Found with AI assistance.
Co-authored-by: Etienne Champetier <champetier.etienne@gmail.com>
## The archive format
-In the [repo](repo) section, the concept of objects was introduced,
+In the [repo](repo.md) section, the concept of objects was introduced,
where file/content objects are checksummed and managed individually.
(Unlike a package system, which operates on compressed aggregates).
file, and policies can be applied to e.g. require that code executed
by the root user have a valid signed digest.
-The alignment between Linux IMA and ostree is quite strong. OSTree
+The alignment between Linux IMA and OSTree is quite strong. OSTree
provides a content-addressable object store, where files are intended
to be immutable. This is implemented with a basic read-only bind mount.
## IMA signatures and OSTree checksum
Mechanically, IMA signatures appear as a `security.ima` extended attribute
-on the file. This is a signed digest of just the file content (and not
-any metadata)
+on the file. This is a signed digest of just the file content (i.e. not including file metadata).
OSTree's checksums in contrast include not just the file content, but also
metadata such as uid, gid and mode and extended attributes;
## Projects linking to libostree
[rpm-ostree](https://github.com/projectatomic/rpm-ostree) is used by the
-Fedora-derived operating systems listed above. It is a full hybrid
-image/package system. By default it uses libostree to atomically replicate a base OS
+Fedora-derived operating systems listed above. It is a full hybrid
+image/package system. By default it uses libostree to atomically replicate a base OS
(all dependency resolution is done on the server), but it supports "package layering", where
-additional RPMs can be layered on top of the base. This brings a "best of both worlds""
+additional RPMs can be layered on top of the base. This brings a "best of both worlds"
model for image and package systems.
[eos-updater](https://github.com/endlessm/eos-updater) is a daemon that implements updates
for statically compiled languages. Here's a list of such bindings:
- [ostree-go](https://github.com/ostreedev/ostree-go/)
- - [ostree-rs](./rust-bindings)
+ - [ostree-rs](https://docs.rs/crate/ostree/latest) (included in this repo)
## Building
and the overall status in the [COPYING](https://github.com/ostreedev/ostree/blob/main/COPYING)
file in the source. Currently, that's LGPLv2+. This also covers the man pages and API docs.
-The license for the manual documentation in the `doc/` directory is:
+The license for the manual documentation in the `docs/` directory is:
`SPDX-License-Identifier: (CC-BY-SA-3.0 OR GFDL-1.3-or-later)`
This is intended to allow use by Wikipedia and other projects.
should be triggered serially by other jobs).
There is some more information on the design of the summary file in
-[Repo](repo.md).
+[repo](repo.md).
## Pruning our build and dev repositories
can generate "scratch" (aka `--empty` deltas) which bundle all
objects for that commit.
-The tradeoff here is increasing server disk space in return
-for many fewer client HTTP requests.
+The tradeoff here is increased server disk space for fewer client HTTP requests.
For example:
It is still strongly recommended to use systemd `tmpfiles.d` snippets
to populate directory structure and the like in `/var` on firstboot,
-because this is more resilent.
+because this is more resilient.
Even better, use `StateDirectory=` for systemd units.
On subsequent upgrades, normally `/var` would not be empty anymore
(as it's typically expected that basics like `/var/tmp` etc. are created,
if not also other local state such as `/var/log` etc.). Hence,
-*no updates* from the commit/container will be applied.
+no updates *to existing files* from the commit/container will be applied.
To be clear then:
projects / ostree.git / commitdiff