42
submitted 1 week ago* (last edited 1 week ago) by [email protected] to c/[email protected]

Code: https://github.com/pkgforge/soar

Soar is like linuxbrew (homebrew) but whose packages are 100% static & relocatable on any Linux Distro.

top 10 comments
sorted by: hot top new old
[-] [email protected] 12 points 1 week ago

I have been using your stuff since they were called toolpacks.

https://moonpiedumplings.github.io/playground/ape-experiments/

Welcome to Lemmy, Azathothas. It's nice to see more and more usernames I recognize show up here.

[-] [email protected] 1 points 1 week ago

Wow! Thank you for that blog post, it was a great read.

I went through similar experience when experimenting with these tools, wish I can write a similar blog one day. Meanwhile, here's my takeaways:

APE/Cosmo

The project still has a long way to go especially for serving as drop-in-replacement for CC/compilers. And most programs I tried compiling required too much work (custom patches all over the place), to ever be able to scale up to thousands of packages.

Nix Bundle

This actually works & we used it quite a bit before running into the limitations. Ours is/was based on ralismark/nix-appimage, used bubblewrap & bundled to AppImages : https://github.com/pkgforge/nix-appimage

Guix/Guix pack

I was able to make guix pack relocatable, i.e work outside the store on another system with no guix, but the size was huge (even when compared to Nix bundle). And also guix is quite slow & expensive (even with substitutes), so we had to disable it.

You can still find a few packages from when we used to use guix

$ soar search guix
[-] bash#gnuguix.bash:bincache | 5.1.8 | static - GNU Bourne-Again Shell, the de facto standard shell on Linux (1.79 MiB)
[-] proot#gnuguix.proot-static:bincache | 5.3.0 | static - User-space implementation of chroot, bind mount, and binfmt_misc (1.15 MiB)

Appimage

Them requiring fuse2 is quite an old issue, and no longer true for appimages made post 2022. We have a lot of these properly made AppImages (even steam) that work on both glibc/musl and require no dependency. Check out: https://github.com/pkgforge-dev/Anylinux-AppImages

Python

There's only one project that provides truly static/relocatable python that work on both glibc/musl: https://github.com/leleliu008/python-distribution

All others are only partially static or meant only for either glibc or musl, not both.

Here, I would also like to introduce Sharun. This is the modern successor of staticx with many features, one of those include ability to pack python/pip packages very easily.

Here are some packages we have made using Sharun

$ soar search pypi
[-] anipy-cli#sharun.wrappe.pypi.anipy-cli:pkgcache | 3.5.8 | archive - Watch and Download Anime from the terminal (34.13 MiB)
[-] apprise#sharun.wrappe.pypi.apprise:pkgcache | 1.9.3 | archive - Send notifications from the command-line to popular notification services (23.83 MiB)
[-] archey#sharun.wrappe.pypi.archey:pkgcache | 4.15.0.0 | archive - A simple system information tool written in Python (24.88 MiB)
...and many more...

Soarpkgs (Formerly ToolPacks)

There are many more packages now (especially if you configure soar with soar defconfig --external): https://docs.pkgforge.dev/soar/readme/packages#total

But this came at the cost of discontinuing support for Android & Windows

We also had to discontinue upxed versions because we used up too much storage (yes, ironic)

The installation instruction & script have also been improved since, it now shows you what to do & where packages are installed.

Stal/Ix

We also added this as a source: https://github.com/pkgforge/soarpkgs/issues/191 And have a few packages already:

$ soar search stalix
[-] arti#stalix.bin_arti.stable:bincache | 1.4.1 | static - Tor reimplementation in Rust (22.61 MiB)
[-] fish#stalix.bin_fish.stable:bincache | 3.7.1 | static - Smart and User-friendly Command Line Shell (3.86 MiB)
[-] wget#stalix.bin_wget.stable:bincache | 1.25.0 | static - Tool for retrieving files using HTTP, HTTPS, and FTP (8.94 MiB)
[-] wget2#stalix.bin_wget_2.stable:bincache | 2.2.0 | static - The successor of GNU Wget, a file and recursive website downloader (10.50 MiB)

I also worked closely with the author to introduce binary caches & docker image.

Another project you might be interested in is ppkg: https://github.com/leleliu008/ppkg

This one can compile static binaries, even for BSDs. We have this in soarpkgs as well.

$ soar search ppkg
[-] alacritty#ppkg.alacritty:bincache | 0.15.1 | static - GPU-accelerated terminal emulator (14.75 MiB)
[-] dash#ppkg.dash:bincache | 0.5.12 | static - POSIX compliant shell that aims to be as small as possible (754.03 KiB)
... Total 334...

DockerC

Similar to your experience, dockerC indeed turned out to be quite underwhelming & we are slowly phasing these out from soarpkgs.

[-] [email protected] 1 points 4 days ago

There’s only one project that provides truly static/relocatable python that work on both glibc/musl: https://github.com/leleliu008/python-distribution

There is the python provided by APE/cosmo. They also have two other distributions containing various goodies, pypack1, and pypack2. https://cosmo.zip/pub/cosmos/bin/

But this came at the cost of discontinuing support for Android & Windows

I don't care about android support, but for the competition, and I don't really know about Windows support. Right now, RDP is used to authenticate and managed the machines, but maybe a portable VNC we can quickly spin up, so more than one person can be on the same machine, would be useful.

My original thought was to replace in place, insecure services with secure one's via something like docker containers or nix. But I think many of the machines have too little ram bundled libraries for the services to be viable. I actually tested replacing apache, but it simply wouldn't launch (I think the machine only had 2 GB of ram?).

[-] [email protected] 6 points 1 week ago
[-] [email protected] 5 points 1 week ago

I count 341 dependencies. This massive attack surface might be a problem for people who care about security.

To be clear, this is not unusual in the Rust ecosystem. It's a bit of an awkward situation: Rust's big value proposition is security through memory safety, but that is undermined by its not-especially-rich standard library and Cargo's encouragement of pulling in many dependencies. I hope this will improve in the years to come.

[-] [email protected] 5 points 1 week ago

Does it store a complete dependency graph for each of your statically built (or containerized) applications?

For example, if there's an exploit for libwebp and you need to update all the binaries that link it, can it find which binaries need updating from that information?

[-] [email protected] 2 points 1 week ago

Does it store a complete dependency graph for each of your statically built (or containerized) applications?

No. Though some of it can be inferred from the overtly verbose logs

For example, if there’s an exploit for libwebp and you need to update all the binaries that link it, can it find which binaries need updating from that information?

No again.

Currently, most packages are built from git HEAD on alpine:edge or debian-unstable build containers. So if the fix for this affected libwebp is shipped to the images that the build containers are based on (likely because we use edge/unstable images), then any affected packages would also automatically receive this fix.

To store a complete dependency graph, we will most likely need some custom tooling because our build recipes differ wildly for each package. If you have any ideas, please open a discussion on the repo. Thanks!

[-] [email protected] 2 points 1 week ago

Thanks for the reply.

Currently, most packages are built from git HEAD on alpine:edge or debian-unstable build containers. So if the fix for this affected libwebp is shipped to the images that the build containers are based on (likely because we use edge/unstable images), then any affected packages would also automatically receive this fix.

How often do packages get rebuilt? Is it only when there's a new version? The problem in that case would be that a package that is no longer developed (or has very long release cycles) would not receive the fix.

[-] [email protected] 5 points 1 week ago

How often do packages get rebuilt? Is it only when there’s a new version?

Yes, only if there's a new version.

The problem in that case would be that a package that is no longer developed (or has very long release cycles) would not receive the fix.

We specifically mark these kinds of packages as outdated (even deprecated) if they are older than 90 days

Currently, the stats:

This will improve if we can get more builders, currently we use the free CI provided by github actions

[-] [email protected] 2 points 1 week ago

Interesting, thanks!

this post was submitted on 29 May 2025
42 points (95.7% liked)

Linux

10886 readers
361 users here now

Welcome to c/linux!

Welcome to our thriving Linux community! Whether you're a seasoned Linux enthusiast or just starting your journey, we're excited to have you here. Explore, learn, and collaborate with like-minded individuals who share a passion for open-source software and the endless possibilities it offers. Together, let's dive into the world of Linux and embrace the power of freedom, customization, and innovation. Enjoy your stay and feel free to join the vibrant discussions that await you!

Rules:

  1. Stay on topic: Posts and discussions should be related to Linux, open source software, and related technologies.

  2. Be respectful: Treat fellow community members with respect and courtesy.

  3. Quality over quantity: Share informative and thought-provoking content.

  4. No spam or self-promotion: Avoid excessive self-promotion or spamming.

  5. No NSFW adult content

  6. Follow general lemmy guidelines.

founded 2 years ago
MODERATORS