remove custom image overrides from each Dockerfile, favoring build contexts

Makefile

@@ -1,6 +1,18 @@
-export REGISTRY := local
 export PLATFORM := linux/amd64
 export BUILDER := $(shell which docker)
+export REGISTRY := stagex
+export NOCACHE ?= 0
+export MIRRORS := \
+	git.distrust.co \
+	hub.docker.com
+
+ifeq ($(NOCACHE), 1)
+NOCACHE_FLAG=--no-cache
+else
+NOCACHE_FLAG=
+endif
+export NOCACHE_FLAG
+
 clean_logs := $(shell rm *.log 2>&1 >/dev/null || :)
 
 include src/macros.mk
@@ -9,9 +21,12 @@ include src/core/build.mk
 include src/libs/build.mk
 include src/tools/build.mk
 
+compat:
+	./src/compat.sh
+
 DEFAULT_GOAL := default
 .PHONY: default
-default: bootstrap core
+default: compat bootstrap core
 
 out/graph.svg: Makefile
 	$(MAKE) -Bnd | make2graph | dot -Tsvg -o graph.svg

README.md

@@ -1,10 +1,105 @@
-# Packages
+# Stage[x]
 
-Minimalism and security first repository of reproducible and signed OCI images
-of common open source software packages built from source.
+Minimalism and security first repository of reproducible and multi-signed OCI
+images of common open source software toolchains full-source bootsrapped from
+Stage 0 all the way up.
 
-These can be used as a secure supply chain for anything from obtaining local
-tools, to bootstrapping a Linux distribution.
+If you want to build or deploy software on a foundation of minimalism and
+determinism with reasonable security, stagex might be the foundation you are
+looking for.
+
+## Usage
+
+You can do anything with these images you would with most any other musl based
+containerized linux distro, only with high supply chain integrity and
+determinism.
+
+For a full list of images see the "src" directory.
+
+### Examples
+
+Get a shell in our x86_64 Stage3 bootstrap image:
+
+```
+docker run -it stagex/stage3
+```
+
+Run a Python hello world:
+```
+docker run -i stagex/python -c "print('hello world')"
+```
+
+Make a hello world OCI container image with Rust:
+```
+FROM stagex/busybox as build
+COPY --from=stagex/rust . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/libunwind . /
+RUN printf 'fn main(){ println!("Hello World!"); }' > hello.rs
+RUN rustc hello.rs
+FROM scratch
+COPY --from=build /home/user/hello .
+CMD ["./hello"]
+```
+
+### Package Management
+
+Unlike most linux distros, stagex was built for determinism, minimalism, and
+containers first, and thus has no concept of a traditional package manager.
+
+In fact, stagex ships no first-party code at all. We just package things in the
+most "stock" way possible with exceptions only to maintain determinism.
+
+Every image is "from scratch" and contains an empty filesystem with the
+installed package.
+
+By default you always get the latest updates to dependencies on the fly, but
+you retain the option for bit-for-bit reproducible builds by locking any given
+dependency at a particular tag or image hash.
+
+If you want an old version of rust with a recent version of Gcc to work around
+some problem build, you can do that without resorting to low security \
+"curl | bash" style solutions like rustup.
+
+## Goals
+
+We built to support very high risk threat models where trusting any single
+system or maintainer in our software supply chain cannot be tolerated. That
+said, we should also function as a drop-in replacement for musl-based linux
+distributions for virtually any threat model.
+
+Our aim is to provide a reasonably secure set of toolchains for every major
+programming language to be the basis of your containers, build systems,
+firmware, secure enclaves, or hosting infrastructure.
+
+Not all of these goals are 100% realized yet, but should at least help you
+decide if this project is something you want to contribute to or keep an eye on
+for the future.
+
+### Integrity
+
+* Anyone can reproduce the entire tree with tools from their current distro
+* Hosted CI servers auto-sign confirmed deterministic builds
+    * Like NixOS
+* Maintainers sign all package additions/changes
+    * Like Gentoo, Debian, Fedora, Guix
+* Reviewers/Reproducers locally build and counter-sign all new binary packages
+    * No one does this, as far as we can tell
+
+### Minimalism
+
+* Based on musl libc
+    * Basis of successful minimal distros like Alpine, Adelie, Talos, Void
+    * Implemented with about 1/4 the code of glibc
+    * Required to produce portable static binaries in some languages
+    * Less prone to buffer overflows
+    * Puts being light, fast, and correct before compatibility
+* Package using tools you already have
+    * OCI build tool of choice (Docker, Buildah, Podman)
+    * Make (for dependency management)
+    * Prove hashes of bootstrap layer builds match before proceeding
+* Keep package definitions lean and readable with simple CLI and no magic
 
 ## Background
 
@@ -13,7 +108,7 @@ and the greatest of them may be that any system that is complex to review and
 assigns trust of significant components to single human points of failure, is
 doomed to have failure.
 
-Most linux distributions rely on complex package management systems for which
+Most Linux distributions rely on complex package management systems for which
 only a single implementation exists. They assign package signing privileges to
 individual maintainers at best. Modern popular distros often fail to even do
 this, having a central machine somewhere blindly signing all unsigned
@@ -39,47 +134,94 @@ container supply chain has single points of human failure, or review
 complexity, that makes it undesirable for threat models that assume any single
 human can be hacked or coerced.
 
-## Goals
+## Comparison
 
-Not all of these goals are realized yet, but should at least help you decide
-if this project is something you want to contribute to or keep an eye on for
-the future.
+A comparison of `stagex` to other distros in some of the areas we care about:
 
-### Integrity
+| Distro | Single-Sig | Multi-Sig |Diver.| Musl | Stage0 | Repro. | Rust Deps |
+|--------|------------|-----------|------|------|--------|--------|-----------|
+| Stagex | x          | p         | p    | x    | x      | x      | 4         |
+| Guix   | x          |           |      |      | x      | x      | 4         |
+| Nix    |            |           |      |      |        | p      | 4         |
+| Debian | x          |           |      |      |        | p      | 232       |
+| Arch   | x          |           |      |      |        | p      | 262       |
+| Fedora | x          |           |      |      |        |        | 166       |
+| Alpine |            |           |      |      | x      |        | 32        |
 
-* Anyone can reproduce the entire tree with tools from their current distro
-* Hosted CI servers auto-sign confirmed deterministic builds
-    * Like NixOS
-* Maintainers sign all package additions/changes
-    * Like Gentoo, Debian, Fedora, Guix
-* Reviewers locally build and counter-sign all new binary packages
-    * No one does this, as far as we can tell.
+### Legend
+
+- x = true
+- p = planned
+- “Single-sig”: one person, typically the maintainer, signed a given package
+    - Some distros blindly sign all packages with a shared accees server
+    - We see this as mostly security theater and do not include it here
+- “Multi-sig”: more than one human verified/signed every package artifact
+    - And ideally also signed the source
+- “Diver.”: Can the entire distro be built with a diversity of toolchains
+- “Musl”: entire distro and resulting artifacts are built against musl libc
+- “Stage0”: Can the entire distro be full-source-bootstrapped from Stage0
+- “Repro.”: Is the entire distro reproducible bit-for-bit identically
+- “Rust Deps”: the number of total dependencies installed to use rustc
+    - Rust is a worst case example for compiler deps and build complexity
+        - It is kind of a nightmare most distros skip
+        - See: [Guix documenting their process](https://guix.gnu.org/en/blog/2018/bootstrapping-rust/) (similar to ours)
+    - Nix, guix, and our distro get away with only 4 deps because:
+        - Rustc -does- need ~20 dependencies to build
+        - The final resulting rust builds can run standalone
+        - We only actually need musl libc, llvm, and gcc to build most projects
+
+### Signatures
+
+* Signatures are made by the PGP public keys in the "keys" directory
+* Signatures are made by any tool that implements "[Container Signature Format](https://github.com/containers/image/blob/main/docs/containers-signature.5.md)"
+    * We provide a minimal shell script implementation as a convenience
+    * Podman also [implements support](https://github.com/containers/podman/blob/main/docs/tutorials/image_signing.md) for this signature scheme
+* Signatures are "PR"ed and committed to this repo as a source of truth
+* Signatures can be mirrored to any HTTPS url
+* Container daemons can verify signatures on pull with a [containers-policy.json](https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md)
+* As a policy, we expect all published signers to:
+    * Maintain their PGP private keys offline and/or on personal HSMs
+        * E.g. Nitrokey, Yubikey, Leger, Trezor, etc.
+    * Maintain a public key in the "keys" folder of this repository
+    * Maintain a [keyoxide](https://keyoxide.org) profile self-certifying keys
+    * Maintain a [Hagrid](https://keys.openpgp.org) profile with verified UIDs
+    * Make best efforts to meet in person and sign each others keys
+    * Create signatures from highly trusted operating systems
+        * E.g Dedicated QubesOS VM, or a an airgapped signing system
 
 ### Reproducibility
 
-* Trust no single external source of binaries
-    * Bootstrap from two different third party signed distros
-* Never use external binaries
-    * Bootstrap from 0, always, even if it means going back in time
-        * Go, rust require extensive work to bootstrap all the way back to gcc
-        * Guix is the only distro that does this for rust to our knowledge
-* Full-Source Bootstrap from x86_64 assembly
-    * Take maximum advantage of the hard won wins by the Guix team
-    * Bootstrap from guile driver reproduced on multiple signed distros
+The only way to produce trustworthy packages is to make sure no single system
+or human is every trusted in the process of compiling them. Everything we
+release must be built deterministically. Further to avoid trusting any specific
+distro or platform, we must be able to reproduce even from wildly different
+toolchains, architectures, kernels, etc.
 
-### Minimalism
+Using OCI container images as our base packaging system helps a lot here by
+making it easy to throw away non-deterministic build stages and control many
+aspects of the build environment. Also, as a well documented spec, it allows
+our packages to (ideally) be built with totally different OCI toolchains such
+as Docker, Podman, Kaniko, or Buildah.
 
-* Based on musl libc
-    * Basis of successful minimal distros like Alpine, Adelie, Talos, Void
-    * Implemented with about 1/4 the code of glibc
-    * Required to produce portable static binaries in some languages
-    * Less prone to buffer overflows
-    * Puts being light, fast, and correct before compatibility
-* Package using tools you already have
-    * OCI build tool of choice (Docker, Buildah, Podman)
-    * Make (for dependency management)
-    * Prove hashes of bootstrap layer builds match before proceeding
-* Keep package definitions lean and readable with simple CLI and no magic
+This is only part of the story though, because being able to build
+deterministically means the compilers that compiler our code themselves must
+be bootstapped all the way from source code in a deterministic way.
+
+* Final distributable packages are always OCI container images
+    * OCI allows reproduction by totally different toolchains
+        E.g: Docker, Podman, Kaniko, or Buildah.
+    * OCI allows unlimited signatures on builds as part of the spec
+      * E.g: each party that chooses to reproduce adds their own signature
+* We always "Full Source Bootstrap" everything from 0
+    * [Stage0](src/bootstrap/stage0/Dockerfile): 387 bytes of x86 assembly built by 3 distros with the same hash
+        * Also the same hash many others get from wildly different toolchains
+        * Relevant: [Guix: Building From Source All The Way Down](https://guix.gnu.org/en/blog/2023/the-full-source-bootstrap-building-from-source-all-the-way-down/)
+    * [Stage1](src/bootstrap/stage1/Dockerfile): A full x86 toolchain built from stage0 via [live-bootstrap](https://github.com/fosslinux/live-bootstrap/blob/master/parts.rst)
+    * [Stage2](src/bootstrap/stage2/Dockerfile): Cross toolchain bridging us to modern 64 bit architectures
+    * [Stage3](src/bootstrap/stage3/Dockerfile): Native toolchain in native 64 bit architecture
+    * [Stage(x)](.): Later stages build the distributed packages in this repo
+
+For further reading see the [Bootstrappable Builds](https://bootstrappable.org/) Project.
 
 ## Building
 

src/bootstrap/build.mk

@@ -1,10 +1,18 @@
 .PHONY: bootstrap
 bootstrap: \
-	out/bootstrap.tgz \
-	out/stage0.tgz
-
-out/bootstrap.tgz: out/stage0.tgz
-	$(call build,bootstrap,bootstrap)
+	out/stage0.tgz \
+	out/stage1.tgz \
+	out/stage2.tgz \
+	out/stage3.tgz
 
 out/stage0.tgz:
 	$(call build,bootstrap,stage0)
+
+out/stage1.tgz: out/stage0.tgz
+	$(call build,bootstrap,stage1)
+
+out/stage2.tgz: out/stage1.tgz
+	$(call build,bootstrap,stage2)
+
+out/stage3.tgz: out/stage2.tgz
+	$(call build,bootstrap,stage3)

src/bootstrap/stage0/Containerfile

@@ -18,10 +18,12 @@ RUN set -eux; \
     echo "${SRC_HASH}  stage0-posix-${VERSION}.tar.gz" | sha256sum -c; \
     tar -xf stage0-posix-${VERSION}.tar.gz
 WORKDIR stage0-posix-${VERSION}
-RUN bootstrap-seeds/POSIX/x86/kaem-optional-seed
-RUN mkdir -p /rootfs && cp -R * /rootfs/
+RUN set -eux; \
+    bootstrap-seeds/POSIX/x86/kaem-optional-seed; \
+    mkdir -p /rootfs && cp -R * /rootfs/
 WORKDIR /rootfs
-RUN sha256sum x86/bin/* > hashes.txt
+RUN sha256sum x86/bin/* > hashes.txt; \
+    find . -exec touch -hcd "@0" "{}" +
 
 FROM archlinux as build2
 ARG VERSION
@@ -36,10 +38,12 @@ RUN set -eux; \
     echo "${SRC_HASH}  stage0-posix-${VERSION}.tar.gz" | sha256sum -c; \
     tar -xf stage0-posix-${VERSION}.tar.gz
 WORKDIR stage0-posix-${VERSION}
-RUN bootstrap-seeds/POSIX/x86/kaem-optional-seed
-RUN mkdir -p /rootfs && cp -R * /rootfs/
+RUN set -eux; \
+    bootstrap-seeds/POSIX/x86/kaem-optional-seed; \
+    mkdir -p /rootfs && cp -R * /rootfs/
 WORKDIR /rootfs
-RUN sha256sum x86/bin/* > hashes.txt
+RUN sha256sum x86/bin/* > hashes.txt; \
+    find . -exec touch -hcd "@0" "{}" +
 
 FROM alpine as build3
 ARG VERSION
@@ -54,10 +58,12 @@ RUN set -eux; \
     echo "${SRC_HASH}  stage0-posix-${VERSION}.tar.gz" | sha256sum -c; \
     tar -xf stage0-posix-${VERSION}.tar.gz
 WORKDIR stage0-posix-${VERSION}
-RUN bootstrap-seeds/POSIX/x86/kaem-optional-seed
-RUN mkdir -p /rootfs && cp -R * /rootfs/
+RUN set -eux; \
+    bootstrap-seeds/POSIX/x86/kaem-optional-seed; \
+    mkdir -p /rootfs && cp -R * /rootfs/
 WORKDIR /rootfs
-RUN sha256sum x86/bin/* > hashes.txt
+RUN sha256sum x86/bin/* > hashes.txt; \
+    find . -exec touch -hcd "@0" "{}" +
 
 FROM scratch as compare
 COPY --from=build1 /rootfs/ /a
@@ -90,3 +96,4 @@ COPY --from=build1 /rootfs /
 
 FROM scratch as package
 COPY --from=install / /
+CMD ["x86/bin/kaem","--version"]

src/bootstrap/stage1/Containerfile

@@ -1,9 +1,8 @@
-ARG REGISTRY=local
 ARG VERSION=fc6eeb6bd75ea0d0025a79ea9fe45614bd60ba14
 ARG SRC_SITE=https://codeload.github.com/lrvick/live-bootstrap/legacy.tar.gz
 ARG SRC_HASH=0c268b19cf9f4eefdaf45dab64ac393ccf8ee43de58f0721624cab358044bf78
 FROM debian@sha256:bac353db4cc04bc672b14029964e686cd7bad56fe34b51f432c1a1304b9928da as debian
-FROM ${REGISTRY}/stage0 as stage0
+FROM stagex/stage0 as stage0
 
 FROM debian as fetch
 ARG VERSION
@@ -20,30 +19,33 @@ RUN set -eux; \
     mv lrvick-live-bootstrap-* live-bootstrap
 WORKDIR live-bootstrap
 RUN ./download-distfiles.sh
+
+FROM fetch as config
 RUN set -eux; \
     mkdir -p /rootfs/external; \
     mv steps seed/* /rootfs/; \
-    mv distfiles /rootfs/external/
-RUN echo "\
+    mv distfiles /rootfs/external/; \
+    export CORES=$(nproc --all); \
+    echo "\
 FORCE_TIMESTAMPS=False\n\
 CHROOT=True\n\
 UPDATE_CHECKSUMS=False\n\
-JOBS=10\n\
+JOBS=${CORES}\n\
 SWAP_SIZE=0\n\
-FINAL_JOBS=10\n\
+FINAL_JOBS=${CORES}\n\
 INTERNAL_CI=False\n\
 INTERACTIVE=False\n\
 BARE_METAL=False\n\
 EXTERNAL_SOURCES=True\n\
 DISK=sda1\n\
 KERNEL_BOOTSTRAP=False\n\
-BUILD_KERNELS=False\
-" > /rootfs/steps/bootstrap.cfg
+BUILD_KERNELS=False" \
+    > /rootfs/steps/bootstrap.cfg
 RUN touch /rootfs/steps/lwext4-1.0.0-lb1/files/fiwix-file-list.txt
 
 FROM scratch as build
 COPY --from=stage0 / .
-COPY --from=fetch /rootfs .
+COPY --from=config /rootfs .
 ENV ARCH_DIR=x86
 ENV ARCH=x86
 RUN ["/x86/bin/kaem","--verbose","--strict","--file","./after.kaem"]
@@ -52,7 +54,8 @@ FROM build as install
 ENV PATH=/bin:/usr/sbin:/usr/bin
 RUN set -eux; \
     rm -rf /usr/lib/python*/__pycache__; \
-    mkdir -p /rootfs/etc /rootfs/home/user; \
+    mkdir -p /rootfs/etc /rootfs/home/user /rootfs/tmp; \
+    chown -R 1000:1000 /rootfs/home/user /rootfs/tmp; \
     cp -R $(ls -d /etc/* | grep -v '\(resolv.conf\|hosts\)') /rootfs/etc/; \
     cp -R lib usr bin var /rootfs/; \
     echo "user:x:1000:" > /rootfs/etc/group; \
@@ -63,8 +66,11 @@ FROM scratch as package
 COPY --from=install /rootfs /
 USER 1000:1000
 ENTRYPOINT ["/bin/bash"]
+ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ENV USER=user
+ENV HOME=/home/user
 ENV TZ=UTC
 ENV LANG=C.UTF-8
 ENV SOURCE_DATE_EPOCH=1
 ENV KCONFIG_NOTIMESTAMP=1
-ENV PS1="bootstrap$ "
+ENV PS1="stage1 $ "

src/bootstrap/stage2/Containerfile

@@ -0,0 +1,191 @@
+FROM stagex/stage1 as base
+ENV ARCH=x86_64
+ENV TARGET=${ARCH}-linux-musl
+ENV SYSROOT_DIR ${HOME}/build-sysroot
+ENV GCC_VERSION 13.1.0
+ENV GCC_FILE gcc-$GCC_VERSION.tar.xz
+ENV GCC_SITE https://mirrors.kernel.org/gnu/gcc/gcc-${GCC_VERSION}
+ENV GCC_HASH 61d684f0aa5e76ac6585ad8898a2427aade8979ed5e7f85492286c4dfc13ee86
+ENV GCC_DIR ${HOME}/build-gcc
+ENV GCC_DEP_SITE https://gcc.gnu.org/pub/gcc/infrastructure/
+ENV GMP_FILE gmp-6.2.1.tar.bz2
+ENV GMP_HASH eae9326beb4158c386e39a356818031bd28f3124cf915f8c5b1dc4c7a36b4d7c
+ENV MPFR_FILE mpfr-4.1.0.tar.bz2
+ENV MPFR_HASH feced2d430dd5a97805fa289fed3fc8ff2b094c02d05287fd6133e7f1f0ec926
+ENV MPC_FILE mpc-1.2.1.tar.gz
+ENV MPC_HASH 17503d2c395dfcf106b622dc142683c1199431d095367c6aacba6eec30340459
+ENV ISL_FILE isl-0.24.tar.bz2
+ENV ISL_HASH fcf78dd9656c10eb8cf9fbd5f59a0b6b01386205fe1934b3b287a0a1898145c0
+ENV MUSL_VERSION 1.2.4
+ENV MUSL_SITE http://musl.libc.org
+ENV MUSL_FILE musl-${MUSL_VERSION}.tar.gz
+ENV MUSL_HASH 7a35eae33d5372a7c0da1188de798726f68825513b7ae3ebe97aaaa52114f039
+ENV MUSL_DIR ${HOME}/build-musl
+ENV LINUX_SITE https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/
+ENV LINUX_VERSION 6.6
+ENV LINUX_HASH d926a06c63dd8ac7df3f86ee1ffc2ce2a3b81a2d168484e76b5b389aba8e56d0
+ENV LINUX_FILE linux-${LINUX_VERSION}.tar.xz
+ENV LINUX_DIR ${HOME}/build-linux
+ENV BINUTILS_VERSION 2.35
+ENV BINUTILS_SITE https://ftp.gnu.org/gnu/binutils
+ENV BINUTILS_FILE binutils-${BINUTILS_VERSION}.tar.xz
+ENV BINUTILS_HASH 1b11659fb49e20e18db460d44485f09442c8c56d5df165de9461eb09c8302f85
+ENV BINUTILS_DIR ${HOME}/build-binutils
+
+FROM base as fetch
+WORKDIR ${HOME}
+RUN set -eux; \
+    curl -OJ ${LINUX_SITE}/${LINUX_FILE}; \
+    echo "${LINUX_HASH}  ${LINUX_FILE}" | sha256sum -c; \
+    curl -OJ ${GCC_SITE}/${GCC_FILE}; \
+    echo "${GCC_HASH}  ${GCC_FILE}" | sha256sum -c; \
+    curl -OJ ${GCC_DEP_SITE}/${GMP_FILE}; \
+    echo "${GMP_HASH}  ${GMP_FILE}" | sha256sum -c; \
+    curl -OJ ${GCC_DEP_SITE}/${MPFR_FILE}; \
+    echo "${MPFR_HASH}  ${MPFR_FILE}" | sha256sum -c; \
+    curl -OJ ${GCC_DEP_SITE}/${MPC_FILE}; \
+    echo "${MPC_HASH}  ${MPC_FILE}" | sha256sum -c; \
+    curl -OJ ${GCC_DEP_SITE}/${ISL_FILE}; \
+    echo "${ISL_HASH}  ${ISL_FILE}" | sha256sum -c; \
+    curl -OJ ${MUSL_SITE}/releases/${MUSL_FILE}; \
+    echo "${MUSL_HASH} ${MUSL_FILE}" | sha256sum -c; \
+    curl -OJ ${BINUTILS_SITE}/${BINUTILS_FILE}; \
+    echo "${BINUTILS_HASH} ${BINUTILS_FILE}" | sha256sum -c
+
+FROM fetch as extract
+RUN set -eux; \
+    tar -xf ${LINUX_FILE}; \
+    tar -xzf ${MUSL_FILE}; \
+    tar -xf ${BINUTILS_FILE}; \
+    tar -xf ${GCC_FILE}; \
+    cd gcc-${GCC_VERSION}; \
+    mv ../*.tar.* .; \
+    ./contrib/download_prerequisites
+
+FROM extract as build
+
+# Phase 1: Build cross binutils in build-binutils
+WORKDIR ${BINUTILS_DIR}
+RUN set -eux; \
+    ../binutils-${BINUTILS_VERSION}/configure \
+        --build=i386-unknown-linux-musl \
+        --host=i386-unknown-linux-musl \
+        --target=${TARGET} \
+        --with-sysroot=/${TARGET} \
+        --prefix= \
+        --libdir=/lib \
+        --disable-nls \
+        --disable-multilib \
+        --disable-plugins \
+        --disable-gprofng \
+        --enable-64-bit-bfd \
+        --enable-ld=default \
+        --enable-install-libiberty \
+        --enable-deterministic-archives; \
+    make all
+
+# Phase 2: Prepare build sysroot
+WORKDIR ${SYSROOT_DIR}
+RUN set -eux; \
+    mkdir -p include; \
+    ln -sf . usr; \
+    ln -sf lib lib32; \
+    ln -sf lib lib64
+
+# Phase 3: Build gcc (without libgcc) in build-gcc
+WORKDIR ${GCC_DIR}
+RUN set -eux; \
+    ../gcc-${GCC_VERSION}/configure \
+        --build=i386-unknown-linux-musl \
+        --host=i386-unknown-linux-musl \
+        --target=${TARGET} \
+        --with-build-sysroot=${SYSROOT_DIR} \
+        --with-sysroot=/${TARGET} \
+        --prefix= \
+        --libdir=/lib \
+        --disable-multilib \
+        --disable-bootstrap \
+        --disable-assembly \
+        --disable-libmudflap \
+        --disable-libsanitizer \
+        --disable-gnu-indirect-function \
+        --disable-libmpx \
+        --disable-werror \
+        --enable-languages=c,c++ \
+        --enable-tls \
+        --enable-initfini-array \
+        --enable-libstdcxx-time=rt \
+        --enable-deterministic-archives \
+        AR_FOR_TARGET=${BINUTILS_DIR}/binutils/ar \
+        AS_FOR_TARGET=${BINUTILS_DIR}/gas/as-new \
+        LD_FOR_TARGET=${BINUTILS_DIR}/ld/ld-new \
+        NM_FOR_TARGET=${BINUTILS_DIR}/binutils/nm-new \
+        OBJCOPY_FOR_TARGET=${BINUTILS_DIR}/binutils/objcopy \
+        OBJDUMP_FOR_TARGET=${BINUTILS_DIR}/binutils/objdump \
+        RANLIB_FOR_TARGET=${BINUTILS_DIR}/binutils/ranlib \
+        READELF_FOR_TARGET=${BINUTILS_DIR}/binutils/readelf \
+        STRIP_FOR_TARGET=${BINUTILS_DIR}/binutils/strip-new; \
+    make all-gcc
+
+# Phase 4: Install musl libc headers to build-sysroot for use by libgcc
+WORKDIR ${MUSL_DIR}
+RUN set -eux; \
+    ../musl-${MUSL_VERSION}/configure \
+        CC="${GCC_DIR}/gcc/xgcc -B ${GCC_DIR}/gcc" \
+        LIBCC="${GCC_DIR}/${TARGET}/libgcc/libgcc.a" \
+        --prefix= \
+        --host=${TARGET}; \
+    make DESTDIR=${SYSROOT_DIR} install-headers
+
+# Phase 5: Compile libgcc
+WORKDIR ${GCC_DIR}
+RUN make MAKE="make enable_shared=no" all-target-libgcc
+
+# Phase 5: Compile musl libc and install to sysroot
+WORKDIR ${MUSL_DIR}
+RUN set -eux; \
+    make \
+        AR=${BINUTILS_DIR}/binutils/ar \
+        RANLIB=${BINUTILS_DIR}/binutils/ranlib; \
+    make DESTDIR=${SYSROOT_DIR} install
+
+# Phase 6: Compile remaining gcc targets
+WORKDIR ${GCC_DIR}
+RUN make all
+
+# Phase 7: Generate linux headers
+WORKDIR ${HOME}/linux-${LINUX_VERSION}
+RUN set -eux; \
+    make ARCH=${ARCH} headers; \
+    find usr/include -name '.*' -delete; \
+    rm usr/include/Makefile; \
+    rm usr/include/headers_check.pl; \
+    cp -rv usr/include ${LINUX_DIR}
+
+FROM build as install
+WORKDIR ${HOME}
+USER 0:0
+COPY --from=stage1 . /rootfs/
+RUN set -eux; \
+    rm /rootfs/lib; \
+    env -C build-musl make DESTDIR=/rootfs/${TARGET} install; \
+    env -C build-gcc make DESTDIR=/rootfs/ install; \
+    env -C build-binutils make DESTDIR=/rootfs/ install; \
+    cp -Rv ${LINUX_DIR}/* /rootfs/${TARGET}/include; \
+    ln -s /usr/lib/ld-musl-i386.so.1 /rootfs/lib/libc.so; \
+    ln -s /usr/lib/ld-musl-i386.so.1 /rootfs/lib/ld-musl-i386.so.1; \
+    ln -s /${TARGET}/lib/ld-musl-${ARCH}.so.1 /rootfs/lib/ld-musl-${ARCH}.so.1; \
+    find /rootfs -exec touch -hcd "@0" "{}" +
+
+FROM scratch as package
+COPY --from=install /rootfs/ /
+USER 1000:1000
+ENTRYPOINT ["/bin/bash"]
+ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ENV USER=user
+ENV HOME=/home/user
+ENV TZ=UTC
+ENV LANG=C.UTF-8
+ENV SOURCE_DATE_EPOCH=1
+ENV KCONFIG_NOTIMESTAMP=1
+ENV PS1="stage2 $ "

src/bootstrap/stage3/Containerfile

@@ -0,0 +1,237 @@
+FROM stagex/stage2 as base
+ENV ARCH=x86_64
+ENV TARGET=${ARCH}-linux-musl
+ENV BUILD=i386-unknown-linux-musl
+ENV KCONFIG_NOTIMESTAMP=1
+ENV MUSL_VERSION 1.2.4
+ENV MUSL_SITE http://musl.libc.org/releases
+ENV MUSL_FILE musl-${MUSL_VERSION}.tar.gz
+ENV MUSL_HASH 7a35eae33d5372a7c0da1188de798726f68825513b7ae3ebe97aaaa52114f039
+ENV MUSL_DIR=${HOME}/build-musl
+ENV BUSYBOX_VERSION=1.35.0
+ENV BUSYBOX_HASH=faeeb244c35a348a334f4a59e44626ee870fb07b6884d68c10ae8bc19f83a694
+ENV BUSYBOX_SITE=https://busybox.net/downloads
+ENV BUSYBOX_FILE=busybox-${BUSYBOX_VERSION}.tar.bz2
+ENV BUSYBOX_DIR ${HOME}/build-busybox
+ENV BINUTILS_VERSION 2.35
+ENV BINUTILS_HASH 1b11659fb49e20e18db460d44485f09442c8c56d5df165de9461eb09c8302f85
+ENV BINUTILS_SITE https://ftp.gnu.org/gnu/binutils
+ENV BINUTILS_FILE binutils-${BINUTILS_VERSION}.tar.xz
+ENV BINUTILS_DIR ${HOME}/build-binutils
+ENV MAKE_VERSION 4.4
+ENV MAKE_HASH 581f4d4e872da74b3941c874215898a7d35802f03732bdccee1d4a7979105d18
+ENV MAKE_SITE https://ftp.gnu.org/gnu/make
+ENV MAKE_FILE make-${MAKE_VERSION}.tar.gz
+ENV MAKE_DIR ${HOME}/build-make
+ENV GCC_VERSION 13.1.0
+ENV GCC_HASH 61d684f0aa5e76ac6585ad8898a2427aade8979ed5e7f85492286c4dfc13ee86
+ENV GCC_SITE https://mirrors.kernel.org/gnu/gcc/gcc-${GCC_VERSION}
+ENV GCC_FILE gcc-$GCC_VERSION.tar.xz
+ENV GCC_DIR ${HOME}/build-gcc
+ENV GMP_VERSION 6.2.1
+ENV GMP_HASH eae9326beb4158c386e39a356818031bd28f3124cf915f8c5b1dc4c7a36b4d7c
+ENV GMP_SITE https://gcc.gnu.org/pub/gcc/infrastructure/
+ENV GMP_FILE gmp-${GMP_VERSION}.tar.bz2
+ENV GMP_DIR ${HOME}/build-gmp
+ENV MPFR_VERSION 4.1.0
+ENV MPFR_HASH feced2d430dd5a97805fa289fed3fc8ff2b094c02d05287fd6133e7f1f0ec926
+ENV MPFR_SITE https://gcc.gnu.org/pub/gcc/infrastructure/
+ENV MPFR_FILE mpfr-${MPFR_VERSION}.tar.bz2
+ENV MPFR_DIR ${HOME}/build-mpfr
+ENV MPC_VERSION 1.2.1
+ENV MPC_HASH 17503d2c395dfcf106b622dc142683c1199431d095367c6aacba6eec30340459
+ENV MPC_SITE https://gcc.gnu.org/pub/gcc/infrastructure/
+ENV MPC_FILE mpc-${MPC_VERSION}.tar.gz
+ENV MPC_DIR ${HOME}/build-mpc
+ENV ISL_VERSION 0.24
+ENV ISL_HASH fcf78dd9656c10eb8cf9fbd5f59a0b6b01386205fe1934b3b287a0a1898145c0
+ENV ISL_SITE https://gcc.gnu.org/pub/gcc/infrastructure/
+ENV ISL_FILE isl-${ISL_VERSION}.tar.bz2
+ENV ISL_DIR ${HOME}/build-isl
+ENV LINUX_SITE https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/
+ENV LINUX_VERSION 6.6
+ENV LINUX_HASH d926a06c63dd8ac7df3f86ee1ffc2ce2a3b81a2d168484e76b5b389aba8e56d0
+ENV LINUX_FILE linux-${LINUX_VERSION}.tar.xz
+ENV LINUX_DIR ${HOME}/build-linux
+
+FROM base as fetch
+WORKDIR /home/user
+RUN set -eux; \
+    curl -OJ ${LINUX_SITE}/${LINUX_FILE}; \
+    echo "${LINUX_HASH}  ${LINUX_FILE}" | sha256sum -c; \
+    curl --insecure -OJ ${MUSL_SITE}/${MUSL_FILE}; \
+    echo "${MUSL_HASH}  ${MUSL_FILE}" | sha256sum -c; \
+    curl --insecure -OJ ${BUSYBOX_SITE}/${BUSYBOX_FILE}; \
+    echo "${BUSYBOX_HASH}  ${BUSYBOX_FILE}" | sha256sum -c; \
+    curl --insecure -OJ ${BINUTILS_SITE}/${BINUTILS_FILE}; \
+    echo "${BINUTILS_HASH}  ${BINUTILS_FILE}" | sha256sum -c; \
+    curl --insecure -OJ ${MAKE_SITE}/${MAKE_FILE}; \
+    echo "${MAKE_HASH}  ${MAKE_FILE}" | sha256sum -c; \
+    curl --insecure -OJ ${GCC_SITE}/${GCC_FILE}; \
+    echo "${GCC_HASH}  ${GCC_FILE}" | sha256sum -c; \
+    curl --insecure -OJ ${GMP_SITE}/${GMP_FILE}; \
+    echo "${GMP_HASH}  ${GMP_FILE}" | sha256sum -c; \
+    curl --insecure -OJ ${MPFR_SITE}/${MPFR_FILE}; \
+    echo "${MPFR_HASH}  ${MPFR_FILE}" | sha256sum -c; \
+    curl --insecure -OJ ${MPC_SITE}/${MPC_FILE}; \
+    echo "${MPC_HASH}  ${MPC_FILE}" | sha256sum -c; \
+    curl --insecure -OJ ${ISL_SITE}/${ISL_FILE}; \
+    echo "${ISL_HASH}  ${ISL_FILE}" | sha256sum -c
+
+FROM fetch as extract
+RUN set -eux; \
+    tar -xf ${LINUX_FILE}; \
+    tar -kxzf ${MUSL_FILE}; \
+    tar -kxjf ${BUSYBOX_FILE}; \
+    tar -kxf ${BINUTILS_FILE}; \
+    tar -kxzf ${MAKE_FILE}; \
+    tar -kxf ${GCC_FILE}
+
+FROM extract as build
+WORKDIR ${MUSL_DIR}
+RUN set -eux; \
+    ../musl-${MUSL_VERSION}/configure \
+        --prefix=/usr \
+        --build=${BUILD} \
+        --host=${TARGET}; \
+    make
+WORKDIR ${BINUTILS_DIR}
+RUN set -eux; \
+    ../binutils-${BINUTILS_VERSION}/configure \
+        --build=${BUILD} \
+        --host=${TARGET} \
+        --prefix=/usr \
+        --bindir=/usr/bin \
+        --mandir=/usr/share/man \
+        --infodir=/usr/share/info \
+        --sysconfdir=/etc \
+        --disable-nls \
+        --disable-multilib \
+        --disable-plugins \
+        --disable-gprofng \
+        --enable-64-bit-bfd \
+        --enable-ld=default \
+        --enable-install-libiberty \
+        --enable-deterministic-archives; \
+    make
+WORKDIR ${MAKE_DIR}
+RUN set -ex; \
+    ../make-${MAKE_VERSION}/configure \
+        --build=${BUILD} \
+        --host=${TARGET} \
+        --prefix=/usr \
+        --mandir=/usr/share/man \
+        --infodir=/usr/share/info \
+        --disable-nls; \
+	make
+WORKDIR ${GCC_DIR}
+RUN set -eux; \
+    cp ../*.tar.* ../gcc-${GCC_VERSION}; \
+    env -C ${HOME}/gcc-${GCC_VERSION} ./contrib/download_prerequisites; \
+    ../gcc-${GCC_VERSION}/configure \
+        --build=${BUILD} \
+        --host=${TARGET} \
+        --target=${TARGET} \
+        --prefix=/usr \
+        --mandir=/usr/share/man \
+        --infodir=/usr/share/info \
+        --libdir=/usr/lib \
+        --disable-cet \
+        --disable-fixed-point \
+        --disable-libstdcxx-pch \
+        --disable-multilib \
+        --disable-libsanitizer \
+        --disable-nls \
+        --disable-werror \
+        --enable-__cxa_atexit \
+        --enable-default-pie \
+        --enable-default-ssp \
+        --enable-languages=c,c++ \
+        --enable-link-serialization=2 \
+        --enable-linker-build-id; \
+    make
+WORKDIR ${BUSYBOX_DIR}
+RUN set -eux; \
+    setConfs=' \
+        CONFIG_LAST_SUPPORTED_WCHAR=0 \
+        CONFIG_STATIC=y \
+    '; \
+    unsetConfs=' \
+        CONFIG_FEATURE_SYNC_FANCY \
+        CONFIG_FEATURE_HAVE_RPC \
+        CONFIG_FEATURE_INETD_RPC \
+        CONFIG_FEATURE_UTMP \
+        CONFIG_FEATURE_WTMP \
+    '; \
+    make \
+        -f ../busybox-${BUSYBOX_VERSION}/Makefile \
+        KBUILD_SRC=../busybox-${BUSYBOX_VERSION} \
+        CROSS_COMPILE=${TARGET}- \
+        defconfig; \
+    for conf in $unsetConfs; do \
+        sed -i \
+            -e "s!^$conf=.*\$!# $conf is not set!" \
+            .config; \
+    done; \
+    for confV in $setConfs; do \
+        conf="${confV%=*}"; \
+        sed -i \
+            -e "s!^$conf=.*\$!$confV!" \
+            -e "s!^# $conf is not set\$!$confV!" \
+            .config; \
+        if ! grep -q "^$confV\$" .config; then \
+            echo "$confV" >> .config; \
+        fi; \
+    done; \
+    make oldconfig CROSS_COMPILE=${TARGET}-; \
+    for conf in $unsetConfs; do \
+        ! grep -q "^$conf=" .config; \
+    done; \
+    for confV in $setConfs; do \
+        grep -q "^$confV\$" .config; \
+    done; \
+    make CROSS_COMPILE=${TARGET}-
+WORKDIR ${HOME}/linux-${LINUX_VERSION}
+RUN set -eux; \
+    make ARCH=${ARCH} headers; \
+    find usr/include -name '.*' -delete; \
+    rm usr/include/Makefile; \
+    rm usr/include/headers_check.pl; \
+    cp -rv usr/include ${LINUX_DIR}
+
+FROM build as install
+USER 0:0
+RUN set -eux; \
+    env -C ${BUSYBOX_DIR} make \
+        CROSS_COMPILE=${TARGET}- \
+        CONFIG_PREFIX=/rootfs \
+        install ; \
+    env -C ${MUSL_DIR} make DESTDIR=/rootfs install; \
+    env -C ${BINUTILS_DIR} make DESTDIR=/rootfs install; \
+    env -C ${MAKE_DIR} make DESTDIR=/rootfs install; \
+    env -C ${GCC_DIR} make DESTDIR=/rootfs install; \
+    cp -Rv ${LINUX_DIR}/* /rootfs/usr/include/; \
+    cd /rootfs/; \
+    ln -sT /lib lib64; \
+    mkdir -p etc tmp var/tmp home/user; \
+    echo "user:x:1000:" > etc/group; \
+    echo "user:x:1000:1000::/home/user:/bin/sh" > etc/passwd; \
+    chown -R 1000:1000 tmp var/tmp home/user; \
+    find /rootfs -exec touch -hcd "@0" "{}" +
+
+FROM scratch as package
+COPY --from=install /rootfs /
+USER 1000:1000
+ENTRYPOINT ["/bin/sh"]
+ENV ARCH=x86_64
+ENV TARGET=${ARCH}-linux-musl
+ENV HOST=${TARGET}
+ENV BUILD=${TARGET}
+ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ENV USER=user
+ENV HOME=/home/user
+ENV TZ=UTC
+ENV LANG=C.UTF-8
+ENV SOURCE_DATE_EPOCH=1
+ENV KCONFIG_NOTIMESTAMP=1
+ENV PS1="stage3 $ "

src/compat.sh

@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+set -e
+
+readonly MIN_BASH_VERSION=5
+readonly MIN_DOCKER_VERSION=25
+readonly MIN_JQ_VERSION=1.6
+readonly MIN_GPG_VERSION=2.2
+
+### Exit with error message
+die() {
+	echo "$@" >&2
+	exit 1
+}
+
+### Bail and instruct user on missing package to install for their platform
+die_pkg() {
+	local -r package=${1?}
+	local -r version=${2?}
+	local install_cmd
+	case "$OSTYPE" in
+		linux*)
+			if command -v "apt" >/dev/null; then
+				install_cmd="apt install ${package}"
+			elif command -v "yum" >/dev/null; then
+				install_cmd="yum install ${package}"
+			elif command -v "pacman" >/dev/null; then
+				install_cmd="pacman -Ss ${package}"
+			elif command -v "emerge" >/dev/null; then
+				install_cmd="emerge ${package}"
+			elif command -v "nix-env" >/dev/null; then
+				install_cmd="nix-env -i ${package}"
+			fi
+		;;
+		bsd*)     install_cmd="pkg install ${package}" ;;
+		darwin*)  install_cmd="port install ${package}" ;;
+		*) die "Error: Your operating system is not supported" ;;
+	esac
+	echo "Error: ${package} ${version}+ does not appear to be installed." >&2
+	[ -n "$install_cmd" ] && echo "Try: \`${install_cmd}\`"  >&2
+	exit 1
+}
+
+### Check if actual binary version is >= minimum version
+check_version(){
+	local pkg="${1?}"
+	local have="${2?}"
+	local need="${3?}"
+	local i ver1 ver2 IFS='.'
+	[[ "$have" == "$need" ]] && return 0
+	read -r -a ver1 <<< "$have"
+	read -r -a ver2 <<< "$need"
+	for ((i=${#ver1[@]}; i<${#ver2[@]}; i++));
+		do ver1[i]=0;
+	done
+	for ((i=0; i<${#ver1[@]}; i++)); do
+		[[ -z ${ver2[i]} ]] && ver2[i]=0
+		((10#${ver1[i]} > 10#${ver2[i]})) && return 0
+		((10#${ver1[i]} < 10#${ver2[i]})) && die_pkg "${pkg}" "${need}"
+	done
+}
+
+### Check if required binaries are installed at appropriate versions
+check_tools(){
+	if [ -z "${BASH_VERSINFO[0]}" ] \
+	|| [ "${BASH_VERSINFO[0]}" -lt "${MIN_BASH_VERSION}" ]; then
+		die_pkg "bash" "${MIN_BASH_VERSION}"
+	fi
+	for cmd in "$@"; do
+		command -v "$1" >/dev/null || die "Error: $cmd not found"
+		case $cmd in
+			jq)
+				version=$(jq -V | sed 's/.*-//g')
+				check_version "jq" "${version}" "${MIN_JQ_VERSION}"
+			;;
+			gpg)
+				version=$(gpg --version | head -n1 | cut -d" " -f3)
+				check_version "gnupg" "${version}" "${MIN_GPG_VERSION}"
+			;;
+            docker)
+				version=$(docker version -f json | jq -r '.Server.Version')
+				check_version "docker" "${version}" "${MIN_DOCKER_VERSION}"
+			;;
+		esac
+	done
+}
+
+check_tools jq gpg docker;
+
+docker info -f '{{ .DriverStatus }}' \
+    | grep "io.containerd.snapshotter.v1" >/dev/null \
+|| die "Error: Docker Engine is not using containerd for image storage"

src/core/autoconf/Containerfile

@@ -1,13 +1,4 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/m4:latest as m4
-FROM ${REGISTRY}/perl:latest as perl
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE https://ftp.gnu.org/gnu/autoconf
 ENV SRC_VERSION 2.71
 ENV SRC_HASH f14c83cfebcc9427f2c3cea7258bd90df972d92eb26752da4ddad81c87a0faa4
@@ -21,12 +12,12 @@ RUN set -eux; \
 FROM fetch as build
 RUN tar -xf ${SRC_FILE}
 WORKDIR autoconf-${SRC_VERSION}
-COPY --from=gcc . /
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
-COPY --from=m4 . /
-COPY --from=perl . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
+COPY --from=stagex/m4 . /
+COPY --from=stagex/perl . /
 ENV M4=/usr/bin/m4
 RUN set -eux; \
     ./configure \
@@ -36,7 +27,7 @@ RUN set -eux; \
 from build as install
 USER 0:0
 RUN make DESTDIR=/rootfs install
-COPY --from=perl . /rootfs/
+COPY --from=stagex/perl . /rootfs/
 RUN find /rootfs -exec touch -hcd "@0" "{}" +
 
 FROM scratch as package

src/core/automake/Containerfile

@@ -1,14 +1,4 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/perl:latest as perl
-FROM ${REGISTRY}/autoconf:latest as autoconf
-FROM ${REGISTRY}/m4:latest as m4
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://ftp.gnu.org/gnu/automake
 ENV SRC_VERSION=1.16.5
 ENV SRC_HASH=f01d58cd6d9d77fbdca9eb4bbd5ead1988228fdb73d6f7a201f5f8d6b118b469
@@ -20,13 +10,13 @@ RUN tar -xf automake-${SRC_VERSION}.tar.xz
 
 FROM fetch as build
 WORKDIR automake-${SRC_VERSION}
-COPY --from=gcc . /
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
-COPY --from=perl . /
-COPY --from=m4 . /
-COPY --from=autoconf . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
+COPY --from=stagex/perl . /
+COPY --from=stagex/m4 . /
+COPY --from=stagex/autoconf . /
 RUN set -eux; \
     ./configure \
         --prefix=/usr; \
@@ -35,8 +25,8 @@ RUN set -eux; \
 FROM build as install
 USER 0:0
 RUN make DESTDIR=/rootfs install
-COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
-COPY --from=perl . /rootfs/
+COPY --from=stagex/musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
+COPY --from=stagex/perl . /rootfs/
 RUN find /rootfs -exec touch -hcd "@0" "{}" +
 
 FROM scratch as package

src/core/bash/Containerfile

@@ -1,11 +1,4 @@
-ARG REGISTRY=local
-from ${REGISTRY}/binutils as binutils
-from ${REGISTRY}/gcc as gcc
-from ${REGISTRY}/musl as musl
-from ${REGISTRY}/make as make
-from ${REGISTRY}/busybox as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://ftp.gnu.org/gnu/bash
 ENV SRC_VERSION=5.2.21
 ENV SRC_HASH=c8e31bdc59b69aaffc5b36509905ba3e5cbb12747091d27b4b977f078560d5b8
@@ -19,10 +12,10 @@ RUN set -eux; \
 FROM fetch as build
 RUN tar -xzf ${SRC_FILE}
 WORKDIR bash-${SRC_VERSION}
-COPY --from=gcc . /
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
 RUN set -eux; \
     mkdir -p /home/user/rootfs/lib; \
     ./configure \
@@ -41,7 +34,7 @@ RUN set -eux; \
 FROM build as install
 USER 0:0
 RUN make DESTDIR=/rootfs install
-COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
+COPY --from=stagex/musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
 RUN find /rootfs -exec touch -hcd "@0" "{}" +
 
 FROM scratch as package

src/core/binutils/Containerfile

@@ -1,15 +1,12 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/bootstrap:latest as bootstrap
-
-FROM bootstrap as base
+FROM stagex/stage3 as base
 ENV SRC_SITE https://ftp.gnu.org/gnu/binutils
-ENV SRC_VERSION 2.41
-ENV SRC_HASH ae9a5789e23459e59606e6714723f2d3ffc31c03174191ef0d015bdf06007450
+ENV SRC_VERSION 2.35
+ENV SRC_HASH 1b11659fb49e20e18db460d44485f09442c8c56d5df165de9461eb09c8302f85
 
 FROM base as fetch
+WORKDIR ${HOME}
 RUN wget ${SRC_SITE}/binutils-${SRC_VERSION}.tar.xz
-RUN echo "${SRC_HASH} binutils-${SRC_VERSION}.tar.xz" | sha256sum -c
+RUN echo "${SRC_HASH}  binutils-${SRC_VERSION}.tar.xz" | sha256sum -c
 
 FROM fetch as build
 RUN tar -xf binutils-${SRC_VERSION}.tar.xz
@@ -52,7 +49,7 @@ RUN set -ex; \
 FROM build as install
 USER 0:0
 RUN make DESTDIR="/rootfs" install;
-COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
+COPY --from=stagex/musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
 RUN find /rootfs -exec touch -hcd "@0" "{}" +
 
 FROM scratch as package

src/core/build.mk

@@ -7,21 +7,21 @@ core: \
 	out/gcc.tgz \
 	out/llvm.tgz
 
-out/musl.tgz: out/bootstrap.tgz
+out/musl.tgz: out/stage3.tgz
 	$(call build,core,musl)
 
-out/busybox.tgz: out/bootstrap.tgz
+out/busybox.tgz: out/stage3.tgz
 	$(call build,core,busybox)
 
-out/binutils.tgz: out/bootstrap.tgz
+out/binutils.tgz: out/stage3.tgz out/musl.tgz
 	$(call build,core,binutils)
 
-out/gcc.tgz: out/bootstrap.tgz out/musl.tgz
-	$(call build,core,gcc)
-
-out/make.tgz: out/bootstrap.tgz
+out/make.tgz: out/stage3.tgz
 	$(call build,core,make)
 
+out/gcc.tgz: out/stage3.tgz out/binutils.tgz out/musl.tgz
+	$(call build,core,gcc)
+
 out/bash.tgz: \
 	out/busybox.tgz \
 	out/gcc.tgz \

src/core/busybox/Containerfile

@@ -1,14 +1,12 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/bootstrap as bootstrap
-
-FROM bootstrap as base
+FROM stagex/stage3 as base
 ENV SRC_SITE=https://busybox.net/downloads
-ENV SRC_VERSION=1.35.0
-ENV SRC_HASH=faeeb244c35a348a334f4a59e44626ee870fb07b6884d68c10ae8bc19f83a694
+ENV SRC_VERSION=1.36.1
+ENV SRC_HASH=b8cc24c9574d809e7279c3be349795c5d5ceb6fdf19ca709f80cde50e47de314
 ENV SRC_FILE=busybox-${SRC_VERSION}.tar.bz2
 ENV KCONFIG_NOTIMESTAMP=1
 
 FROM base as fetch
+WORKDIR ${HOME}
 RUN set -eux; \
     wget ${SRC_SITE}/${SRC_FILE}; \
     echo "${SRC_HASH}  ${SRC_FILE}" | sha256sum -c
@@ -18,9 +16,6 @@ RUN tar -xjf ${SRC_FILE}
 WORKDIR busybox-${SRC_VERSION}
 RUN set -eux; \
 	setConfs=' \
-		CONFIG_AR=y \
-		CONFIG_FEATURE_AR_CREATE=y \
-		CONFIG_FEATURE_AR_LONG_FILENAMES=y \
 		CONFIG_LAST_SUPPORTED_WCHAR=0 \
 		CONFIG_STATIC=y \
 	'; \
@@ -54,7 +49,7 @@ RUN set -eux; \
 	for confV in $setConfs; do \
 		grep -q "^$confV\$" .config; \
 	done; \
-    make
+	make
 
 FROM build as install
 USER 0:0
@@ -80,4 +75,4 @@ ENV TZ=UTC
 ENV LANG=C.UTF-8
 ENV SOURCE_DATE_EPOCH=1
 ENV KCONFIG_NOTIMESTAMP=1
-ENV PS1="busybox$ "
+ENV PS1="stage4 $ "

src/core/cmake/Containerfile

@@ -1,26 +1,14 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/curl:latest as curl
-FROM ${REGISTRY}/ninja:latest as ninja
-FROM ${REGISTRY}/openssl:latest as openssl
-FROM ${REGISTRY}/linux-headers:latest as linux-headers
-FROM ${REGISTRY}/openssl:latest as openssl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://cmake.org/files
 ENV SRC_VERSION=3.27.8
 ENV SRC_HASH=fece24563f697870fbb982ea8bf17482c9d5f855d8c9bf0b82463d76c9e8d0cc
-COPY --from=binutils . /
-COPY --from=ninja . /
-COPY --from=musl . /
-COPY --from=make . /
-COPY --from=linux-headers . /
-COPY --from=gcc . /
-COPY --from=openssl . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/ninja . /
+COPY --from=stagex/musl . /
+COPY --from=stagex/make . /
+COPY --from=stagex/linux-headers . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/openssl . /
 
 FROM base as fetch
 RUN wget --no-check-certificate ${SRC_SITE}/v3.27/cmake-${SRC_VERSION}.tar.gz
@@ -44,11 +32,11 @@ RUN set -eux; \
 FROM build as install
 USER 0:0
 RUN DESTDIR=/rootfs bin/cmake -P cmake_install.cmake
-COPY --from=musl /lib/* /rootfs/lib/
-COPY --from=musl /usr/lib/* /rootfs/usr/lib/
-COPY --from=gcc /usr/lib/* /rootfs/usr/lib/
-COPY --from=gcc /usr/lib64/* /rootfs/usr/lib/
-COPY --from=openssl /usr/lib/* /rootfs/usr/lib/
+COPY --from=stagex/musl /lib/* /rootfs/lib/
+COPY --from=stagex/musl /usr/lib/* /rootfs/usr/lib/
+COPY --from=stagex/gcc /usr/lib/* /rootfs/usr/lib/
+COPY --from=stagex/gcc /usr/lib64/* /rootfs/usr/lib/
+COPY --from=stagex/openssl /usr/lib/* /rootfs/usr/lib/
 RUN find /rootfs -exec touch -hcd "@0" "{}" +
 
 FROM scratch as package

src/core/gcc/Containerfile

@@ -1,9 +1,4 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/bootstrap:latest as bootstrap
-
-FROM bootstrap as base
+FROM stagex/stage3 as base
 ENV VERSION 12.2.0
 ENV SRC_FILE gcc-$VERSION.tar.xz
 ENV SRC_SITE https://mirrors.kernel.org/gnu/gcc/gcc-${VERSION}
@@ -19,6 +14,7 @@ ENV ISL_FILE isl-0.24.tar.bz2
 ENV ISL_HASH fcf78dd9656c10eb8cf9fbd5f59a0b6b01386205fe1934b3b287a0a1898145c0
 
 FROM base as fetch
+WORKDIR ${HOME}
 RUN set -eux; \
     wget ${SRC_SITE}/${SRC_FILE}; \
     echo "${SRC_HASH}  ${SRC_FILE}" | sha256sum -c; \
@@ -36,41 +32,44 @@ RUN tar -xf ${SRC_FILE}
 WORKDIR gcc-${VERSION}
 RUN set -eux; \
     mv ../*.tar.* .; \
-	./contrib/download_prerequisites; \
-	./configure \
+    ./contrib/download_prerequisites; \
+    ./configure \
         --target=x86_64-linux-musl \
-		--build=x86_64-linux-musl \
-		--host=x86_64-linux-musl \
+        --build=x86_64-linux-musl \
+        --host=x86_64-linux-musl \
         --prefix=/usr \
         --mandir=/usr/share/man \
         --infodir=/usr/share/info \
         --libdir=/usr/lib \
         --disable-cet \
-		--disable-fixed-point \
-		--disable-libstdcxx-pch \
-		--disable-multilib \
-		--disable-nls \
-		--disable-werror \
+        --disable-fixed-point \
+        --disable-libstdcxx-pch \
+        --disable-multilib \
+        --disable-libsanitizer \
+        --disable-nls \
+        --disable-werror \
         --enable-__cxa_atexit \
-		--enable-default-pie \
-		--enable-default-ssp \
-		--enable-languages=c,c++ \
-		--enable-link-serialization=2 \
-		--enable-linker-build-id; \
-	make -j "$(nproc)"
+        --enable-default-pie \
+        --enable-default-ssp \
+        --enable-languages=c,c++ \
+        --enable-link-serialization=2 \
+        --enable-linker-build-id; \
+    make
+
+from build as package
 
 FROM build as install
 USER 0:0
 RUN set -eux; \
     make DESTDIR=/rootfs install-strip; \
     ln -s gcc /rootfs/usr/bin/cc
-COPY --from=musl /lib/* /rootfs/lib/
+COPY --from=stagex/musl /lib/* /rootfs/lib/
 RUN find /rootfs -exec touch -hcd "@0" "{}" +
 
 FROM busybox as test
 COPY --from=install /rootfs /
-COPY --from=binutils . /
-COPY --from=musl . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/musl . /
 ADD test.c .
 RUN set -eux; \
     gcc test.c -static -o main; \

src/core/go/Containerfile

@@ -1,12 +1,4 @@
-ARG REGISTRY=local
-ARG BUSYBOX_VERSION=latest
-FROM ${REGISTRY}/bash:latest as bash
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/busybox:${BUSYBOX_VERSION} as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV GOOS=linux
 ENV CGO_ENABLED=0
 ENV VERSION=1.21.4
@@ -18,15 +10,10 @@ ENV SRC_HASH_BOOTSTRAP_2=e25c9ab72d811142b7f41ff6da5165fec2d1be5feec3ef2c66bc0bd
 ENV VERSION_BOOTSTRAP_1=1.4-bootstrap-20171003
 ENV SRC_SITE_BOOTSTRAP_1=https://dl.google.com/go
 ENV SRC_HASH_BOOTSTRAP_1=f4ff5b5eb3a3cae1c993723f3eab519c5bae18866b5e5f96fe1102f0cb5c3e52
-COPY --from=gcc . /
-COPY --from=gcc . /
-COPY --from=bash . /
-COPY --from=musl . /
-COPY --from=binutils . /
-# Hack to work around busybox ar breaking the build
-USER 0:0
-RUN rm /bin/ar
-USER 1000:1000
+COPY --from=stagex/gcc . /
+COPY --from=stagex/bash . /
+COPY --from=stagex/musl . /
+COPY --from=stagex/binutils . /
 
 FROM base as fetch
 RUN set -eux; \

src/core/libtool/Containerfile

@@ -1,22 +1,12 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/m4:latest as m4
-FROM ${REGISTRY}/bash:latest as bash
-FROM ${REGISTRY}/sed:latest as sed
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://ftp.gnu.org/gnu/libtool
 ENV SRC_VERSION=2.4.6
 ENV SRC_HASH=7c87a8c2c8c0fc9cd5019e402bed4292462d00a718a7cd5f11218153bf28b26f
-COPY --from=gcc . /
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
-COPY --from=m4 . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
+COPY --from=stagex/m4 . /
 
 FROM base as fetch
 RUN wget ${SRC_SITE}/libtool-${SRC_VERSION}.tar.xz
@@ -33,9 +23,9 @@ RUN set -eux; \
 FROM build as install
 USER 0:0
 RUN make DESTDIR=/rootfs install
-COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
-COPY --from=bash . /rootfs
-COPY --from=sed . /rootfs
+COPY --from=stagex/musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
+COPY --from=stagex/bash . /rootfs
+COPY --from=stagex/sed . /rootfs
 RUN ln -s /bin/bash /rootfs/bin/sh
 RUN find /rootfs -exec touch -hcd "@0" "{}" +
 

src/core/libunwind/Containerfile

@@ -1,24 +1,14 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc as gcc
-FROM ${REGISTRY}/binutils as binutils
-FROM ${REGISTRY}/musl as musl
-FROM ${REGISTRY}/make as make
-FROM ${REGISTRY}/autoconf as autoconf
-FROM ${REGISTRY}/automake as automake
-FROM ${REGISTRY}/libtool as libtool
-FROM ${REGISTRY}/busybox as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://github.com/libunwind/libunwind/releases/download
 ENV SRC_VERSION=1.7.2
 ENV SRC_HASH=a18a6a24307443a8ace7a8acc2ce79fbbe6826cd0edf98d6326d0225d6a5d6e6
-COPY --from=gcc . /
-COPY --from=make . /
-COPY --from=musl . /
-COPY --from=binutils . /
-COPY --from=autoconf . /
-COPY --from=automake . /
-COPY --from=libtool . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/autoconf . /
+COPY --from=stagex/automake . /
+COPY --from=stagex/libtool . /
 
 FROM base as fetch
 RUN wget ${SRC_SITE}/v${SRC_VERSION}/libunwind-${SRC_VERSION}.tar.gz

src/core/linux-headers/Containerfile

@@ -1,13 +1,12 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/bootstrap:latest as base
+FROM stagex/stage3 as base
+WORKDIR ${HOME}
 ENV SRC_SITE https://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/
 ENV SRC_VERSION 6.6
 ENV SRC_HASH d926a06c63dd8ac7df3f86ee1ffc2ce2a3b81a2d168484e76b5b389aba8e56d0
 
 FROM base as fetch
 RUN wget ${SRC_SITE}/linux-${SRC_VERSION}.tar.xz
-RUN echo "${SRC_HASH} linux-${SRC_VERSION}.tar.xz" | sha256sum -c
+RUN echo "${SRC_HASH}  linux-${SRC_VERSION}.tar.xz" | sha256sum -c
 
 FROM fetch as build
 RUN tar -xf linux-${SRC_VERSION}.tar.xz

src/core/llvm/Containerfile

@@ -1,31 +1,19 @@
-ARG REGISTRY=local
 ARG VERSION=16.0.6
-FROM ${REGISTRY}/gcc as gcc
-FROM ${REGISTRY}/binutils as binutils
-FROM ${REGISTRY}/musl as musl
-FROM ${REGISTRY}/openssl as openssl
-FROM ${REGISTRY}/python as python
-FROM ${REGISTRY}/py-setuptools as py-setuptools
-FROM ${REGISTRY}/cmake as cmake
-FROM ${REGISTRY}/ninja as ninja
-FROM ${REGISTRY}/busybox as busybox
-FROM ${REGISTRY}/openssl as openssl
-
-FROM busybox as base
+FROM stagex/busybox as base
 ARG VERSION
 ENV VERSION=${VERSION}
 ENV SRC_VERSION=${VERSION}
 ENV SRC_SITE=https://github.com/llvm/llvm-project/releases/download
 ENV SRC_HASH_13_0_1=326335a830f2e32d06d0a36393b5455d17dc73e0bd1211065227ee014f92cbf8
 ENV SRC_HASH_16_0_6=ce5e71081d17ce9e86d7cbcfa28c4b04b9300f8fb7e78422b1feb6bc52c3028e
-COPY --from=binutils . /
-COPY --from=cmake . /
-COPY --from=ninja . /
-COPY --from=musl . /
-COPY --from=gcc . /
-COPY --from=python . /
-COPY --from=py-setuptools . /
-COPY --from=openssl . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/cmake . /
+COPY --from=stagex/ninja . /
+COPY --from=stagex/musl . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/python . /
+COPY --from=stagex/py-setuptools . /
+COPY --from=stagex/openssl . /
 
 FROM base as fetch
 RUN wget --no-check-certificate ${SRC_SITE}/llvmorg-${SRC_VERSION}/llvm-project-${SRC_VERSION}.src.tar.xz
@@ -79,9 +67,9 @@ USER 0:0
 RUN set -eux; \
     DESTDIR="/rootfs" cmake --install build; \
 	python3 llvm/utils/lit/setup.py install --root="/rootfs"
-COPY --from=musl /lib/* /rootfs/lib/
-COPY --from=gcc /usr/lib/* /rootfs/usr/lib/
-COPY --from=gcc /usr/lib64/* /rootfs/usr/lib/
+COPY --from=stagex/musl /lib/* /rootfs/lib/
+COPY --from=stagex/gcc /usr/lib/* /rootfs/usr/lib/
+COPY --from=stagex/gcc /usr/lib64/* /rootfs/usr/lib/
 RUN ln -s lit /rootfs/usr/bin/llvm-lit
 RUN find /rootfs -exec touch -hcd "@0" "{}" +
 

src/core/m4/Containerfile

@@ -0,0 +1,31 @@
+FROM stagex/busybox as base
+ENV SRC_SITE=https://ftp.gnu.org/gnu/m4
+ENV SRC_VERSION=1.4.18
+ENV SRC_HASH=ab2633921a5cd38e48797bf5521ad259bdc4b979078034a3b790d7fec5493fab
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
+
+FROM base as fetch
+RUN wget ${SRC_SITE}/m4-${SRC_VERSION}.tar.gz
+RUN echo "${SRC_HASH}  m4-${SRC_VERSION}.tar.gz" | sha256sum -c
+
+FROM fetch as build
+RUN tar -xzf m4-${SRC_VERSION}.tar.gz
+WORKDIR m4-${SRC_VERSION}
+RUN set -eux; \
+    ./configure \
+        --prefix=/usr; \
+    make;
+
+FROM build as install
+USER 0:0
+RUN make DESTDIR=/rootfs install
+COPY --from=stagex/musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
+RUN find /rootfs -exec touch -hcd "@0" "{}" +
+
+FROM scratch as package
+COPY --from=install /rootfs /
+ENTRYPOINT ["/usr/bin/m4"]
+CMD ["--version"]

src/core/m4/Dockerfile

@@ -1,38 +0,0 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
-COPY --from=gcc . /
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
-ENV SRC_SITE=https://ftp.gnu.org/gnu/m4
-ENV SRC_VERSION=1.4.19
-ENV SRC_HASH=63aede5c6d33b6d9b13511cd0be2cac046f2e70fd0a07aa9573a04a82783af96
-
-FROM base as fetch
-RUN wget ${SRC_SITE}/m4-${SRC_VERSION}.tar.xz
-RUN echo "${SRC_HASH}  m4-${SRC_VERSION}.tar.xz" | sha256sum -c
-
-FROM fetch as build
-RUN tar -xf m4-${SRC_VERSION}.tar.xz
-WORKDIR m4-${SRC_VERSION}
-RUN set -eux; \
-    ./configure \
-        --prefix=/usr; \
-    make;
-
-FROM build as install
-USER 0:0
-RUN make DESTDIR=/rootfs install
-COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
-RUN find /rootfs -exec touch -hcd "@0" "{}" +
-
-FROM scratch as package
-COPY --from=install /rootfs /
-ENTRYPOINT ["/usr/bin/m4"]
-CMD ["--version"]

src/core/make/Containerfile

@@ -1,34 +1,30 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/bootstrap:latest as bootstrap
-
-FROM bootstrap as base
+FROM stagex/stage3 as base
 ENV SRC_SITE https://ftp.gnu.org/gnu/make
 ENV SRC_VERSION 4.4
 ENV SRC_HASH 581f4d4e872da74b3941c874215898a7d35802f03732bdccee1d4a7979105d18
 
 FROM base as fetch
+WORKDIR ${HOME}
 RUN wget ${SRC_SITE}/make-${SRC_VERSION}.tar.gz
-RUN echo "${SRC_HASH} make-${SRC_VERSION}.tar.gz" | sha256sum -c
+RUN echo "${SRC_HASH}  make-${SRC_VERSION}.tar.gz" | sha256sum -c
 
 FROM fetch as build
 RUN tar -xf make-${SRC_VERSION}.tar.gz
 WORKDIR make-${SRC_VERSION}
 RUN set -ex; \
     ./configure \
-        --build=x86_64-linux-musl \
-        --host=x86_64-linux-musl \
-        --target=x86_64-linux-musl \
+        --build=${TARGET} \
+        --host=${TARGET} \
         --prefix=/usr \
         --mandir=/usr/share/man \
         --infodir=/usr/share/info \
         --disable-nls; \
-	make -j "$(nproc)"
+    make
 
 FROM build as install
 USER 0:0
 RUN make DESTDIR="/rootfs" install
-COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
+COPY --from=stagex/musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
 RUN find /rootfs -exec touch -hcd "@0" "{}" +
 
 FROM scratch as package

src/core/musl/Containerfile

@@ -1,17 +1,15 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/bootstrap:latest as bootstrap
-
-FROM bootstrap as base
+FROM stagex/stage3 as base
 ENV SRC_SITE http://musl.libc.org
 ENV SRC_VERSION 1.2.4
 ENV SRC_HASH 7a35eae33d5372a7c0da1188de798726f68825513b7ae3ebe97aaaa52114f039
 ENV CFLAGS="-Os -fstack-clash-protection -Wformat -Werror=format-security"
 ENV CXXFLAGS="-Os -fstack-clash-protection -Wformat -Werror=format-security -D_GLIBCXX_ASSERTIONS=1 -D_LIBCPP_ENABLE_THREAD_SAFETY_ANNOTATIONS=1 -D_LIBCPP_ENABLE_HARDENED_MODE=1"
-ENV LDFLAGS="-Wl,--as-needed,-O1,--sort-common -Wl,-soname,libc.musl-x86_64.so.1"
+ENV LDFLAGS="-Wl,--as-needed,-O1,--sort-common -Wl,-soname,libc.musl-${ARCH}.so.1"
 
 FROM base as fetch
+WORKDIR ${HOME}
 RUN wget ${SRC_SITE}/releases/musl-$SRC_VERSION.tar.gz
-RUN echo "${SRC_HASH} musl-${SRC_VERSION}.tar.gz" | sha256sum -c
+RUN echo "${SRC_HASH}  musl-${SRC_VERSION}.tar.gz" | sha256sum -c
 
 FROM fetch as build
 RUN tar -xzf musl-${SRC_VERSION}.tar.gz
@@ -22,8 +20,8 @@ RUN set -eux; \
     patch -p1 < lfs64.patch; \
     patch -p1 < lfs64-2.patch; \
     ./configure \
-        --build=x86_64-linux-musl \
-        --host=x86_64-linux-musl \
+        --build=${ARCH}-linux-musl \
+        --host=${ARCH}-linux-musl \
         --prefix=/usr \
         --sysconfdir=/etc \
         --mandir=/usr/share/man \
@@ -37,12 +35,12 @@ USER 0:0
 RUN set -eux; \
     make DESTDIR=/rootfs install; \
     mkdir -p /rootfs/usr/bin; \
-    printf "%s\n%s\n" '#!/bin/sh' 'exec /lib/ld-musl-x86_64.so.1 --list "$@"' \
+    printf "%s\n%s\n" '#!/bin/sh' 'exec /lib/ld-musl-${ARCH}.so.1 --list "$@"' \
         > /rootfs/usr/bin/ldd; \
     chmod 755 /rootfs/usr/bin/ldd; \
-    mv -f /rootfs/usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1; \
-    ln -sf ld-musl-x86_64.so.1 /rootfs/lib/libc.musl-x86_64.so.1; \
-    ln -sf ../../lib/ld-musl-x86_64.so.1 /rootfs/usr/lib/libc.so; \
+    mv -f /rootfs/usr/lib/libc.so /rootfs/lib/ld-musl-${ARCH}.so.1; \
+    ln -sf ld-musl-${ARCH}.so.1 /rootfs/lib/libc.musl-${ARCH}.so.1; \
+    ln -sf ../../lib/ld-musl-${ARCH}.so.1 /rootfs/usr/lib/libc.so; \
     find /rootfs -exec touch -hcd "@0" "{}" +
 
 FROM scratch as package

src/core/ninja/Containerfile

@@ -1,23 +1,13 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/python:latest as python
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/busybox:latest as busybox
-FROM ${REGISTRY}/ca-certificates:latest as ca-certificates
-FROM ${REGISTRY}/openssl:latest as openssl
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://github.com/martine/ninja/archive/
 ENV SRC_VERSION=1.9.0
 ENV SRC_HASH=5d7ec75828f8d3fd1a0c2f31b5b0cea780cdfe1031359228c428c1a48bfcd5b9
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=python . /
-COPY --from=musl . /
-COPY --from=gcc . /
-COPY --from=openssl . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/python . /
+COPY --from=stagex/musl . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/openssl . /
 FROM ${REGISTRY}/busybox:latest as busybox
 
 FROM base as fetch
@@ -30,7 +20,7 @@ WORKDIR ninja-${SRC_VERSION}
 ADD fix-musl.patch .
 RUN patch -p1 < fix-musl.patch
 # HACK: figure out why gcc package puts these in the wrong path at install time
-COPY --from=gcc /usr/lib64/* /usr/lib/
+COPY --from=stagex/gcc /usr/lib64/* /usr/lib/
 RUN set -eux; \
     python3 ./configure.py --bootstrap
 
@@ -40,8 +30,8 @@ RUN set -eux; \
     mkdir -p /rootfs/usr/bin/; \
     cp ninja /rootfs/usr/bin/
 # HACK: figure out why gcc package puts these in the wrong path at install time
-COPY --from=gcc /usr/lib64/* /rootfs/usr/lib/
-COPY --from=musl . /rootfs/
+COPY --from=stagex/gcc /usr/lib64/* /rootfs/usr/lib/
+COPY --from=stagex/musl . /rootfs/
 RUN find /rootfs -exec touch -hcd "@0" "{}" +
 
 FROM scratch as package

src/core/openssl/Containerfile

@@ -1,22 +1,13 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/perl:latest as perl
-FROM ${REGISTRY}/linux-headers:latest as linux-headers
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://www.openssl.org/source
 ENV SRC_VERSION=3.0.12
 ENV SRC_HASH=f93c9e8edde5e9166119de31755fc87b4aa34863662f67ddfcba14d0b6b69b61
-COPY --from=gcc . /
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
-COPY --from=perl . /
-COPY --from=linux-headers . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
+COPY --from=stagex/perl . /
+COPY --from=stagex/linux-headers . /
 
 FROM base as fetch
 RUN wget ${SRC_SITE}/openssl-${SRC_VERSION}.tar.gz

src/core/perl/Containerfile

@@ -1,18 +1,11 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://www.cpan.org/src/5.0
 ENV SRC_VERSION=5.38.0
 ENV SRC_HASH=eca551caec3bc549a4e590c0015003790bdd1a604ffe19cc78ee631d51f7072e
-COPY --from=gcc . /
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
 
 FROM base as fetch
 RUN wget ${SRC_SITE}/perl-${SRC_VERSION}.tar.xz
@@ -22,6 +15,13 @@ FROM fetch as build
 RUN tar -xf perl-${SRC_VERSION}.tar.xz
 WORKDIR perl-${SRC_VERSION}
 RUN set -eux; \
+    printf "\
+osvers=\"gnulinux\"\n\
+myuname=\"dummy_uname\"\n\
+myhostname=\"builder\"\n\
+cf_by=\"builder\"\n\
+cf_time=\"0\"" \
+    > config.over; \
 	./Configure \
         -des \
 		-Dcccdlflags='-fPIC' \
@@ -56,7 +56,7 @@ USER 0:0
 RUN set -eux; \
     make DESTDIR=/rootfs install; \
     mkdir -p /rootfs/lib
-COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
+COPY --from=stagex/musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
 RUN find /rootfs -exec touch -hcd "@0" "{}" +
 
 FROM scratch as package

src/core/pkgconf/Containerfile

@@ -1,18 +1,11 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://distfiles.ariadne.space/pkgconf/
 ENV SRC_VERSION=1.6.3
 ENV SRC_HASH=61f0b31b0d5ea0e862b454a80c170f57bad47879c0c42bd8de89200ff62ea210
-COPY --from=gcc . /
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
 
 FROM base as fetch
 RUN wget ${SRC_SITE}/pkgconf-${SRC_VERSION}.tar.xz
@@ -31,7 +24,7 @@ USER 0:0
 RUN set -eux; \
     make DESTDIR=/rootfs install; \
     ln -s pkgconf /rootfs/usr/bin/pkg-config
-COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
+COPY --from=stagex/musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
 RUN find /rootfs -exec touch -hcd "@0" "{}" +
 
 FROM scratch as package

src/core/py-setuptools/Containerfile

@@ -1,12 +1,8 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/python:latest as python
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://pypi.io/packages/source/s/setuptools
 ENV SRC_VERSION=68.2.2
 ENV SRC_HASH=4ac1475276d2f1c48684874089fefcd83bd7162ddaafb81fac866ba0db282a87
-COPY --from=python . /
+COPY --from=stagex/python . /
 
 FROM base as fetch
 RUN wget ${SRC_SITE}/setuptools-${SRC_VERSION}.tar.gz

src/core/python/Containerfile

@@ -1,12 +1,4 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/openssl:latest as openssl
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://www.python.org/ftp/python
 ENV SRC_VERSION=3.12.0
 ENV SRC_HASH=795c34f44df45a0e9b9710c8c71c15c671871524cd412ca14def212e8ccb155d
@@ -18,20 +10,19 @@ RUN echo "${SRC_HASH}  Python-${SRC_VERSION}.tar.xz" | sha256sum -c
 FROM fetch as build
 RUN tar -xf Python-${SRC_VERSION}.tar.xz
 WORKDIR Python-${SRC_VERSION}
-COPY --from=gcc . /
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
-COPY --from=openssl . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
+COPY --from=stagex/openssl . /
+ENV PYTHONHASHSEED=0
+ENV PYTHONDONTWRITEBYTECODE=1
 RUN set -eux; \
     ./configure \
 		--build="x86_64-linux-musl" \
 		--host="x86_64-linux-musl" \
         --prefix=/usr \
-        --enable-ipv6 \
-		--enable-optimizations \
 		--enable-shared \
-		--with-lto \
 		--with-computed-gotos \
 		--without-ensurepip; \
     make
@@ -41,7 +32,7 @@ USER 0:0
 RUN set -eux; \
     make DESTDIR=/rootfs install; \
     ln -s /usr/bin/python3 /rootfs/usr/bin/python
-COPY --from=musl . /rootfs/
+COPY --from=stagex/musl . /rootfs/
 RUN find /rootfs -exec touch -hcd "@0" "{}" +
 
 FROM scratch as package

src/core/rust/Containerfile

@@ -1,24 +1,8 @@
-ARG REGISTRY=local
 ARG VERSION=1.74.0
 ARG BUILD_VERSION=1.73.0
 ARG LLVM_VERSION=13.0.1
-FROM ${REGISTRY}/gcc as gcc
-FROM ${REGISTRY}/binutils as binutils
-FROM ${REGISTRY}/musl as musl
-FROM ${REGISTRY}/bash as bash
-FROM ${REGISTRY}/make as make
-FROM ${REGISTRY}/cmake as cmake
-FROM ${REGISTRY}/perl as perl
-FROM ${REGISTRY}/libunwind as libunwind
-FROM ${REGISTRY}/python as python
-FROM ${REGISTRY}/py-setuptools as py-setuptools
-FROM ${REGISTRY}/zlib as zlib
-FROM ${REGISTRY}/openssl as openssl
-FROM ${REGISTRY}/pkgconf as pkgconf
-FROM ${REGISTRY}/llvm:${LLVM_VERSION} as llvm
-FROM ${REGISTRY}/busybox as busybox
 
-FROM busybox as base
+FROM stagex/busybox as base
 ENV BOOTSTRAP_VERSION=1.54.0
 ENV SRC_SITE=https://static.rust-lang.org/dist
 ENV MRUSTC_VERSION=16d744fd62e74a2d4356df864b5850bf782918da
@@ -53,20 +37,20 @@ ARG BUILD_VERSION
 ENV BUILD_VERSION=${BUILD_VERSION}
 ARG LLVM_VERSION
 ENV LLVM_VERSION=${LLVM_VERSION}
-COPY --from=binutils . /
-COPY --from=bash . /
-COPY --from=make . /
-COPY --from=cmake . /
-COPY --from=python . /
-COPY --from=py-setuptools . /
-COPY --from=zlib . /
-COPY --from=pkgconf . /
-COPY --from=openssl . /
-COPY --from=llvm . /
-COPY --from=perl . /
-COPY --from=gcc . /
-COPY --from=libunwind . /
-COPY --from=musl . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/bash . /
+COPY --from=stagex/make . /
+COPY --from=stagex/cmake . /
+COPY --from=stagex/python . /
+COPY --from=stagex/py-setuptools . /
+COPY --from=stagex/zlib . /
+COPY --from=stagex/pkgconf . /
+COPY --from=stagex/openssl . /
+COPY --from=stagex/llvm . /
+COPY --from=stagex/perl . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/libunwind . /
+COPY --from=stagex/musl . /
 
 FROM base as bootstrap-fetch
 RUN set -eux; \
@@ -109,9 +93,9 @@ RUN set -eux; \
     mv /rootfs/bin/cargo /rootfs/usr/bin/; \
     mv /rootfs/lib/rustlib /rootfs/usr/lib/rustlib; \
     mv /rootfs/usr/lib/rustlib/x86_64-unknown-linux-musl/lib/librustc_driver.so /rootfs/usr/lib/
-COPY --from=musl /lib/* /rootfs/lib/
-COPY --from=gcc /usr/lib/* /rootfs/usr/lib/
-COPY --from=gcc /usr/lib64/* /rootfs/usr/lib/
+COPY --from=stagex/musl /lib/* /rootfs/lib/
+COPY --from=stagex/gcc /usr/lib/* /rootfs/usr/lib/
+COPY --from=stagex/gcc /usr/lib64/* /rootfs/usr/lib/
 RUN find /rootfs -exec touch -hcd "@0" "{}" +
 
 FROM scratch as bootstrap-package
@@ -158,6 +142,7 @@ RUN set -eux; \
         --set="rust.deny-warnings=false" \
         --set="rust.parallel-compiler=false" \
         --set="rust.remap-debuginfo=true" \
+        --set="rust.llvm-libunwind=system" \
         --set="build.full-bootstrap=true" \
         --set="target.x86_64-unknown-linux-musl.crt-static=false" \
         --set="target.x86_64-unknown-linux-musl.musl-root=/usr" \
@@ -170,11 +155,20 @@ RUN set -eux; \
 
 FROM build as install
 USER 0:0
-RUN python3 x.py install
-COPY --from=musl /lib/* /rootfs/lib/
-COPY --from=gcc /usr/lib/* /rootfs/usr/lib/
-COPY --from=gcc /usr/lib64/* /rootfs/usr/lib/
-COPY --from=llvm /usr/lib/* /rootfs/usr/lib/
+RUN set -eux; \
+    python3 x.py install; \
+    cd /rootfs/usr/lib/rustlib; \
+    rm install.log; \
+    sort -o manifest-cargo manifest-cargo; \
+    sort -o manifest-rustc manifest-rustc; \
+    sort -o \
+        manifest-rust-std-x86_64-unknown-linux-musl \
+        manifest-rust-std-x86_64-unknown-linux-musl; \
+    rm -f x86_64-unknown-linux-musl/lib/self-contained/libunwind.a
+COPY --from=stagex/musl /lib/* /rootfs/lib/
+COPY --from=stagex/gcc /usr/lib/* /rootfs/usr/lib/
+COPY --from=stagex/gcc /usr/lib64/* /rootfs/usr/lib/
+COPY --from=stagex/llvm /usr/lib/* /rootfs/usr/lib/
 RUN find /rootfs -exec touch -hcd "@0" "{}" +
 
 FROM scratch as package

src/core/sed/Containerfile

@@ -1,19 +1,11 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/bash:latest as bash
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://ftp.gnu.org/gnu/sed
 ENV SRC_VERSION=4.9
 ENV SRC_HASH=6e226b732e1cd739464ad6862bd1a1aba42d7982922da7a53519631d24975181
-COPY --from=gcc . /
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
 
 FROM base as fetch
 RUN wget ${SRC_SITE}/sed-${SRC_VERSION}.tar.xz
@@ -30,7 +22,7 @@ RUN set -eux; \
 FROM build as install
 USER 0:0
 RUN make DESTDIR=/rootfs install
-COPY --from=musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
+COPY --from=stagex/musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
 RUN find /rootfs -exec touch -hcd "@0" "{}" +
 
 FROM scratch as package

src/core/zlib/Containerfile

@@ -1,18 +1,11 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://www.zlib.net/
-ENV SRC_VERSION=1.3
-ENV SRC_HASH=ff0ba4c292013dbc27530b3a81e1f9a813cd39de01ca5e0f8bf355702efa593e
-COPY --from=gcc . /
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
+ENV SRC_VERSION=1.3.1
+ENV SRC_HASH=9a93b2b7dfdac77ceba5a558a580e74667dd6fede4585b91eefb60f03b72df23
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
 
 FROM base as fetch
 RUN wget ${SRC_SITE}/zlib-${SRC_VERSION}.tar.gz

src/libs/ca-certificates/Containerfile

@@ -1,5 +1,4 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/busybox:latest as base
+FROM stagex/busybox as base
 
 FROM base as install
 USER 0:0

src/libs/libxml2/Containerfile

@@ -1,30 +1,17 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/autoconf:latest as autoconf
-FROM ${REGISTRY}/automake:latest as automake
-FROM ${REGISTRY}/libtool:latest as libtool
-FROM ${REGISTRY}/pkgconf:latest as pkgconf
-FROM ${REGISTRY}/python:latest as python
-FROM ${REGISTRY}/m4:latest as m4
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://gitlab.gnome.org/GNOME/libxml2/-/archive
 ENV SRC_VERSION=2.12.1
 ENV SRC_HASH=1090e62c5a1900429f63e4681263b96e7829876ccbc66cf2d9266cd589f67286
-COPY --from=gcc . /
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
-COPY --from=python . /
-COPY --from=autoconf . /
-COPY --from=automake . /
-COPY --from=pkgconf . /
-COPY --from=libtool . /
-COPY --from=m4 . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
+COPY --from=stagex/python . /
+COPY --from=stagex/autoconf . /
+COPY --from=stagex/automake . /
+COPY --from=stagex/pkgconf . /
+COPY --from=stagex/libtool . /
+COPY --from=stagex/m4 . /
 
 FROM base as fetch
 RUN wget ${SRC_SITE}/v${SRC_VERSION}/libxml2-v${SRC_VERSION}.tar.gz

src/macros.mk

@@ -12,6 +12,8 @@
 # - TARGET defaults to "package"
 # - EXTRA_ARGS will be blindly injected
 # - packages may also define a "test" layer
+# - the ulimit line is to workaround a bug in patch when the nofile limit is too large:
+#      https://savannah.gnu.org/bugs/index.php?62958
 #  TODO:
 # - try to disable networking on fetch layers with something like:
 #   $(if $(filter fetch,$(lastword $(subst -, ,$(TARGET)))),,--network=none)
@@ -24,23 +26,35 @@ define build
 	$(eval VERSION := $(if $(3),$(3),latest))
 	$(eval TARGET := $(if $(4),$(4),package))
 	$(eval EXTRA_ARGS := $(if $(5),$(5),))
+	$(eval REVISION := $(shell git rev-list HEAD -1 src/$(CATEGORY)/$(NAME)))
 	$(eval BUILD_CMD := \
 		DOCKER_BUILDKIT=1 \
+		BUILDKIT_MULTI_PLATFORM=1 \
 		SOURCE_DATE_EPOCH=1 \
 		$(BUILDER) \
 			build \
-			-t $(REGISTRY)/$(NAME):$(VERSION) \
+			--ulimit nofile=2048:16384 \
+			--tag $(REGISTRY)/$(NAME):$(VERSION) \
 			--build-arg REGISTRY=$(REGISTRY) \
 			--platform $(PLATFORM) \
 			--progress=plain \
 			$(if $(filter latest,$(VERSION)),,--build-arg VERSION=$(VERSION)) \
+			--output type=oci,force-compression=true,name=$(NAME),annotation.org.opencontainers.image.revision=$(REVISION),annotation.org.opencontainers.image.version=$(VERSION),dest=$(basename $@).tar \
 			--target $(TARGET) \
 			$(EXTRA_ARGS) \
+			$(NOCACHE_FLAG) \
+			-f src/$(CATEGORY)/$(NAME)/Containerfile \
 			src/$(CATEGORY)/$(NAME) \
+			&& tar -tf $(basename $@).tar \
+			&& gzip < $(basename $@).tar > $@ \
+			&& rm $(basename $@).tar \
+			&& gunzip -c $@ | docker load; \
 	)
 	$(eval TIMESTAMP := $(shell TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ"))
 	mkdir -p out/
 	echo $(TIMESTAMP) $(BUILD_CMD) >> out/build.log
 	$(BUILD_CMD)
-	$(if $(filter package,$(TARGET)),$(BUILDER) save $(REGISTRY)/$(NAME):$(VERSION) -o $@,)
+	tar -xf $@ index.json -O \
+		| jq -r '.manifests[].digest | sub("sha256:";"")' \
+	> $@.digest
 endef

src/tools/build.mk

@@ -8,7 +8,24 @@ out/curl.tgz: \
 	out/ca-certificates.tgz
 	$(call build,tools,curl)
 
+out/gen_initramfs.tgz: \
+	out/gcc.tgz \
+	out/binutils.tgz \
+	out/musl.tgz
+	$(call build,tools,gen_initramfs)
+
+out/cpio.tgz: \
+	out/gcc.tgz \
+	out/binutils.tgz \
+	out/musl.tgz
+	$(call build,tools,cpio)
+
 out/tofu.tgz: \
 	out/busybox.tgz \
 	out/go.tgz
-	$(call build,tools,tofu)
+	$(call build,tools,tofu)
+
+out/sops.tgz: \
+	out/busybox.tgz \
+	out/go.tgz
+	$(call build,tools,sops)

src/tools/cpio/Containerfile

@@ -0,0 +1,39 @@
+FROM stagex/busybox as base
+ENV SRC_SITE=https://ftp.gnu.org/gnu/cpio
+ENV SRC_VERSION=2.15
+ENV SRC_HASH=efa50ef983137eefc0a02fdb51509d624b5e3295c980aa127ceee4183455499e
+ENV SRC_FILE=cpio-${SRC_VERSION}.tar.gz
+
+FROM base as fetch
+RUN set -eux; \
+    wget ${SRC_SITE}/${SRC_FILE}; \
+    echo "${SRC_HASH}  ${SRC_FILE}" | sha256sum -c
+
+FROM fetch as build
+RUN tar -xzf ${SRC_FILE}
+WORKDIR cpio-${SRC_VERSION}
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
+RUN set -eux; \
+    mkdir -p /home/user/rootfs/lib; \
+    ./configure \
+        --build=x86_64-unknown-linux-musl \
+        --host=x86_64-unknown-linux-musl \
+        --prefix=/usr \
+        --bindir=/bin \
+        --mandir=/usr/share/man \
+        --infodir=/usr/share/info; \
+    make
+
+FROM build as install
+USER 0:0
+RUN make DESTDIR=/rootfs install
+COPY --from=stagex/musl /usr/lib/libc.so /rootfs/lib/ld-musl-x86_64.so.1
+RUN find /rootfs -exec touch -hcd "@0" "{}" +
+
+FROM scratch as package
+COPY --from=install /rootfs /
+ENTRYPOINT ["/bin/cpio"]
+CMD ["--version"]

src/tools/curl/Containerfile

@@ -1,21 +1,12 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/gcc:latest as gcc
-FROM ${REGISTRY}/musl:latest as musl
-FROM ${REGISTRY}/make:latest as make
-FROM ${REGISTRY}/binutils:latest as binutils
-FROM ${REGISTRY}/openssl:latest as openssl
-FROM ${REGISTRY}/ca-certificates:latest as ca-certificates
-FROM ${REGISTRY}/busybox:latest as busybox
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV SRC_SITE=https://curl.se/download
 ENV SRC_VERSION=8.4.0
 ENV SRC_HASH=16c62a9c4af0f703d28bda6d7bbf37ba47055ad3414d70dec63e2e6336f2a82d
-COPY --from=binutils . /
-COPY --from=make . /
-COPY --from=musl . /
-COPY --from=gcc . /
-COPY --from=openssl . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/make . /
+COPY --from=stagex/musl . /
+COPY --from=stagex/gcc . /
+COPY --from=stagex/openssl . /
 
 FROM base as fetch
 RUN wget ${SRC_SITE}/curl-${SRC_VERSION}.tar.xz
@@ -40,9 +31,9 @@ RUN set -eux; \
 FROM build as install
 USER 0:0
 RUN make install DESTDIR=/rootfs
-COPY --from=musl . /rootfs/
-COPY --from=openssl . /rootfs/
-COPY --from=ca-certificates . /rootfs/
+COPY --from=stagex/musl . /rootfs/
+COPY --from=stagex/openssl . /rootfs/
+COPY --from=stagex/ca-certificates . /rootfs/
 RUN find /rootfs -exec touch -hcd "@0" "{}" +
 
 FROM scratch as package

src/tools/gen_initramfs/Containerfile

@@ -0,0 +1,28 @@
+FROM stagex/busybox as base
+WORKDIR ${HOME}
+ENV SRC_SITE http://mirrors.edge.kernel.org/pub/linux/kernel/v6.x/
+ENV SRC_VERSION 6.6
+ENV SRC_HASH d926a06c63dd8ac7df3f86ee1ffc2ce2a3b81a2d168484e76b5b389aba8e56d0
+
+FROM base as fetch
+RUN wget ${SRC_SITE}/linux-${SRC_VERSION}.tar.xz
+RUN echo "${SRC_HASH}  linux-${SRC_VERSION}.tar.xz" | sha256sum -c
+
+FROM fetch as build
+RUN tar -xf linux-${SRC_VERSION}.tar.xz
+WORKDIR linux-${SRC_VERSION}
+COPY --from=stagex/gcc . /
+COPY --from=stagex/binutils . /
+COPY --from=stagex/musl . /
+RUN gcc usr/gen_init_cpio.c -o usr/gen_init_cpio
+
+FROM build as install
+USER 0:0
+RUN set -eux; \
+    mkdir -p /rootfs/usr/bin; \
+    cp -a usr/gen_initramfs.sh /rootfs/usr/bin/gen_initramfs; \
+    cp -a usr/gen_init_cpio /rootfs/usr/bin; \
+    find /rootfs -exec touch -hcd "@0" "{}" +
+
+FROM scratch as package
+COPY --from=install /rootfs /

src/tools/sops/Containerfile

@@ -0,0 +1,40 @@
+FROM stagex/busybox as base
+ENV VERSION=3.8.1
+ENV SRC_SITE=https://github.com/getsops/sops/archive/refs/tags
+ENV SRC_HASH=5ca70fb4f96797d09012c705a5bb935835896de7bcd063b98d498912b0e645a0
+RUN echo ${SRC_SITE}/${VERSION}.tar.gz
+
+FROM base as fetch
+COPY --from=stagex/go . /
+COPY --from=stagex/ca-certificates . /
+
+RUN set -eux; \
+    wget ${SRC_SITE}/v${VERSION}.tar.gz; \
+    echo "${SRC_HASH}  v${VERSION}.tar.gz" | sha256sum -c;
+
+FROM fetch as build
+RUN tar -xvf v${VERSION}.tar.gz
+WORKDIR sops-${VERSION}
+ENV PWD=/home/user/sops-${VERSION}
+ENV GOPATH=${PWD}/cache/go
+ENV GOCACHE=${PWD}/cache/
+ENV GOWORK=off
+ENV GOPROXY=https://proxy.golang.org,direct
+ENV GOSUMDB=sum.golang.org
+
+ENV CGO_ENABLED=0
+ENV GOHOSTOS=linux
+ENV GOHOSTARCH=amd64
+ENV GOFLAGS=-trimpath
+RUN mkdir -p ${GOPATH}
+RUN go build -o bin/sops ./cmd/sops
+
+from build as install
+USER 0:0
+RUN mkdir -p /rootfs/usr/bin/
+RUN cp bin/sops /rootfs/usr/bin/
+
+FROM scratch as package
+COPY --from=install /rootfs/ /
+ENTRYPOINT ["/usr/bin/sops"]
+CMD ["--version"]

src/tools/tofu/Containerfile

@@ -1,21 +1,16 @@
-ARG REGISTRY=local
-FROM ${REGISTRY}/go:latest as go
-FROM ${REGISTRY}/busybox:latest as busybox 
-FROM ${REGISTRY}/ca-certificates:latest as ca-certificates
-
-FROM busybox as base
+FROM stagex/busybox as base
 ENV VERSION=1.6.0-beta4
 ENV SRC_SITE=https://github.com/opentofu/opentofu/archive/refs/tags
 ENV SRC_HASH=b14f151839d90d06f95ba4257be159857606daf522d99e9285ddb248f814393f
 RUN echo ${SRC_SITE}/${VERSION}.tar.gz
 
 FROM base as fetch
-COPY --from=go . /
-COPY --from=ca-certificates . /
+COPY --from=stagex/go . /
+COPY --from=stagex/ca-certificates . /
 
 RUN set -eux; \
     wget ${SRC_SITE}/v${VERSION}.tar.gz; \
-    echo "${SRC_HASH}  v${VERSION}.tar.gz" | sha256sum -c; 
+    echo "${SRC_HASH}  v${VERSION}.tar.gz" | sha256sum -c;
 
 FROM fetch as build
 RUN tar -xvf v${VERSION}.tar.gz
@@ -30,7 +25,7 @@ ENV GOSUMDB=sum.golang.org
 ENV CGO_ENABLED=0
 ENV GOHOSTOS=linux
 ENV GOHOSTARCH=amd64
-ENV GOFLAGS=-trimpath 
+ENV GOFLAGS=-trimpath
 RUN mkdir -p ${GOPATH}
 RUN go build -o bin/tofu ./cmd/tofu
 
@@ -42,4 +37,4 @@ RUN cp bin/tofu /rootfs/usr/bin/
 FROM scratch as package
 COPY --from=install /rootfs/ /
 ENTRYPOINT ["/usr/bin/tofu"]
-CMD ["--version"]
+CMD ["--version"]