Group: Software/FSDG distributions/CrossDistroBootstrap

Introduction

In some cases, users and developers might need to install an FSDG distribution from another one.

This tracks tools that can script installations of an FSDG distribution rootfs from another FSDG distribution.

The criteria for being OK / green are very subjective:

The installation needs to be somehow automated (debootstrap / pacstrap)
Signature needs to be checked

Use cases

Using software not available in the distribution you use, while making sure it doesn't bundle nonfree software, depend on it, etc, by reusing all the work that went into packaging it in other FSDG distributions.
Build Replicant (it needs specific versions of GNU/Linux distributions)
Getting FSDG compliant environments packaged by Debian (like Freedombox, or the Android SDK) by getting it from PureOS.
Supporting more distributions (through semi-automatic installations) in an FSDG hosting environment (where administrators can maintain their own VM with the FSDG distribution of their choice)

Cross bootstrap distros table

		Guix for x86_64-linux	Hyperbola i686	Hyperbola x86_64	Parabola armv7h	Parabola i686	Parabola x86_64	PureOS 10.0 (byzantium) aarch64	PureOS 10.0 (byzantium) x86_64	Trisquel 10 (Nabia) x86_64	Trisquel 11 (Aramo) amd64	Trisquel 11 (Aramo) arm64	Trisquel 11 (Aramo) armhf	Trisquel 11 (Aramo) ppc64el
		Hosts
Targets	Guix for x86_64-linux	guix package	Manual install only	Manual install only	guix 1.4.0 and guix-installer 1.4.0 packages	guix 1.4.0 and guix-installer 1.4.0 packages	guix 1.4.0 and guix-installer 1.4.0 packages	guix package^[1]	guix 1.2.0 package^[1]	Manual install only	guix 1.3.0 package	guix 1.3.0 package	guix 1.3.0 package	guix 1.3.0 package
	Hyperbola i686	missing pacstrap	pacstrap	pacstrap	missing qemu-user-static	pacstrap + hyperbola-* packages	pacstrap + hyperbola-* packages	missing pacstrap	missing pacstrap	missing pacstrap	missing pacstrap	missing pacstrap	missing pacstrap	missing pacstrap
	Hyperbola x86_64	missing pacstrap	missing qemu-user-static	pacstrap	missing qemu-user-static	pacstrap + hyperbola-* packages + qemu-user-static	pacstrap + hyperbola-* packages	missing pacstrap	missing pacstrap	missing pacstrap	missing pacstrap	missing pacstrap	missing pacstrap	missing pacstrap
	Parabola armv7h	missing pacstrap	missing qemu-user-static + keyring + configs	missing qemu-user-static + keyring + configs	pacstrap	pacstrap + archlinux-arm-keyring + qemu-user-static	pacstrap + archlinux-arm-keyring + qemu-user-static	missing pacstrap	missing pacstrap	missing pacstrap	missing pacstrap	missing pacstrap	missing pacstrap	missing pacstrap
	Parabola i686	missing pacstrap	manual with pacstrap: missing keyring + configs	manual with pacstrap: missing keyring + configs	missing qemu-user-static	pacstrap	pacstrap + archlinux32-keyring	missing pacstrap	missing pacstrap	missing pacstrap	missing pacstrap	missing pacstrap	missing pacstrap	missing pacstrap
	Parabola x86_64	missing pacstrap	missing qemu-user-static + keyring + configs	manual with pacstrap: missing keyring + configs	missing qemu-user-static	pacstrap + qemu-user-static	pacstrap	missing pacstrap	missing pacstrap	missing pacstrap	missing pacstrap	missing pacstrap	missing pacstrap	missing pacstrap
	PureOS 9.0 (amber) aarch64	Needs testing (with debootstrap and qemu:static)	missing debootstrap	missing debootstrap	Can't run --second-stage: missing qemu-user-static	deboostrap --foreign + pureos-archive-keyring + qemu-user-static	deboostrap --foreign + pureos-archive-keyring + qemu-user-static	debootstrap	debootstrap --foreign + qemu-user-static	missing support in debootstrap + missing keyring?	missing support in debootstrap + missing keyring	missing support in debootstrap + missing keyring	missing support in debootstrap + missing keyring	missing support in debootstrap + missing keyring
	PureOS 9.0 (amber) x86_64	Needs testing (with debootstrap).^[2]	missing debootstrap	missing debootstrap	Can't run --second-stage: missing qemu-user-static	deboostrap --foreign + pureos-archive-keyring + qemu-user-static	deboostrap + pureos-archive-keyring	debootstrap --foreign + qemu-user-static	debootstrap	missing support in debootstrap + missing keyring?	missing support in debootstrap + missing keyring	missing support in debootstrap + missing keyring	missing support in debootstrap + missing keyring	missing support in debootstrap + missing keyring
	PureOS 10 (byzantium) aarch64	Needs testing (with debootstrap and qemu:static)					debootstrap --foreign + qemu-user-static^[3]
	PureOS 10.0 (byzantium) x86_64	debootstrap^[2]					deboostrap + pureos-archive-keyring^[4]		deboostrap + pureos-archive-keyring^[5]
	Trisquel 10 (Nabia) x86_64	Needs testing (with debootstrap).^[6]	missing debootstrap	missing debootstrap			debootstrap + trisquel-keyring^[7]	missing support in debootstrap + missing keyring	missing support in debootstrap + missing keyring	debootstrap (+ some keyring?)	debootstrap + trisquel-keyring
	Trisquel 11 (Aramo) amd64	debootstrap^[6]					debootstrap + trisquel-keyring^[8]				debootstrap + trisquel-keyring
	Trisquel 11 (Aramo) arm64	Needs testing (with debootstrap and qemu:static)					deboostrap --foreign + trisquel-keyring + qemu-user-static^[9]
	Trisquel 11 (Aramo) armhf	debootstrap + qemu:static + small tweaks^[10]					deboostrap --foreign + trisquel-keyring + qemu-user-static^[11]
	Trisquel 11 (Aramo) ppc64el	Needs testing (with debootstrap and qemu:static)					missing qemu-ppc64el-static^[12]
		Guix for x86_64-linux	Hyperbola i686	Hyperbola x86_64	Parabola armv7h	Parabola i686	Parabola x86_64	PureOS 10.0 (byzantium) aarch64	PureOS 10.0 (byzantium) x86_64	Trisquel 10 (Nabia) x86_64	Trisquel 11 (Aramo) aarch64	Trisquel 11 (Aramo) x86_64	Trisquel 11 (Aramo) armhf	Trisquel 11 (Aramo) ppc64el
		Hosts

More precise guix status

Distribution Package / installation method	Version	Default substitute server provided by the package		Security fixes		/etc/guix/acl permissions
Distribution Package / installation method	Version	ci.guix.gnu.org	bordeaux.guix.gnu.org	Fixed-Output Derivation Sandbox Bypass (CVE-2024-27297)	Build User Takeover Vulnerability	/etc/guix/acl permissions
Latest guix system	latest	Yes	Yes	Safe	Safe	-r--r--r-- 1 root root
guix-install.sh	1.4.0^[13]	User setting during installation				-rw------- 1 root root
Parabola	1.4.0	Yes	Yes	Safe	Safe	-rw-r--r-- root root
PureOS 10.0 (byzantium)	1.2.0	Yes	No	Safe	Safe	-rw-r--r-- 1 root root
Trisquel 11.0 (nabia)	1.3.0	Yes	No	Safe	Safe	-rw------- 1 root root

Also if the Guix package on distributions like Parabola, PureOS, Trisquel has security issues, you don't need to wait for your distribution to fix them, you can fix them youself by making Guix update itself. See upgrading the Guix daemon, on a foreign distro for more details.

Guix on FSDG distributions without Guix package

Since it is possible to install Guix manually or with guix-install.sh, below we can see various status information.

Distribution	Can Guix work?	guix-install.sh support	guix-install.sh init system integration	guix-install.sh packaged
Dragora	Yes	Yes	No	No
Dynebolic	Guix requires Internet to be useful ^[14]	?	?	?
Hyperbola	?	?	?	No
LibreCMC	?	?	?	No
Parabola	Yes	Yes	Yes	Yes
ProteanOS	?	?	?	?
PureOS	Yes	Yes	Yes	No
Replicant 6.0	no: outdated kernel^[15]	no: Android needs special care^[16]	No	No
Trisquel 11	Yes	Yes	Yes	No
Ututo	?	?	?	?

More precise status for Debian based distributions

While debootstrap is the standard for being able to create rootfs for Debian based distributions like PureOS or Trisquel, it might be interesting to also look in more detail in the available tooling that reuses or replaces it.

The table below adds such details.

Tool	PureOS target support	Trisquel target support	Works without root once installed?	Guix package	Hyperbola package	Parabola package	PureOS 10.0 (byzantium) package	Trisquel 11 (Aramo) package	Packages for non-FSF certified distributions
consfigurator for creating rootfs		Some features are tied to Debian but with some code they can be made to work with other distros (like Trisquel)	?	No	No	No	No	Yes	Some:^[17] Debian Kali Parrot Raspbian Ubuntu But we don't know if it works or not as 'disk:raw-image-built-for' might depend on debootstrap somehow.
debootstrap	Yes	Yes	?^[18]	Yes	No	Yes	Yes	Yes	Requires Trisquel and PureOS keyrings to be used securely, and there are not packaged.
debuerreotype	Yes	Yes	No^[19]	No	No	Yes	Yes	Yes	Requires Trisquel and PureOS keyrings to be used securely, and there are not packaged.
debspawn	?	?	Yes	No	No	No	Yes	Yes	?

This page was a featured resource in February 2025.

References

↑ ^1.0^1.1 PureOS 10.0 (byzantium) and Trisquel 11 (aramo) now have a guix package
↑ ^2.0^2.1 debootstrap now supports PureOS and automatically pulls the pureos-archive-keyring dependency. Tested with PureOS byzantium when sending the patch for that in Guix.
↑ Tested on Parabola x86_64.
↑ Tested on Parabola x86_64.
↑ Tested inside a byzantium chroot inside Parabola x86_64.
↑ ^6.0^6.1 debootstrap now supports Trisquel and automatically pulls the trisquel-keyring dependency. Tested with Trisquel 11 when sending the patch for that in Guix.
↑ Tested with debootstrap nabia rootfs https://archive.trisquel.info/trisquel on Parabola x86_64.
↑ Tested with debootstrap aramo trisquel-11 https://archive.trisquel.info/trisquel on Parabola x86_64
↑ Tested under Parabola x86_64 by running 'debootstrap --foreign --arch arm64 aramo rootfs' and 'cp /usr/bin/qemu-aarch64-static rootfs' and 'LANG=C.UTF-8 chroot trisquel-11-arm64 qemu-aarch64-static /bin/bash' and '/debootstrap/debootstrap --second-stage' inside the chroot
↑ Tested with the Hardware/FSDG_distributions/Trisquel tutorial with 'etiona' replaced by 'aramo', up to the '/debootstrap/debootstrap --second-stage' (included). The tweaks are mentioned in the tutorial.
↑ Tested on Parabola x86_64 by following Group:Hardware/FSDG_distributions/Trisquel#How_to_install_Trisquel_10_.28etiona.29_on_32bit_ARM_SBCs with aramo instead of etiona. Only the first and second stage deboostrap were done though (I didn't create a loop device, etc).
↑ Parabola has qemu-ppc64le-static, qemu-ppc64-static, qemu-ppc-static but none of them work for chrooting inside the ppc64el chroot.
↑ The install script will, at runtime, download a list of guix releases and determine the latest version. At the time of writing the latest release 1.4.0.
↑ According to https://www.gnu.org/distros/free-distros.html, Dynebolic is meant to run offline, and Guix doesn't work well offline.
↑ Replicant 6.0 uses a 3.0 kernel and Guix binaries requires a much more recent kernel to run. I tried to downgrade the kernel headers to make Guix rebuild everything but it didn't work at the time.
↑ See https://lepiller.eu/en/guix-on-android.html for more details. The easiest way would be to upstream modifications to the Android distribution for making it easier to support Guix, and once done, adding support for Android in guix-install.sh and shipping guix-install.sh as part of the Android distribution.
↑ https://repology.org/project/consfigurator/versions
↑ There was an issue upstream that was fixed by the commits '39b8069 scripts/robur: fix fakechroot.' and '38eb1ed scripts/amber: fix fakechroot.'.
↑ uses the unshare Linux system call which requires root

[guix-package-1] 1.0^1.1 PureOS 10.0 (byzantium) and Trisquel 11 (aramo) now have a guix package

[debootstrap-guix-pureos-2] 2.0^2.1 debootstrap now supports PureOS and automatically pulls the pureos-archive-keyring dependency. Tested with PureOS byzantium when sending the patch for that in Guix.

[3] Tested on Parabola x86_64.

[4] Tested on Parabola x86_64.

[5] Tested inside a byzantium chroot inside Parabola x86_64.

[debootstrap-guix-trisquel-6] 6.0^6.1 debootstrap now supports Trisquel and automatically pulls the trisquel-keyring dependency. Tested with Trisquel 11 when sending the patch for that in Guix.

[7] Tested with debootstrap nabia rootfs https://archive.trisquel.info/trisquel on Parabola x86_64.

[8] Tested with debootstrap aramo trisquel-11 https://archive.trisquel.info/trisquel on Parabola x86_64

[9] Tested under Parabola x86_64 by running 'debootstrap --foreign --arch arm64 aramo rootfs' and 'cp /usr/bin/qemu-aarch64-static rootfs' and 'LANG=C.UTF-8 chroot trisquel-11-arm64 qemu-aarch64-static /bin/bash' and '/debootstrap/debootstrap --second-stage' inside the chroot

[10] Tested with the Hardware/FSDG_distributions/Trisquel tutorial with 'etiona' replaced by 'aramo', up to the '/debootstrap/debootstrap --second-stage' (included). The tweaks are mentioned in the tutorial.

[11] Tested on Parabola x86_64 by following Group:Hardware/FSDG_distributions/Trisquel#How_to_install_Trisquel_10_.28etiona.29_on_32bit_ARM_SBCs with aramo instead of etiona. Only the first and second stage deboostrap were done though (I didn't create a loop device, etc).

[12] Parabola has qemu-ppc64le-static, qemu-ppc64-static, qemu-ppc-static but none of them work for chrooting inside the ppc64el chroot.

[13] The install script will, at runtime, download a list of guix releases and determine the latest version. At the time of writing the latest release 1.4.0.

[14] According to https://www.gnu.org/distros/free-distros.html, Dynebolic is meant to run offline, and Guix doesn't work well offline.

[15] Replicant 6.0 uses a 3.0 kernel and Guix binaries requires a much more recent kernel to run. I tried to downgrade the kernel headers to make Guix rebuild everything but it didn't work at the time.

[16] See https://lepiller.eu/en/guix-on-android.html for more details. The easiest way would be to upstream modifications to the Android distribution for making it easier to support Guix, and once done, adding support for Android in guix-install.sh and shipping guix-install.sh as part of the Android distribution.

[17] ttps://repology.org/project/consfigurator/versions

[18] There was an issue upstream that was fixed by the commits '39b8069 scripts/robur: fix fakechroot.' and '38eb1ed scripts/amber: fix fakechroot.'.

[19] uses the unshare Linux system call which requires root

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

Navigation menu