nix-env -i ${package}"
+			fi
+		;;
+		bsd*)     install_cmd="pkg install ${package}" ;;
+		darwin*)  install_cmd="port install ${package}" ;;
+		*) die "Error: Your operating system is not supported" ;;
+	esac
+	echo "Error: ${package} ${version}+ does not appear to be installed." >&2
+	[ -n "$install_cmd" ] && echo "Try: \`${install_cmd}\`"  >&2
+	exit 1
+}
+
+### Check if actual binary version is >= minimum version
+check_version(){
+	local pkg="${1?}"
+	local have="${2?}"
+	local need="${3?}"
+	local i ver1 ver2 IFS='.'
+	[[ "$have" == "$need" ]] && return 0
+	read -r -a ver1 <<< "$have"
+	read -r -a ver2 <<< "$need"
+	for ((i=${#ver1[@]}; i<${#ver2[@]}; i++));
+		do ver1[i]=0;
+	done
+	for ((i=0; i<${#ver1[@]}; i++)); do
+		[[ -z ${ver2[i]} ]] && ver2[i]=0
+		((10#${ver1[i]} > 10#${ver2[i]})) && return 0
+		((10#${ver1[i]} < 10#${ver2[i]})) && die_pkg "${pkg}" "${need}"
+	done
+}
+
+### Check if required binaries are installed at appropriate versions
+check_tools(){
+	if [ -z "${BASH_VERSINFO[0]}" ] \
+	|| [ "${BASH_VERSINFO[0]}" -lt "${MIN_BASH_VERSION}" ]; then
+		die_pkg "bash" "${MIN_BASH_VERSION}"
+	fi
+	for cmd in "$@"; do
+		command -v "$1" >/dev/null || die "Error: $cmd not found"
+		case $cmd in
+			jq)
+				version=$(jq -V | sed 's/.*-//g')
+				check_version "jq" "${version}" "${MIN_JQ_VERSION}"
+			;;
+			gpg)
+				version=$(gpg --version | head -n1 | cut -d" " -f3)
+				check_version "gnupg" "${version}" "${MIN_GPG_VERSION}"
+			;;
+            docker)
+				version=$(docker version -f json | jq -r '.Server.Version')
+				check_version "docker" "${version}" "${MIN_DOCKER_VERSION}"
+			;;
+		esac
+	done
+}
+
+check_tools jq gpg docker;
+
+docker info -f '{{ .DriverStatus }}' \
+    | grep "io.containerd.snapshotter.v1" >/dev/null \
+|| die "Error: Docker Engine is not using containerd for image storage"
--- a/src/core/_tests/go/Containerfile
+++ b/src/core/_tests/go/Containerfile
--- a/src/core/_tests/perl/Containerfile
+++ b/src/core/_tests/perl/Containerfile
--- a/src/core/_tests/python/Containerfile
+++ b/src/core/_tests/python/Containerfile
--- a/src/core/_tests/rust/Containerfile
+++ b/src/core/_tests/rust/Containerfile
--- a/src/core/autoconf/Containerfile
+++ b/src/core/autoconf/Containerfile
@ -1,13 +1,4 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/m4:latest as m4
-FROM ${REGISTRY}/perl:latest as perl
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE https://ftp.gnu.org/gnu/autoconf
 ENV SRC_VERSION 2.71
 ENV SRC_HASH f14c83cfebcc9427f2c3cea7258bd90df972d92eb26752da4ddad81c87a0faa4
@ -21,12 +12,12 @@ RUN set -eux; \
 FROM fetch as build
 RUN tar -xf ${SRC_FILE}
 WORKDIR autoconf-${SRC_VERSION}
-COPY --from=gcc . /
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
-COPY --from=m4 . /
-COPY --from=perl . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
+COPY --from=stagex/m4 . /
+COPY --from=stagex/perl . /
 ENV M4=/usr/bin/m4
 RUN set -eux; \
    ./configure \
@ -36,7 +27,7 @@ RUN set -eux; \
 from build as install
 USER 0:0
 RUN make DESTDIR=/rootfs install
-COPY --from=perl . /rootfs/
+COPY --from=stagex/perl . /rootfs/
 RUN find /rootfs -exec touch -hcd "@0" "{}" +

 FROM scratch as package
--- a/src/core/automake/Containerfile
+++ b/src/core/automake/Containerfile
@ -1,14 +1,4 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/perl:latest as perl
-FROM ${REGISTRY}/autoconf:latest as autoconf
-FROM ${REGISTRY}/m4:latest as m4
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://ftp.gnu.org/gnu/automake
 ENV SRC_VERSION=1.16.5
 ENV SRC_HASH=f01d58cd6d9d77fbdca9eb4bbd5ead1988228fdb73d6f7a201f5f8d6b118b469
@ -20,13 +10,13 @@ RUN tar -xf automake-${SRC_VERSION}.tar.xz

 FROM fetch as build
 WORKDIR automake-${SRC_VERSION}
-COPY --from=gcc . /
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
-COPY --from=perl . /
-COPY --from=m4 . /
-COPY --from=autoconf . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
+COPY --from=stagex/perl . /
+COPY --from=stagex/m4 . /
+COPY --from=stagex/autoconf . /
 RUN set -eux; \
    ./configure \
        --prefix=/usr; \
@ -35,8 +25,8 @@ RUN set -eux; \
 FROM build as install
 USER 0:0
 RUN make DESTDIR=/rootfs install
-COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
-COPY --from=perl . /rootfs/
+COPY --from=stagex/musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
+COPY --from=stagex/perl . /rootfs/
 RUN find /rootfs -exec touch -hcd "@0" "{}" +

 FROM scratch as package
--- a/src/core/bash/Containerfile
+++ b/src/core/bash/Containerfile
@ -1,11 +1,4 @@
-ARG REGISTRY=local
-from ${REGISTRY}/binutils as binutils
-from ${REGISTRY}/gcc as gcc
-from ${REGISTRY}/musl as musl
-from ${REGISTRY}/make as make
-from ${REGISTRY}/busybox as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://ftp.gnu.org/gnu/bash
 ENV SRC_VERSION=5.2.21
 ENV SRC_HASH=c8e31bdc59b69aaffc5b36509905ba3e5cbb12747091d27b4b977f078560d5b8
@ -19,10 +12,10 @@ RUN set -eux; \
 FROM fetch as build
 RUN tar -xzf ${SRC_FILE}
 WORKDIR bash-${SRC_VERSION}
-COPY --from=gcc . /
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
 RUN set -eux; \
    mkdir -p /home/user/rootfs/lib; \
    ./configure \
@ -41,7 +34,7 @@ RUN set -eux; \
 FROM build as install
 USER 0:0
 RUN make DESTDIR=/rootfs install
-COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
+COPY --from=stagex/musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
 RUN find /rootfs -exec touch -hcd "@0" "{}" +

 FROM scratch as package
--- a/src/core/binutils/Containerfile
+++ b/src/core/binutils/Containerfile
@ -1,15 +1,12 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/bootstrap:latest as bootstrap
-
-FROM bootstrap as base
+FROM stagex/stage3 as base
 ENV SRC_SITE https://ftp.gnu.org/gnu/binutils
-ENV SRC_VERSION 2.41
-ENV SRC_HASH ae9a5789e23459e59606e6714723f2d3ffc31c03174191ef0d015bdf06007450
+ENV SRC_VERSION 2.35
+ENV SRC_HASH 1b11659fb49e20e18db460d44485f09442c8c56d5df165de9461eb09c8302f85

 FROM base as fetch
+WORKDIR ${HOME}
 RUN wget ${SRC_SITE}/binutils-${SRC_VERSION}.tar.xz
-RUN echo "${SRC_HASH} binutils-${SRC_VERSION}.tar.xz" | sha256sum -c
+RUN echo "${SRC_HASH}  binutils-${SRC_VERSION}.tar.xz" | sha256sum -c

 FROM fetch as build
 RUN tar -xf binutils-${SRC_VERSION}.tar.xz
@ -52,7 +49,7 @@ RUN set -ex; \
 FROM build as install
 USER 0:0
 RUN make DESTDIR="/rootfs" install;
-COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
+COPY --from=stagex/musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
 RUN find /rootfs -exec touch -hcd "@0" "{}" +

 FROM scratch as package
--- a/src/core/build.mk
+++ b/src/core/build.mk
@ -7,21 +7,21 @@ core: \
 	out/gcc.tgz \
 	out/llvm.tgz

-out/musl.tgz: out/bootstrap.tgz
+out/musl.tgz: out/stage3.tgz
 	$(call build,core,musl)

-out/busybox.tgz: out/bootstrap.tgz
+out/busybox.tgz: out/stage3.tgz
 	$(call build,core,busybox)

-out/binutils.tgz: out/bootstrap.tgz
+out/binutils.tgz: out/stage3.tgz out/musl.tgz
 	$(call build,core,binutils)

-out/gcc.tgz: out/bootstrap.tgz out/musl.tgz
-	$(call build,core,gcc)
-
-out/make.tgz: out/bootstrap.tgz
+out/make.tgz: out/stage3.tgz
 	$(call build,core,make)

+out/gcc.tgz: out/stage3.tgz out/binutils.tgz out/musl.tgz
+	$(call build,core,gcc)
+
 out/bash.tgz: \
 	out/busybox.tgz \
 	out/gcc.tgz \
--- a/src/core/busybox/Containerfile
+++ b/src/core/busybox/Containerfile
@ -1,17 +1,14 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/bootstrap as bootstrap
-
-FROM bootstrap as base
+FROM stagex/stage3 as base
 ENV SRC_SITE=https://busybox.net/downloads
-ENV SRC_VERSION=1.35.0
-ENV SRC_HASH=faeeb244c35a348a334f4a59e44626ee870fb07b6884d68c10ae8bc19f83a694
+ENV SRC_VERSION=1.36.1
+ENV SRC_HASH=b8cc24c9574d809e7279c3be349795c5d5ceb6fdf19ca709f80cde50e47de314
 ENV SRC_FILE=busybox-${SRC_VERSION}.tar.bz2
 ENV KCONFIG_NOTIMESTAMP=1

 FROM base as fetch
-WORKDIR /home/user
+WORKDIR ${HOME}
 RUN set -eux; \
-    curl -O -J ${SRC_SITE}/${SRC_FILE}; \
+    wget ${SRC_SITE}/${SRC_FILE}; \
    echo "${SRC_HASH}  ${SRC_FILE}" | sha256sum -c

 FROM fetch as build
@ -19,9 +16,6 @@ RUN tar -xjf ${SRC_FILE}
 WORKDIR busybox-${SRC_VERSION}
 RUN set -eux; \
 	setConfs=' \
-		CONFIG_AR=y \
-		CONFIG_FEATURE_AR_CREATE=y \
-		CONFIG_FEATURE_AR_LONG_FILENAMES=y \
 		CONFIG_LAST_SUPPORTED_WCHAR=0 \
 		CONFIG_STATIC=y \
 	'; \
@ -55,7 +49,7 @@ RUN set -eux; \
 	for confV in $setConfs; do \
 		grep -q "^$confV\$" .config; \
 	done; \
-    make
+	make

 FROM build as install
 USER 0:0
@ -81,4 +75,4 @@ ENV TZ=UTC
 ENV LANG=C.UTF-8
 ENV SOURCE_DATE_EPOCH=1
 ENV KCONFIG_NOTIMESTAMP=1
-ENV PS1="busybox$ "
+ENV PS1="stage4 $ "
--- a/src/core/cmake/Containerfile
+++ b/src/core/cmake/Containerfile
@ -1,26 +1,14 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/curl:latest as curl
-FROM ${REGISTRY}/ninja:latest as ninja
-FROM ${REGISTRY}/openssl:latest as openssl
-FROM ${REGISTRY}/linux-headers:latest as linux-headers
-FROM ${REGISTRY}/openssl:latest as openssl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://cmake.org/files
 ENV SRC_VERSION=3.27.8
 ENV SRC_HASH=fece24563f697870fbb982ea8bf17482c9d5f855d8c9bf0b82463d76c9e8d0cc
-COPY --from=binutils . /
-COPY --from=ninja . /
-COPY --from=musl . /
-COPY --from=make . /
-COPY --from=linux-headers . /
-COPY --from=gcc . /
-COPY --from=openssl . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/ninja . /
+COPY --from=stagex/musl . /
+COPY --from=stagex/make . /
+COPY --from=stagex/linux-headers . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/openssl . /

 FROM base as fetch
 RUN wget --no-check-certificate ${SRC_SITE}/v3.27/cmake-${SRC_VERSION}.tar.gz
@ -44,11 +32,11 @@ RUN set -eux; \
 FROM build as install
 USER 0:0
 RUN DESTDIR=/rootfs bin/cmake -P cmake_install.cmake
-COPY --from=musl /lib/* /rootfs/lib/
-COPY --from=musl /usr/lib/* /rootfs/usr/lib/
-COPY --from=gcc /usr/lib/* /rootfs/usr/lib/
-COPY --from=gcc /usr/lib64/* /rootfs/usr/lib/
-COPY --from=openssl /usr/lib/* /rootfs/usr/lib/
+COPY --from=stagex/musl /lib/* /rootfs/lib/
+COPY --from=stagex/musl /usr/lib/* /rootfs/usr/lib/
+COPY --from=stagex/gcc /usr/lib/* /rootfs/usr/lib/
+COPY --from=stagex/gcc /usr/lib64/* /rootfs/usr/lib/
+COPY --from=stagex/openssl /usr/lib/* /rootfs/usr/lib/
 RUN find /rootfs -exec touch -hcd "@0" "{}" +

 FROM scratch as package
--- a/src/core/gcc/Containerfile
+++ b/src/core/gcc/Containerfile
@ -1,9 +1,4 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/bootstrap:latest as bootstrap
-
-FROM bootstrap as base
+FROM stagex/stage3 as base
 ENV VERSION 12.2.0
 ENV SRC_FILE gcc-$VERSION.tar.xz
 ENV SRC_SITE https://mirrors.kernel.org/gnu/gcc/gcc-${VERSION}
@ -19,6 +14,7 @@ ENV ISL_FILE isl-0.24.tar.bz2
 ENV ISL_HASH fcf78dd9656c10eb8cf9fbd5f59a0b6b01386205fe1934b3b287a0a1898145c0

 FROM base as fetch
+WORKDIR ${HOME}
 RUN set -eux; \
    wget ${SRC_SITE}/${SRC_FILE}; \
    echo "${SRC_HASH}  ${SRC_FILE}" | sha256sum -c; \
@ -36,41 +32,44 @@ RUN tar -xf ${SRC_FILE}
 WORKDIR gcc-${VERSION}
 RUN set -eux; \
    mv ../*.tar.* .; \
-	./contrib/download_prerequisites; \
-	./configure \
+    ./contrib/download_prerequisites; \
+    ./configure \
        --target=x86_64-linux-musl \
-		--build=x86_64-linux-musl \
-		--host=x86_64-linux-musl \
+        --build=x86_64-linux-musl \
+        --host=x86_64-linux-musl \
        --prefix=/usr \
        --mandir=/usr/share/man \
        --infodir=/usr/share/info \
        --libdir=/usr/lib \
        --disable-cet \
-		--disable-fixed-point \
-		--disable-libstdcxx-pch \
-		--disable-multilib \
-		--disable-nls \
-		--disable-werror \
+        --disable-fixed-point \
+        --disable-libstdcxx-pch \
+        --disable-multilib \
+        --disable-libsanitizer \
+        --disable-nls \
+        --disable-werror \
        --enable-__cxa_atexit \
-		--enable-default-pie \
-		--enable-default-ssp \
-		--enable-languages=c,c++ \
-		--enable-link-serialization=2 \
-		--enable-linker-build-id; \
-	make -j "$(nproc)"
+        --enable-default-pie \
+        --enable-default-ssp \
+        --enable-languages=c,c++ \
+        --enable-link-serialization=2 \
+        --enable-linker-build-id; \
+    make
+
+from build as package

 FROM build as install
 USER 0:0
 RUN set -eux; \
    make DESTDIR=/rootfs install-strip; \
    ln -s gcc /rootfs/usr/bin/cc
-COPY --from=musl /lib/* /rootfs/lib/
+COPY --from=stagex/musl /lib/* /rootfs/lib/
 RUN find /rootfs -exec touch -hcd "@0" "{}" +

 FROM busybox as test
 COPY --from=install /rootfs /
-COPY --from=binutils . /
-COPY --from=musl . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/musl . /
 ADD test.c .
 RUN set -eux; \
    gcc test.c -static -o main; \
--- a/src/core/go/Containerfile
+++ b/src/core/go/Containerfile
@ -1,12 +1,4 @@
-ARG REGISTRY=local
-ARG BUSYBOX_VERSION=latest
-FROM ${REGISTRY}/bash:latest as bash
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/busybox:${BUSYBOX_VERSION} as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV GOOS=linux
 ENV CGO_ENABLED=0
 ENV VERSION=1.21.4
@ -18,15 +10,10 @@ ENV SRC_HASH_BOOTSTRAP_2=e25c9ab72d811142b7f41ff6da5165fec2d1be5feec3ef2c66bc0bd
 ENV VERSION_BOOTSTRAP_1=1.4-bootstrap-20171003
 ENV SRC_SITE_BOOTSTRAP_1=https://dl.google.com/go
 ENV SRC_HASH_BOOTSTRAP_1=f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52
-COPY --from=gcc . /
-COPY --from=gcc . /
-COPY --from=bash . /
-COPY --from=musl . /
-COPY --from=binutils . /
-# Hack to work around busybox ar breaking the build
-USER 0:0
-RUN rm /bin/ar
-USER 1000:1000
+COPY --from=stagex/gcc . /
+COPY --from=stagex/bash . /
+COPY --from=stagex/musl . /
+COPY --from=stagex/binutils . /

 FROM base as fetch
 RUN set -eux; \
--- a/src/core/libtool/Containerfile
+++ b/src/core/libtool/Containerfile
@ -1,22 +1,12 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/m4:latest as m4
-FROM ${REGISTRY}/bash:latest as bash
-FROM ${REGISTRY}/sed:latest as sed
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://ftp.gnu.org/gnu/libtool
 ENV SRC_VERSION=2.4.6
 ENV SRC_HASH=7c87a8c2c8c0fc9cd5019e402bed4292462d00a718a7cd5f11218153bf28b26f
-COPY --from=gcc . /
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
-COPY --from=m4 . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
+COPY --from=stagex/m4 . /

 FROM base as fetch
 RUN wget ${SRC_SITE}/libtool-${SRC_VERSION}.tar.xz
@ -33,9 +23,9 @@ RUN set -eux; \
 FROM build as install
 USER 0:0
 RUN make DESTDIR=/rootfs install
-COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
-COPY --from=bash . /rootfs
-COPY --from=sed . /rootfs
+COPY --from=stagex/musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
+COPY --from=stagex/bash . /rootfs
+COPY --from=stagex/sed . /rootfs
 RUN ln -s /bin/bash /rootfs/bin/sh
 RUN find /rootfs -exec touch -hcd "@0" "{}" +

--- a/src/core/libunwind/Containerfile
+++ b/src/core/libunwind/Containerfile
@ -1,24 +1,14 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc as gcc
-FROM ${REGISTRY}/binutils as binutils
-FROM ${REGISTRY}/musl as musl
-FROM ${REGISTRY}/make as make
-FROM ${REGISTRY}/autoconf as autoconf
-FROM ${REGISTRY}/automake as automake
-FROM ${REGISTRY}/libtool as libtool
-FROM ${REGISTRY}/busybox as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://github.com/libunwind/libunwind/releases/download
 ENV SRC_VERSION=1.7.2
 ENV SRC_HASH=a18a6a24307443a8ace7a8acc2ce79fbbe6826cd0edf98d6326d0225d6a5d6e6
-COPY --from=gcc . /
-COPY --from=make . /
-COPY --from=musl . /
-COPY --from=binutils . /
-COPY --from=autoconf . /
-COPY --from=automake . /
-COPY --from=libtool . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/autoconf . /
+COPY --from=stagex/automake . /
+COPY --from=stagex/libtool . /

 FROM base as fetch
 RUN wget ${SRC_SITE}/v${SRC_VERSION}/libunwind-${SRC_VERSION}.tar.gz
--- a/src/core/linux-headers/Containerfile
+++ b/src/core/linux-headers/Containerfile
@ -1,13 +1,12 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/bootstrap:latest as base
+FROM stagex/stage3 as base
+WORKDIR ${HOME}
 ENV SRC_SITE https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/
 ENV SRC_VERSION 6.6
 ENV SRC_HASH d926a06c63dd8ac7df3f86ee1ffc2ce2a3b81a2d168484e76b5b389aba8e56d0

 FROM base as fetch
 RUN wget ${SRC_SITE}/linux-${SRC_VERSION}.tar.xz
-RUN echo "${SRC_HASH} linux-${SRC_VERSION}.tar.xz" | sha256sum -c
+RUN echo "${SRC_HASH}  linux-${SRC_VERSION}.tar.xz" | sha256sum -c

 FROM fetch as build
 RUN tar -xf linux-${SRC_VERSION}.tar.xz
--- a/src/core/llvm/Containerfile
+++ b/src/core/llvm/Containerfile
@ -1,31 +1,19 @@
-ARG REGISTRY=local
 ARG VERSION=16.0.6
-FROM ${REGISTRY}/gcc as gcc
-FROM ${REGISTRY}/binutils as binutils
-FROM ${REGISTRY}/musl as musl
-FROM ${REGISTRY}/openssl as openssl
-FROM ${REGISTRY}/python as python
-FROM ${REGISTRY}/py-setuptools as py-setuptools
-FROM ${REGISTRY}/cmake as cmake
-FROM ${REGISTRY}/ninja as ninja
-FROM ${REGISTRY}/busybox as busybox
-FROM ${REGISTRY}/openssl as openssl
-
-FROM busybox as base
+FROM stagex/busybox as base
 ARG VERSION
 ENV VERSION=${VERSION}
 ENV SRC_VERSION=${VERSION}
 ENV SRC_SITE=https://github.com/llvm/llvm-project/releases/download
 ENV SRC_HASH_13_0_1=326335a830f2e32d06d0a36393b5455d17dc73e0bd1211065227ee014f92cbf8
 ENV SRC_HASH_16_0_6=ce5e71081d17ce9e86d7cbcfa28c4b04b9300f8fb7e78422b1feb6bc52c3028e
-COPY --from=binutils . /
-COPY --from=cmake . /
-COPY --from=ninja . /
-COPY --from=musl . /
-COPY --from=gcc . /
-COPY --from=python . /
-COPY --from=py-setuptools . /
-COPY --from=openssl . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/cmake . /
+COPY --from=stagex/ninja . /
+COPY --from=stagex/musl . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/python . /
+COPY --from=stagex/py-setuptools . /
+COPY --from=stagex/openssl . /

 FROM base as fetch
 RUN wget --no-check-certificate ${SRC_SITE}/llvmorg-${SRC_VERSION}/llvm-project-${SRC_VERSION}.src.tar.xz
@ -79,9 +67,9 @@ USER 0:0
 RUN set -eux; \
    DESTDIR="/rootfs" cmake --install build; \
 	python3 llvm/utils/lit/setup.py install --root="/rootfs"
-COPY --from=musl /lib/* /rootfs/lib/
-COPY --from=gcc /usr/lib/* /rootfs/usr/lib/
-COPY --from=gcc /usr/lib64/* /rootfs/usr/lib/
+COPY --from=stagex/musl /lib/* /rootfs/lib/
+COPY --from=stagex/gcc /usr/lib/* /rootfs/usr/lib/
+COPY --from=stagex/gcc /usr/lib64/* /rootfs/usr/lib/
 RUN ln -s lit /rootfs/usr/bin/llvm-lit
 RUN find /rootfs -exec touch -hcd "@0" "{}" +

--- a/src/core/m4/Containerfile
+++ b/src/core/m4/Containerfile
@ -0,0 +1,31 @@
+FROM stagex/busybox as base
+ENV SRC_SITE=https://ftp.gnu.org/gnu/m4
+ENV SRC_VERSION=1.4.18
+ENV SRC_HASH=ab2633921a5cd38e48797bf5521ad259bdc4b979078034a3b790d7fec5493fab
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
+
+FROM base as fetch
+RUN wget ${SRC_SITE}/m4-${SRC_VERSION}.tar.gz
+RUN echo "${SRC_HASH}  m4-${SRC_VERSION}.tar.gz" | sha256sum -c
+
+FROM fetch as build
+RUN tar -xzf m4-${SRC_VERSION}.tar.gz
+WORKDIR m4-${SRC_VERSION}
+RUN set -eux; \
+    ./configure \
+        --prefix=/usr; \
+    make;
+
+FROM build as install
+USER 0:0
+RUN make DESTDIR=/rootfs install
+COPY --from=stagex/musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
+RUN find /rootfs -exec touch -hcd "@0" "{}" +
+
+FROM scratch as package
+COPY --from=install /rootfs /
+ENTRYPOINT ["/usr/bin/m4"]
+CMD ["--version"]
--- a/src/core/m4/Dockerfile
+++ b/src/core/m4/Dockerfile
@ -1,38 +0,0 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
-COPY --from=gcc . /
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
-ENV SRC_SITE=https://ftp.gnu.org/gnu/m4
-ENV SRC_VERSION=1.4.19
-ENV SRC_HASH=63aede5c6d33b6d9b13511cd0be2cac046f2e70fd0a07aa9573a04a82783af96
-
-FROM base as fetch
-RUN wget ${SRC_SITE}/m4-${SRC_VERSION}.tar.xz
-RUN echo "${SRC_HASH}  m4-${SRC_VERSION}.tar.xz" | sha256sum -c
-
-FROM fetch as build
-RUN tar -xf m4-${SRC_VERSION}.tar.xz
-WORKDIR m4-${SRC_VERSION}
-RUN set -eux; \
-    ./configure \
-        --prefix=/usr; \
-    make;
-
-FROM build as install
-USER 0:0
-RUN make DESTDIR=/rootfs install
-COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
-RUN find /rootfs -exec touch -hcd "@0" "{}" +
-
-FROM scratch as package
-COPY --from=install /rootfs /
-ENTRYPOINT ["/usr/bin/m4"]
-CMD ["--version"]
--- a/src/core/make/Containerfile
+++ b/src/core/make/Containerfile
@ -1,34 +1,30 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/bootstrap:latest as bootstrap
-
-FROM bootstrap as base
+FROM stagex/stage3 as base
 ENV SRC_SITE https://ftp.gnu.org/gnu/make
 ENV SRC_VERSION 4.4
 ENV SRC_HASH 581f4d4e872da74b3941c874215898a7d35802f03732bdccee1d4a7979105d18

 FROM base as fetch
+WORKDIR ${HOME}
 RUN wget ${SRC_SITE}/make-${SRC_VERSION}.tar.gz
-RUN echo "${SRC_HASH} make-${SRC_VERSION}.tar.gz" | sha256sum -c
+RUN echo "${SRC_HASH}  make-${SRC_VERSION}.tar.gz" | sha256sum -c

 FROM fetch as build
 RUN tar -xf make-${SRC_VERSION}.tar.gz
 WORKDIR make-${SRC_VERSION}
 RUN set -ex; \
    ./configure \
-        --build=x86_64-linux-musl \
-        --host=x86_64-linux-musl \
-        --target=x86_64-linux-musl \
+        --build=${TARGET} \
+        --host=${TARGET} \
        --prefix=/usr \
        --mandir=/usr/share/man \
        --infodir=/usr/share/info \
        --disable-nls; \
-	make -j "$(nproc)"
+    make

 FROM build as install
 USER 0:0
 RUN make DESTDIR="/rootfs" install
-COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
+COPY --from=stagex/musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
 RUN find /rootfs -exec touch -hcd "@0" "{}" +

 FROM scratch as package
--- a/src/core/musl/Containerfile
+++ b/src/core/musl/Containerfile
@ -1,17 +1,15 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/bootstrap:latest as bootstrap
-
-FROM bootstrap as base
+FROM stagex/stage3 as base
 ENV SRC_SITE http://musl.libc.org
 ENV SRC_VERSION 1.2.4
 ENV SRC_HASH 7a35eae33d5372a7c0da1188de798726f68825513b7ae3ebe97aaaa52114f039
 ENV CFLAGS="-Os -fstack-clash-protection -Wformat -Werror=format-security"
 ENV CXXFLAGS="-Os -fstack-clash-protection -Wformat -Werror=format-security -D_GLIBCXX_ASSERTIONS=1 -D_LIBCPP_ENABLE_THREAD_SAFETY_ANNOTATIONS=1 -D_LIBCPP_ENABLE_HARDENED_MODE=1"
-ENV LDFLAGS="-Wl,--as-needed,-O1,--sort-common -Wl,-soname,libc.musl-x86_64.so.1"
+ENV LDFLAGS="-Wl,--as-needed,-O1,--sort-common -Wl,-soname,libc.musl-${ARCH}.so.1"

 FROM base as fetch
+WORKDIR ${HOME}
 RUN wget ${SRC_SITE}/releases/musl-$SRC_VERSION.tar.gz
-RUN echo "${SRC_HASH} musl-${SRC_VERSION}.tar.gz" | sha256sum -c
+RUN echo "${SRC_HASH}  musl-${SRC_VERSION}.tar.gz" | sha256sum -c

 FROM fetch as build
 RUN tar -xzf musl-${SRC_VERSION}.tar.gz
@ -22,8 +20,8 @@ RUN set -eux; \
    patch -p1 < lfs64.patch; \
    patch -p1 < lfs64-2.patch; \
    ./configure \
-        --build=x86_64-linux-musl \
-        --host=x86_64-linux-musl \
+        --build=${ARCH}-linux-musl \
+        --host=${ARCH}-linux-musl \
        --prefix=/usr \
        --sysconfdir=/etc \
        --mandir=/usr/share/man \
@ -37,12 +35,12 @@ USER 0:0
 RUN set -eux; \
    make DESTDIR=/rootfs install; \
    mkdir -p /rootfs/usr/bin; \
-    printf "%s\n%s\n" '#!/bin/sh' 'exec /lib/ld-musl-x86_64.so.1 --list "$@"' \
+    printf "%s\n%s\n" '#!/bin/sh' 'exec /lib/ld-musl-${ARCH}.so.1 --list "$@"' \
        > /rootfs/usr/bin/ldd; \
    chmod 755 /rootfs/usr/bin/ldd; \
-    mv -f /rootfs/usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1; \
-    ln -sf ld-musl-x86_64.so.1 /rootfs/lib/libc.musl-x86_64.so.1; \
-    ln -sf ../../lib/ld-musl-x86_64.so.1 /rootfs/usr/lib/libc.so; \
+    mv -f /rootfs/usr/lib/libc.so /rootfs/lib/ld-musl-${ARCH}.so.1; \
+    ln -sf ld-musl-${ARCH}.so.1 /rootfs/lib/libc.musl-${ARCH}.so.1; \
+    ln -sf ../../lib/ld-musl-${ARCH}.so.1 /rootfs/usr/lib/libc.so; \
    find /rootfs -exec touch -hcd "@0" "{}" +

 FROM scratch as package
--- a/src/core/ninja/Containerfile
+++ b/src/core/ninja/Containerfile
@ -1,23 +1,13 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/python:latest as python
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/busybox:latest as busybox
-FROM ${REGISTRY}/ca-certificates:latest as ca-certificates
-FROM ${REGISTRY}/openssl:latest as openssl
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://github.com/martine/ninja/archive/
 ENV SRC_VERSION=1.9.0
 ENV SRC_HASH=5d7ec75828f8d3fd1a0c2f31b5b0cea780cdfe1031359228c428c1a48bfcd5b9
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=python . /
-COPY --from=musl . /
-COPY --from=gcc . /
-COPY --from=openssl . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/python . /
+COPY --from=stagex/musl . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/openssl . /
 FROM ${REGISTRY}/busybox:latest as busybox

 FROM base as fetch
@ -30,7 +20,7 @@ WORKDIR ninja-${SRC_VERSION}
 ADD fix-musl.patch .
 RUN patch -p1 < fix-musl.patch
 # HACK: figure out why gcc package puts these in the wrong path at install time
-COPY --from=gcc /usr/lib64/* /usr/lib/
+COPY --from=stagex/gcc /usr/lib64/* /usr/lib/
 RUN set -eux; \
    python3 ./configure.py --bootstrap

@ -40,8 +30,8 @@ RUN set -eux; \
    mkdir -p /rootfs/usr/bin/; \
    cp ninja /rootfs/usr/bin/
 # HACK: figure out why gcc package puts these in the wrong path at install time
-COPY --from=gcc /usr/lib64/* /rootfs/usr/lib/
-COPY --from=musl . /rootfs/
+COPY --from=stagex/gcc /usr/lib64/* /rootfs/usr/lib/
+COPY --from=stagex/musl . /rootfs/
 RUN find /rootfs -exec touch -hcd "@0" "{}" +

 FROM scratch as package
--- a/src/core/openssl/Containerfile
+++ b/src/core/openssl/Containerfile
@ -1,22 +1,13 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/perl:latest as perl
-FROM ${REGISTRY}/linux-headers:latest as linux-headers
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://www.openssl.org/source
 ENV SRC_VERSION=3.0.12
 ENV SRC_HASH=f93c9e8edde5e9166119de31755fc87b4aa34863662f67ddfcba14d0b6b69b61
-COPY --from=gcc . /
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
-COPY --from=perl . /
-COPY --from=linux-headers . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
+COPY --from=stagex/perl . /
+COPY --from=stagex/linux-headers . /

 FROM base as fetch
 RUN wget ${SRC_SITE}/openssl-${SRC_VERSION}.tar.gz
--- a/src/core/perl/Containerfile
+++ b/src/core/perl/Containerfile
@ -1,18 +1,11 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://www.cpan.org/src/5.0
 ENV SRC_VERSION=5.38.0
 ENV SRC_HASH=eca551caec3bc549a4e590c0015003790bdd1a604ffe19cc78ee631d51f7072e
-COPY --from=gcc . /
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /

 FROM base as fetch
 RUN wget ${SRC_SITE}/perl-${SRC_VERSION}.tar.xz
@ -22,6 +15,13 @@ FROM fetch as build
 RUN tar -xf perl-${SRC_VERSION}.tar.xz
 WORKDIR perl-${SRC_VERSION}
 RUN set -eux; \
+    printf "\
+osvers=\"gnulinux\"\n\
+myuname=\"dummy_uname\"\n\
+myhostname=\"builder\"\n\
+cf_by=\"builder\"\n\
+cf_time=\"0\"" \
+    > config.over; \
 	./Configure \
        -des \
 		-Dcccdlflags='-fPIC' \
@ -56,7 +56,7 @@ USER 0:0
 RUN set -eux; \
    make DESTDIR=/rootfs install; \
    mkdir -p /rootfs/lib
-COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
+COPY --from=stagex/musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
 RUN find /rootfs -exec touch -hcd "@0" "{}" +

 FROM scratch as package
--- a/src/core/pkgconf/Containerfile
+++ b/src/core/pkgconf/Containerfile
@ -1,18 +1,11 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://distfiles.ariadne.space/pkgconf/
 ENV SRC_VERSION=1.6.3
 ENV SRC_HASH=61f0b31b0d5ea0e862b454a80c170f57bad47879c0c42bd8de89200ff62ea210
-COPY --from=gcc . /
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /

 FROM base as fetch
 RUN wget ${SRC_SITE}/pkgconf-${SRC_VERSION}.tar.xz
@ -31,7 +24,7 @@ USER 0:0
 RUN set -eux; \
    make DESTDIR=/rootfs install; \
    ln -s pkgconf /rootfs/usr/bin/pkg-config
-COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
+COPY --from=stagex/musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
 RUN find /rootfs -exec touch -hcd "@0" "{}" +

 FROM scratch as package
--- a/src/core/py-setuptools/Containerfile
+++ b/src/core/py-setuptools/Containerfile
@ -1,12 +1,8 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/python:latest as python
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://pypi.io/packages/source/s/setuptools
 ENV SRC_VERSION=68.2.2
 ENV SRC_HASH=4ac1475276d2f1c48684874089fefcd83bd7162ddaafb81fac866ba0db282a87
-COPY --from=python . /
+COPY --from=stagex/python . /

 FROM base as fetch
 RUN wget ${SRC_SITE}/setuptools-${SRC_VERSION}.tar.gz
--- a/src/core/python/Containerfile
+++ b/src/core/python/Containerfile
@ -1,12 +1,4 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/openssl:latest as openssl
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://www.python.org/ftp/python
 ENV SRC_VERSION=3.12.0
 ENV SRC_HASH=795c34f44df45a0e9b9710c8c71c15c671871524cd412ca14def212e8ccb155d
@ -18,20 +10,19 @@ RUN echo "${SRC_HASH}  Python-${SRC_VERSION}.tar.xz" | sha256sum -c
 FROM fetch as build
 RUN tar -xf Python-${SRC_VERSION}.tar.xz
 WORKDIR Python-${SRC_VERSION}
-COPY --from=gcc . /
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
-COPY --from=openssl . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
+COPY --from=stagex/openssl . /
+ENV PYTHONHASHSEED=0
+ENV PYTHONDONTWRITEBYTECODE=1
 RUN set -eux; \
    ./configure \
 		--build="x86_64-linux-musl" \
 		--host="x86_64-linux-musl" \
        --prefix=/usr \
-        --enable-ipv6 \
-		--enable-optimizations \
 		--enable-shared \
-		--with-lto \
 		--with-computed-gotos \
 		--without-ensurepip; \
    make
@ -41,7 +32,7 @@ USER 0:0
 RUN set -eux; \
    make DESTDIR=/rootfs install; \
    ln -s /usr/bin/python3 /rootfs/usr/bin/python
-COPY --from=musl . /rootfs/
+COPY --from=stagex/musl . /rootfs/
 RUN find /rootfs -exec touch -hcd "@0" "{}" +

 FROM scratch as package
--- a/src/core/rust/Containerfile
+++ b/src/core/rust/Containerfile
@ -1,24 +1,8 @@
-ARG REGISTRY=local
 ARG VERSION=1.74.0
 ARG BUILD_VERSION=1.73.0
 ARG LLVM_VERSION=13.0.1
-FROM ${REGISTRY}/gcc as gcc
-FROM ${REGISTRY}/binutils as binutils
-FROM ${REGISTRY}/musl as musl
-FROM ${REGISTRY}/bash as bash
-FROM ${REGISTRY}/make as make
-FROM ${REGISTRY}/cmake as cmake
-FROM ${REGISTRY}/perl as perl
-FROM ${REGISTRY}/libunwind as libunwind
-FROM ${REGISTRY}/python as python
-FROM ${REGISTRY}/py-setuptools as py-setuptools
-FROM ${REGISTRY}/zlib as zlib
-FROM ${REGISTRY}/openssl as openssl
-FROM ${REGISTRY}/pkgconf as pkgconf
-FROM ${REGISTRY}/llvm:${LLVM_VERSION} as llvm
-FROM ${REGISTRY}/busybox as busybox

-FROM busybox as base
+FROM stagex/busybox as base
 ENV BOOTSTRAP_VERSION=1.54.0
 ENV SRC_SITE=https://static.rust-lang.org/dist
 ENV MRUSTC_VERSION=16d744fd62e74a2d4356df864b5850bf782918da
@ -53,20 +37,20 @@ ARG BUILD_VERSION
 ENV BUILD_VERSION=${BUILD_VERSION}
 ARG LLVM_VERSION
 ENV LLVM_VERSION=${LLVM_VERSION}
-COPY --from=binutils . /
-COPY --from=bash . /
-COPY --from=make . /
-COPY --from=cmake . /
-COPY --from=python . /
-COPY --from=py-setuptools . /
-COPY --from=zlib . /
-COPY --from=pkgconf . /
-COPY --from=openssl . /
-COPY --from=llvm . /
-COPY --from=perl . /
-COPY --from=gcc . /
-COPY --from=libunwind . /
-COPY --from=musl . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/bash . /
+COPY --from=stagex/make . /
+COPY --from=stagex/cmake . /
+COPY --from=stagex/python . /
+COPY --from=stagex/py-setuptools . /
+COPY --from=stagex/zlib . /
+COPY --from=stagex/pkgconf . /
+COPY --from=stagex/openssl . /
+COPY --from=stagex/llvm . /
+COPY --from=stagex/perl . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/libunwind . /
+COPY --from=stagex/musl . /

 FROM base as bootstrap-fetch
 RUN set -eux; \
@ -109,9 +93,9 @@ RUN set -eux; \
    mv /rootfs/bin/cargo /rootfs/usr/bin/; \
    mv /rootfs/lib/rustlib /rootfs/usr/lib/rustlib; \
    mv /rootfs/usr/lib/rustlib/x86_64-unknown-linux-musl/lib/librustc_driver.so /rootfs/usr/lib/
-COPY --from=musl /lib/* /rootfs/lib/
-COPY --from=gcc /usr/lib/* /rootfs/usr/lib/
-COPY --from=gcc /usr/lib64/* /rootfs/usr/lib/
+COPY --from=stagex/musl /lib/* /rootfs/lib/
+COPY --from=stagex/gcc /usr/lib/* /rootfs/usr/lib/
+COPY --from=stagex/gcc /usr/lib64/* /rootfs/usr/lib/
 RUN find /rootfs -exec touch -hcd "@0" "{}" +

 FROM scratch as bootstrap-package
@ -158,6 +142,7 @@ RUN set -eux; \
        --set="rust.deny-warnings=false" \
        --set="rust.parallel-compiler=false" \
        --set="rust.remap-debuginfo=true" \
+        --set="rust.llvm-libunwind=system" \
        --set="build.full-bootstrap=true" \
        --set="target.x86_64-unknown-linux-musl.crt-static=false" \
        --set="target.x86_64-unknown-linux-musl.musl-root=/usr" \
@ -170,11 +155,20 @@ RUN set -eux; \

 FROM build as install
 USER 0:0
-RUN python3 x.py install
-COPY --from=musl /lib/* /rootfs/lib/
-COPY --from=gcc /usr/lib/* /rootfs/usr/lib/
-COPY --from=gcc /usr/lib64/* /rootfs/usr/lib/
-COPY --from=llvm /usr/lib/* /rootfs/usr/lib/
+RUN set -eux; \
+    python3 x.py install; \
+    cd /rootfs/usr/lib/rustlib; \
+    rm install.log; \
+    sort -o manifest-cargo manifest-cargo; \
+    sort -o manifest-rustc manifest-rustc; \
+    sort -o \
+        manifest-rust-std-x86_64-unknown-linux-musl \
+        manifest-rust-std-x86_64-unknown-linux-musl; \
+    rm -f x86_64-unknown-linux-musl/lib/self-contained/libunwind.a
+COPY --from=stagex/musl /lib/* /rootfs/lib/
+COPY --from=stagex/gcc /usr/lib/* /rootfs/usr/lib/
+COPY --from=stagex/gcc /usr/lib64/* /rootfs/usr/lib/
+COPY --from=stagex/llvm /usr/lib/* /rootfs/usr/lib/
 RUN find /rootfs -exec touch -hcd "@0" "{}" +

 FROM scratch as package
--- a/src/core/sed/Containerfile
+++ b/src/core/sed/Containerfile
@ -1,19 +1,11 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/bash:latest as bash
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://ftp.gnu.org/gnu/sed
 ENV SRC_VERSION=4.9
 ENV SRC_HASH=6e226b732e1cd739464ad6862bd1a1aba42d7982922da7a53519631d24975181
-COPY --from=gcc . /
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /

 FROM base as fetch
 RUN wget ${SRC_SITE}/sed-${SRC_VERSION}.tar.xz
@ -30,7 +22,7 @@ RUN set -eux; \
 FROM build as install
 USER 0:0
 RUN make DESTDIR=/rootfs install
-COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
+COPY --from=stagex/musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
 RUN find /rootfs -exec touch -hcd "@0" "{}" +

 FROM scratch as package
--- a/src/core/zlib/Containerfile
+++ b/src/core/zlib/Containerfile
@ -1,18 +1,11 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://www.zlib.net/
-ENV SRC_VERSION=1.3
-ENV SRC_HASH=ff0ba4c292013dbc27530b3a81e1f9a813cd39de01ca5e0f8bf355702efa593e
-COPY --from=gcc . /
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
+ENV SRC_VERSION=1.3.1
+ENV SRC_HASH=9a93b2b7dfdac77ceba5a558a580e74667dd6fede4585b91eefb60f03b72df23
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /

 FROM base as fetch
 RUN wget ${SRC_SITE}/zlib-${SRC_VERSION}.tar.gz
--- a/src/libs/ca-certificates/Containerfile
+++ b/src/libs/ca-certificates/Containerfile
@ -1,5 +1,4 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/busybox:latest as base
+FROM stagex/busybox as base

 FROM base as install
 USER 0:0
--- a/src/libs/libxml2/Containerfile
+++ b/src/libs/libxml2/Containerfile
@ -1,30 +1,17 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/autoconf:latest as autoconf
-FROM ${REGISTRY}/automake:latest as automake
-FROM ${REGISTRY}/libtool:latest as libtool
-FROM ${REGISTRY}/pkgconf:latest as pkgconf
-FROM ${REGISTRY}/python:latest as python
-FROM ${REGISTRY}/m4:latest as m4
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://gitlab.gnome.org/GNOME/libxml2/-/archive
 ENV SRC_VERSION=2.12.1
 ENV SRC_HASH=1090e62c5a1900429f63e4681263b96e7829876ccbc66cf2d9266cd589f67286
-COPY --from=gcc . /
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
-COPY --from=python . /
-COPY --from=autoconf . /
-COPY --from=automake . /
-COPY --from=pkgconf . /
-COPY --from=libtool . /
-COPY --from=m4 . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
+COPY --from=stagex/python . /
+COPY --from=stagex/autoconf . /
+COPY --from=stagex/automake . /
+COPY --from=stagex/pkgconf . /
+COPY --from=stagex/libtool . /
+COPY --from=stagex/m4 . /

 FROM base as fetch
 RUN wget ${SRC_SITE}/v${SRC_VERSION}/libxml2-v${SRC_VERSION}.tar.gz
--- a/src/macros.mk
+++ b/src/macros.mk
@ -26,25 +26,35 @@ define build
 	$(eval VERSION := $(if $(3),$(3),latest))
 	$(eval TARGET := $(if $(4),$(4),package))
 	$(eval EXTRA_ARGS := $(if $(5),$(5),))
+	$(eval REVISION := $(shell git rev-list HEAD -1 src/$(CATEGORY)/$(NAME)))
 	$(eval BUILD_CMD := \
 		DOCKER_BUILDKIT=1 \
+		BUILDKIT_MULTI_PLATFORM=1 \
 		SOURCE_DATE_EPOCH=1 \
 		$(BUILDER) \
 			build \
 			--ulimit nofile=2048:16384 \
-			-t $(REGISTRY)/$(NAME):$(VERSION) \
+			--tag $(REGISTRY)/$(NAME):$(VERSION) \
 			--build-arg REGISTRY=$(REGISTRY) \
 			--platform $(PLATFORM) \
-			--network=host \
 			--progress=plain \
 			$(if $(filter latest,$(VERSION)),,--build-arg VERSION=$(VERSION)) \
+			--output type=oci,force-compression=true,name=$(NAME),annotation.org.opencontainers.image.revision=$(REVISION),annotation.org.opencontainers.image.version=$(VERSION),dest=$(basename $@).tar \
 			--target $(TARGET) \
 			$(EXTRA_ARGS) \
+			$(NOCACHE_FLAG) \
+			-f src/$(CATEGORY)/$(NAME)/Containerfile \
 			src/$(CATEGORY)/$(NAME) \
+			&& tar -tf $(basename $@).tar \
+			&& gzip < $(basename $@).tar > $@ \
+			&& rm $(basename $@).tar \
+			&& gunzip -c $@ | docker load; \
 	)
 	$(eval TIMESTAMP := $(shell TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ"))
 	mkdir -p out/
 	echo $(TIMESTAMP) $(BUILD_CMD) >> out/build.log
 	$(BUILD_CMD)
-	$(if $(filter package,$(TARGET)),$(BUILDER) save $(REGISTRY)/$(NAME):$(VERSION) -o $@,)
+	tar -xf $@ index.json -O \
+		| jq -r '.manifests[].digest | sub("sha256:";"")' \
+	> $@.digest
 endef
--- a/src/tools/build.mk
+++ b/src/tools/build.mk
@ -8,6 +8,18 @@ out/curl.tgz: \
 	out/ca-certificates.tgz
 	$(call build,tools,curl)

+out/gen_initramfs.tgz: \
+	out/gcc.tgz \
+	out/binutils.tgz \
+	out/musl.tgz
+	$(call build,tools,gen_initramfs)
+
+out/cpio.tgz: \
+	out/gcc.tgz \
+	out/binutils.tgz \
+	out/musl.tgz
+	$(call build,tools,cpio)
+
 out/tofu.tgz: \
 	out/busybox.tgz \
 	out/go.tgz
@ -16,4 +28,4 @@ out/tofu.tgz: \
 out/sops.tgz: \
 	out/busybox.tgz \
 	out/go.tgz
-	$(call build,tools,sops)
+	$(call build,tools,sops)
--- a/src/tools/cpio/Containerfile
+++ b/src/tools/cpio/Containerfile
@ -0,0 +1,39 @@
+FROM stagex/busybox as base
+ENV SRC_SITE=https://ftp.gnu.org/gnu/cpio
+ENV SRC_VERSION=2.15
+ENV SRC_HASH=efa50ef983137eefc0a02fdb51509d624b5e3295c980aa127ceee4183455499e
+ENV SRC_FILE=cpio-${SRC_VERSION}.tar.gz
+
+FROM base as fetch
+RUN set -eux; \
+    wget ${SRC_SITE}/${SRC_FILE}; \
+    echo "${SRC_HASH}  ${SRC_FILE}" | sha256sum -c
+
+FROM fetch as build
+RUN tar -xzf ${SRC_FILE}
+WORKDIR cpio-${SRC_VERSION}
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
+RUN set -eux; \
+    mkdir -p /home/user/rootfs/lib; \
+    ./configure \
+        --build=x86_64-unknown-linux-musl \
+        --host=x86_64-unknown-linux-musl \
+        --prefix=/usr \
+        --bindir=/bin \
+        --mandir=/usr/share/man \
+        --infodir=/usr/share/info; \
+    make
+
+FROM build as install
+USER 0:0
+RUN make DESTDIR=/rootfs install
+COPY --from=stagex/musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
+RUN find /rootfs -exec touch -hcd "@0" "{}" +
+
+FROM scratch as package
+COPY --from=install /rootfs /
+ENTRYPOINT ["/bin/cpio"]
+CMD ["--version"]
--- a/src/tools/curl/Containerfile
+++ b/src/tools/curl/Containerfile
@ -1,21 +1,12 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/openssl:latest as openssl
-FROM ${REGISTRY}/ca-certificates:latest as ca-certificates
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://curl.se/download
 ENV SRC_VERSION=8.4.0
 ENV SRC_HASH=16c62a9c4af0f703d28bda6d7bbf37ba47055ad3414d70dec63e2e6336f2a82d
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
-COPY --from=gcc . /
-COPY --from=openssl . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/openssl . /

 FROM base as fetch
 RUN wget ${SRC_SITE}/curl-${SRC_VERSION}.tar.xz
@ -40,9 +31,9 @@ RUN set -eux; \
 FROM build as install
 USER 0:0
 RUN make install DESTDIR=/rootfs
-COPY --from=musl . /rootfs/
-COPY --from=openssl . /rootfs/
-COPY --from=ca-certificates . /rootfs/
+COPY --from=stagex/musl . /rootfs/
+COPY --from=stagex/openssl . /rootfs/
+COPY --from=stagex/ca-certificates . /rootfs/
 RUN find /rootfs -exec touch -hcd "@0" "{}" +

 FROM scratch as package
--- a/src/tools/gen_initramfs/Containerfile
+++ b/src/tools/gen_initramfs/Containerfile
@ -0,0 +1,28 @@
+FROM stagex/busybox as base
+WORKDIR ${HOME}
+ENV SRC_SITE http://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/
+ENV SRC_VERSION 6.6
+ENV SRC_HASH d926a06c63dd8ac7df3f86ee1ffc2ce2a3b81a2d168484e76b5b389aba8e56d0
+
+FROM base as fetch
+RUN wget ${SRC_SITE}/linux-${SRC_VERSION}.tar.xz
+RUN echo "${SRC_HASH}  linux-${SRC_VERSION}.tar.xz" | sha256sum -c
+
+FROM fetch as build
+RUN tar -xf linux-${SRC_VERSION}.tar.xz
+WORKDIR linux-${SRC_VERSION}
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/musl . /
+RUN gcc usr/gen_init_cpio.c -o usr/gen_init_cpio
+
+FROM build as install
+USER 0:0
+RUN set -eux; \
+    mkdir -p /rootfs/usr/bin; \
+    cp -a usr/gen_initramfs.sh /rootfs/usr/bin/gen_initramfs; \
+    cp -a usr/gen_init_cpio /rootfs/usr/bin; \
+    find /rootfs -exec touch -hcd "@0" "{}" +
+
+FROM scratch as package
+COPY --from=install /rootfs /
--- a/src/tools/sops/Containerfile
+++ b/src/tools/sops/Containerfile
@ -1,22 +1,16 @@
-
-ARG REGISTRY=local
-FROM ${REGISTRY}/go:latest as go
-FROM ${REGISTRY}/busybox:latest as busybox 
-FROM ${REGISTRY}/ca-certificates:latest as ca-certificates
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV VERSION=3.8.1
 ENV SRC_SITE=https://github.com/getsops/sops/archive/refs/tags
 ENV SRC_HASH=5ca70fb4f96797d09012c705a5bb935835896de7bcd063b98d498912b0e645a0
 RUN echo ${SRC_SITE}/${VERSION}.tar.gz

 FROM base as fetch
-COPY --from=go . /
-COPY --from=ca-certificates . /
+COPY --from=stagex/go . /
+COPY --from=stagex/ca-certificates . /

 RUN set -eux; \
    wget ${SRC_SITE}/v${VERSION}.tar.gz; \
-    echo "${SRC_HASH}  v${VERSION}.tar.gz" | sha256sum -c; 
+    echo "${SRC_HASH}  v${VERSION}.tar.gz" | sha256sum -c;

 FROM fetch as build
 RUN tar -xvf v${VERSION}.tar.gz
@ -31,7 +25,7 @@ ENV GOSUMDB=sum.golang.org
 ENV CGO_ENABLED=0
 ENV GOHOSTOS=linux
 ENV GOHOSTARCH=amd64
-ENV GOFLAGS=-trimpath 
+ENV GOFLAGS=-trimpath
 RUN mkdir -p ${GOPATH}
 RUN go build -o bin/sops ./cmd/sops

@ -43,4 +37,4 @@ RUN cp bin/sops /rootfs/usr/bin/
 FROM scratch as package
 COPY --from=install /rootfs/ /
 ENTRYPOINT ["/usr/bin/sops"]
-CMD ["--version"]
+CMD ["--version"]
--- a/src/tools/tofu/Containerfile
+++ b/src/tools/tofu/Containerfile
@ -1,21 +1,16 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/go:latest as go
-FROM ${REGISTRY}/busybox:latest as busybox 
-FROM ${REGISTRY}/ca-certificates:latest as ca-certificates
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV VERSION=1.6.0-beta4
 ENV SRC_SITE=https://github.com/opentofu/opentofu/archive/refs/tags
 ENV SRC_HASH=b14f151839d90d06f95ba4257be159857606daf522d99e9285ddb248f814393f
 RUN echo ${SRC_SITE}/${VERSION}.tar.gz

 FROM base as fetch
-COPY --from=go . /
-COPY --from=ca-certificates . /
+COPY --from=stagex/go . /
+COPY --from=stagex/ca-certificates . /

 RUN set -eux; \
    wget ${SRC_SITE}/v${VERSION}.tar.gz; \
-    echo "${SRC_HASH}  v${VERSION}.tar.gz" | sha256sum -c; 
+    echo "${SRC_HASH}  v${VERSION}.tar.gz" | sha256sum -c;

 FROM fetch as build
 RUN tar -xvf v${VERSION}.tar.gz
@ -30,7 +25,7 @@ ENV GOSUMDB=sum.golang.org
 ENV CGO_ENABLED=0
 ENV GOHOSTOS=linux
 ENV GOHOSTARCH=amd64
-ENV GOFLAGS=-trimpath 
+ENV GOFLAGS=-trimpath
 RUN mkdir -p ${GOPATH}
 RUN go build -o bin/tofu ./cmd/tofu

@ -42,4 +37,4 @@ RUN cp bin/tofu /rootfs/usr/bin/
 FROM scratch as package
 COPY --from=install /rootfs/ /
 ENTRYPOINT ["/usr/bin/tofu"]
-CMD ["--version"]
+CMD ["--version"]
Author	SHA1	Message	Date
Lance Vick	6c9088c55c	remove custom image overrides from each Dockerfile, favoring build contexts	2024-02-05 02:36:12 -08:00
Lance Vick	cf04bfc6e6	don't gzip unless we have a valid tar file	2024-02-05 01:45:45 -08:00
Lance Vick	77452b3995	Dockerfile -> Containerfile	2024-02-05 01:45:20 -08:00
Lance Vick	833df686d6	only write tar if succesful	2024-02-02 15:10:11 -08:00
Lance Vick	92e0854916	fix rust readme	2024-02-01 21:34:06 -08:00
Lance Vick	82efcb642b	gzip in separate step to avoid pipefail issues	2024-02-01 17:49:13 -08:00
Lance Vick	253b6b122c	write OCIs to temp files initially so make does not assume success	2024-01-31 14:24:44 -08:00
Lance Vick	e052722c12	use system libunwind in rust, replacing nondeterministic in-tree version	2024-01-31 05:39:43 -08:00
Lance Vick	41469a293a	package gen_initramfs and cpio	2024-01-31 03:15:42 -08:00
Lance Vick	41befd1345	add initial gen_initramfs package	2024-01-31 02:57:52 -08:00
Lance Vick	b8a061797b	deterministic rustlib manifests	2024-01-30 15:05:05 -08:00
Lance Vick	17fd3c4002	more detail and examples in readme	2024-01-30 06:43:30 -08:00
Lance Vick	56dcd1b569	remove non-deterministic optimizations from python	2024-01-29 23:54:54 -08:00
Lance Vick	ade0dfad17	downgrade m4 to 1.4.18 to avoid deterministic build regression	2024-01-29 18:35:07 -08:00
Lance Vick	30106d26b8	NOCACHE in makefile	2024-01-29 16:23:48 -08:00
Lance Vick	f0b5724a34	deterministic perl support	2024-01-29 16:03:19 -08:00
Lance Vick	f4350e4cfe	NOCACHE support for make	2024-01-29 16:03:01 -08:00
Lance Vick	0b89c0ef11	Lock binutils to 2.35 which has no known determinism issues	2024-01-28 16:29:16 -08:00
Lance Vick	26d26259a8	default registry name to stagex as it shifts build hashes past stage0	2024-01-28 16:11:17 -08:00
Lance Vick	26d465af36	add default cmd for stage0	2024-01-28 02:44:35 -08:00
Lance Vick	a3168db8e2	default to local, but have mirrors available	2024-01-28 02:38:59 -08:00
Lance Vick	e1b1d9671f	rename to stagex	2024-01-28 02:24:33 -08:00
Lance Vick	71753e9f0b	autoload oci files after build	2024-01-27 22:23:34 -08:00
Lance Vick	9918246d44	fix single image annotations	2024-01-27 21:59:02 -08:00
Lance Vick	972be9b5b8	Standardize on OCI build output with compat checks	2024-01-27 21:49:38 -08:00
Lance Vick	8b56d90436	downgrade binutils in stage2/3 to avoid determinism regression	2024-01-26 17:22:49 -08:00
Lance Vick	ec0e91bdef	disable separate-code in binutils for stage3 for determinism	2024-01-25 02:46:38 -08:00
Lance Vick	2e18bf79a4	go: remove now uneeded busybox hack	2024-01-24 23:39:52 -08:00
Lance Vick	542da9ed5a	use generic naming for now	2024-01-24 18:32:26 -08:00
Lance Vick	1dc25316cb	correct musl box for alpine	2024-01-24 18:01:38 -08:00
Lance Vick	922859d2da	Add compaison to readme	2024-01-24 17:46:41 -08:00
Lance Vick	abc7389e4e	More detail on goals and bootstrapping	2024-01-24 05:35:49 -08:00
Lance Vick	b1bee039f0	update zlib to 1.3.1	2024-01-24 04:07:02 -08:00
Lance Vick	5de115e8da	disable libsanitizer in gcc which currently breaks build	2024-01-23 23:56:55 -08:00
Lance Vick	12a04643af	add musl dep to binutils	2024-01-23 15:53:21 -08:00
Lance Vick	6a29777dc3	build core with stage3	2024-01-23 15:46:02 -08:00
Lance Vick	8286e33e52	stage3: Use binutils AR instead of broken busybox ar	2024-01-23 15:10:42 -08:00
Lance Vick	355322796f	bootstrap: linux headers and various cleanup & path fixes	2024-01-23 09:50:50 -08:00