release: 0.3.7

Signed-off-by: Ophestra <cat@gensokyo.uk>

README.md

@@ -1,5 +1,5 @@
 <p align="center">
-  <a href="https://git.gensokyo.uk/security/hakurei">
+  <a href="https://git.gensokyo.uk/rosa/hakurei">
     <picture>
       <img src="https://basement.gensokyo.uk/images/yukari1.png" width="200px" alt="Yukari">
     </picture>
@@ -8,16 +8,16 @@
 
 <p align="center">
   <a href="https://pkg.go.dev/hakurei.app"><img src="https://pkg.go.dev/badge/hakurei.app.svg" alt="Go Reference" /></a>
-  <a href="https://git.gensokyo.uk/security/hakurei/actions"><img src="https://git.gensokyo.uk/security/hakurei/actions/workflows/test.yml/badge.svg?branch=staging&style=flat-square" alt="Gitea Workflow Status" /></a>
+  <a href="https://git.gensokyo.uk/rosa/hakurei/actions"><img src="https://git.gensokyo.uk/rosa/hakurei/actions/workflows/test.yml/badge.svg?branch=staging&style=flat-square" alt="Gitea Workflow Status" /></a>
   <br/>
-  <a href="https://git.gensokyo.uk/security/hakurei/releases"><img src="https://img.shields.io/gitea/v/release/security/hakurei?gitea_url=https%3A%2F%2Fgit.gensokyo.uk&color=purple" alt="Release" /></a>
+  <a href="https://git.gensokyo.uk/rosa/hakurei/releases"><img src="https://img.shields.io/gitea/v/release/rosa/hakurei?gitea_url=https%3A%2F%2Fgit.gensokyo.uk&color=purple" alt="Release" /></a>
   <a href="https://goreportcard.com/report/hakurei.app"><img src="https://goreportcard.com/badge/hakurei.app" alt="Go Report Card" /></a>
   <a href="https://hakurei.app"><img src="https://img.shields.io/website?url=https%3A%2F%2Fhakurei.app" alt="Website" /></a>
 </p>
 
 Hakurei is a tool for running sandboxed desktop applications as dedicated
 subordinate users on the Linux kernel. It implements the application container
-of [planterette (WIP)](https://git.gensokyo.uk/security/planterette), a
+of [planterette (WIP)](https://git.gensokyo.uk/rosa/planterette), a
 self-contained Android-like package manager with modern security features.
 
 Interaction with hakurei happens entirely through structures described by
@@ -62,4 +62,4 @@ are very likely to be rejected.
 ## NixOS Module (deprecated)
 
 The NixOS module is in maintenance mode and will be removed once planterette is
-feature-complete. Full module documentation can be found [here](options.md).
+feature-complete. Full module documentation can be found [here](options.md).

cmd/earlyinit/main.go

@@ -4,6 +4,7 @@ import (
 	"log"
 	"os"
 	"runtime"
+	"strings"
 	. "syscall"
 )
 
@@ -12,6 +13,22 @@ func main() {
 	log.SetFlags(0)
 	log.SetPrefix("earlyinit: ")
 
+	var (
+		option map[string]string
+		flags  []string
+	)
+	if len(os.Args) > 1 {
+		option = make(map[string]string)
+		for _, s := range os.Args[1:] {
+			key, value, ok := strings.Cut(s, "=")
+			if !ok {
+				flags = append(flags, s)
+				continue
+			}
+			option[key] = value
+		}
+	}
+
 	if err := Mount(
 		"devtmpfs",
 		"/dev/",
@@ -55,4 +72,56 @@ func main() {
 		}
 	}
 
+	// staying in rootfs, these are no longer used
+	must(os.Remove("/root"))
+	must(os.Remove("/init"))
+
+	must(os.Mkdir("/proc", 0))
+	mustSyscall("mount proc", Mount(
+		"proc",
+		"/proc",
+		"proc",
+		MS_NOSUID|MS_NOEXEC|MS_NODEV,
+		"hidepid=1",
+	))
+
+	must(os.Mkdir("/sys", 0))
+	mustSyscall("mount sysfs", Mount(
+		"sysfs",
+		"/sys",
+		"sysfs",
+		0,
+		"",
+	))
+
+	// after top level has been set up
+	mustSyscall("remount root", Mount(
+		"",
+		"/",
+		"",
+		MS_REMOUNT|MS_BIND|
+			MS_RDONLY|MS_NODEV|MS_NOSUID|MS_NOEXEC,
+		"",
+	))
+
+	must(os.WriteFile(
+		"/sys/module/firmware_class/parameters/path",
+		[]byte("/system/lib/firmware"),
+		0,
+	))
+
+}
+
+// mustSyscall calls [log.Fatalln] if err is non-nil.
+func mustSyscall(action string, err error) {
+	if err != nil {
+		log.Fatalln("cannot "+action+":", err)
+	}
+}
+
+// must calls [log.Fatal] with err if it is non-nil.
+func must(err error) {
+	if err != nil {
+		log.Fatal(err)
+	}
 }

cmd/hakurei/command.go

@@ -16,6 +16,7 @@ import (
 	"hakurei.app/command"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
+	"hakurei.app/container/std"
 	"hakurei.app/hst"
 	"hakurei.app/internal/dbus"
 	"hakurei.app/internal/env"
@@ -88,7 +89,9 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 			flagGroups   command.RepeatableFlag
 			flagHomeDir  string
 			flagUserName string
-			flagSched    string
+
+			flagSchedPolicy   string
+			flagSchedPriority int
 
 			flagPrivateRuntime, flagPrivateTmpdir bool
 
@@ -178,9 +181,12 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				},
 			}
 
-			if err := config.SchedPolicy.UnmarshalText([]byte(flagSched)); err != nil {
+			if err := config.SchedPolicy.UnmarshalText(
+				[]byte(flagSchedPolicy),
+			); err != nil {
 				log.Fatal(err)
 			}
+			config.SchedPriority = std.Int(flagSchedPriority)
 
 			// bind GPU stuff
 			if et&(hst.EX11|hst.EWayland) != 0 {
@@ -292,8 +298,10 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				"Container home directory").
 			Flag(&flagUserName, "u", command.StringFlag("chronos"),
 				"Passwd user name within sandbox").
-			Flag(&flagSched, "sched", command.StringFlag(""),
+			Flag(&flagSchedPolicy, "policy", command.StringFlag(""),
 				"Scheduling policy to set for the container").
+			Flag(&flagSchedPriority, "priority", command.IntFlag(0),
+				"Scheduling priority to set for the container").
 			Flag(&flagPrivateRuntime, "private-runtime", command.BoolFlag(false),
 				"Do not share XDG_RUNTIME_DIR between containers under the same identity").
 			Flag(&flagPrivateTmpdir, "private-tmpdir", command.BoolFlag(false),

cmd/hakurei/command_test.go

@@ -36,7 +36,7 @@ Commands:
 		},
 		{
 			"run", []string{"run", "-h"}, `
-Usage:	hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--sched <value>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pipewire] [--pulse] COMMAND [OPTIONS]
+Usage:	hakurei run [-h | --help] [--dbus-config <value>] [--dbus-system <value>] [--mpris] [--dbus-log] [--id <value>] [-a <int>] [-g <value>] [-d <value>] [-u <value>] [--policy <value>] [--priority <int>] [--private-runtime] [--private-tmpdir] [--wayland] [-X] [--dbus] [--pipewire] [--pulse] COMMAND [OPTIONS]
 
 Flags:
   -X	Enable direct connection to X11
@@ -60,14 +60,16 @@ Flags:
     	Allow owning MPRIS D-Bus path, has no effect if custom config is available
   -pipewire
     	Enable connection to PipeWire via SecurityContext
+  -policy string
+    	Scheduling policy to set for the container
+  -priority int
+    	Scheduling priority to set for the container
   -private-runtime
     	Do not share XDG_RUNTIME_DIR between containers under the same identity
   -private-tmpdir
     	Do not share TMPDIR between containers under the same identity
   -pulse
     	Enable PulseAudio compatibility daemon
-  -sched string
-    	Scheduling policy to set for the container
   -u string
     	Passwd user name within sandbox (default "chronos")
   -wayland

cmd/mbf/main.go

@@ -175,6 +175,17 @@ func main() {
 							fmt.Println("website     : " +
 								strings.TrimSuffix(meta.Website, "/"))
 						}
+						if len(meta.Dependencies) > 0 {
+							fmt.Print("depends on  :")
+							for _, d := range meta.Dependencies {
+								s := rosa.GetMetadata(d).Name
+								if version := rosa.Std.Version(d); version != rosa.Unversioned {
+									s += "-" + version
+								}
+								fmt.Print(" " + s)
+							}
+							fmt.Println()
+						}
 
 						const statusPrefix = "status      : "
 						if flagStatus {
@@ -423,7 +434,8 @@ func main() {
 
 	{
 		var (
-			flagDump string
+			flagDump   string
+			flagExport string
 		)
 		c.NewCommand(
 			"cure",
@@ -436,10 +448,34 @@ func main() {
 					return fmt.Errorf("unknown artifact %q", args[0])
 				} else if flagDump == "" {
 					pathname, _, err := cache.Cure(rosa.Std.Load(p))
-					if err == nil {
-						log.Println(pathname)
+					if err != nil {
+						return err
 					}
-					return err
+					log.Println(pathname)
+
+					if flagExport != "" {
+						msg.Verbosef("exporting %s to %s...", args[0], flagExport)
+
+						var f *os.File
+						if f, err = os.OpenFile(
+							flagExport,
+							os.O_WRONLY|os.O_CREATE|os.O_EXCL,
+							0400,
+						); err != nil {
+							return err
+						} else if _, err = pkg.Flatten(
+							os.DirFS(pathname.String()),
+							".",
+							f,
+						); err != nil {
+							_ = f.Close()
+							return err
+						} else if err = f.Close(); err != nil {
+							return err
+						}
+					}
+
+					return nil
 				} else {
 					f, err := os.OpenFile(
 						flagDump,
@@ -463,6 +499,11 @@ func main() {
 				&flagDump,
 				"dump", command.StringFlag(""),
 				"Write IR to specified pathname and terminate",
+			).
+			Flag(
+				&flagExport,
+				"export", command.StringFlag(""),
+				"Export cured artifact to specified pathname",
 			)
 	}
 
@@ -477,17 +518,19 @@ func main() {
 			"shell",
 			"Interactive shell in the specified Rosa OS environment",
 			func(args []string) error {
-				root := make([]pkg.Artifact, 0, 6+len(args))
-				for _, arg := range args {
+				presets := make([]rosa.PArtifact, len(args))
+				for i, arg := range args {
 					p, ok := rosa.ResolveName(arg)
 					if !ok {
 						return fmt.Errorf("unknown artifact %q", arg)
 					}
-					root = append(root, rosa.Std.Load(p))
+					presets[i] = p
 				}
+				root := make(rosa.Collect, 0, 6+len(args))
+				root = rosa.Std.AppendPresets(root, presets...)
 
 				if flagWithToolchain {
-					musl, compilerRT, runtimes, clang := rosa.Std.NewLLVM()
+					musl, compilerRT, runtimes, clang := (rosa.Std - 1).NewLLVM()
 					root = append(root, musl, compilerRT, runtimes, clang)
 				} else {
 					root = append(root, rosa.Std.Load(rosa.Musl))
@@ -497,6 +540,12 @@ func main() {
 					rosa.Std.Load(rosa.Toybox),
 				)
 
+				if _, _, err := cache.Cure(&root); err == nil {
+					return errors.New("unreachable")
+				} else if !errors.Is(err, rosa.Collected{}) {
+					return err
+				}
+
 				type cureRes struct {
 					pathname *check.Absolute
 					checksum unique.Handle[pkg.Checksum]

hst/config.go

@@ -82,7 +82,7 @@ type Config struct {
 	//
 	// Do not set this to true, it is insecure under any configuration.
 	//
-	// [the /.flatpak-info hack]: https://git.gensokyo.uk/security/hakurei/issues/21
+	// [the /.flatpak-info hack]: https://git.gensokyo.uk/rosa/hakurei/issues/21
 	DirectPipeWire bool `json:"direct_pipewire,omitempty"`
 
 	// Direct access to PulseAudio socket, no attempt is made to establish
@@ -104,9 +104,15 @@ type Config struct {
 	// Init user namespace supplementary groups inherited by all container processes.
 	Groups []string `json:"groups"`
 
-	// Scheduling policy to set for the container. The zero value retains the
-	// current scheduling policy.
+	// Scheduling policy to set for the container.
+	//
+	// The zero value retains the current scheduling policy.
 	SchedPolicy std.SchedPolicy `json:"sched_policy,omitempty"`
+	// Scheduling priority to set for the container.
+	//
+	// The zero value implies the minimum priority of the current SchedPolicy.
+	// Has no effect if SchedPolicy is zero.
+	SchedPriority std.Int `json:"sched_priority,omitempty"`
 
 	// High level configuration applied to the underlying [container].
 	Container *ContainerConfig `json:"container"`

internal/outcome/outcome.go

@@ -100,7 +100,8 @@ func newOutcomeState(k syscallDispatcher, msg message.Msg, id *hst.ID, config *h
 			PrivPID: k.getpid(),
 			Verbose: msg.IsVerbose(),
 
-			SchedPolicy: config.SchedPolicy,
+			SchedPolicy:   config.SchedPolicy,
+			SchedPriority: config.SchedPriority,
 		},
 
 		ID:       id,

internal/outcome/shim.go

@@ -75,6 +75,8 @@ type shimParams struct {
 
 	// Copied from [hst.Config].
 	SchedPolicy std.SchedPolicy
+	// Copied from [hst.Config].
+	SchedPriority std.Int
 
 	// Outcome setup ops, contains setup state. Populated by outcome.finalise.
 	Ops []outcomeOp
@@ -276,6 +278,7 @@ func shimEntrypoint(k syscallDispatcher) {
 	z := container.New(ctx, msg)
 	z.SetScheduler = state.Shim.SchedPolicy > 0
 	z.SchedPolicy = state.Shim.SchedPolicy
+	z.SchedPriority = state.Shim.SchedPriority
 	z.Params = *stateParams.params
 	z.Stdin, z.Stdout, z.Stderr = os.Stdin, os.Stdout, os.Stderr
 

internal/rosa/acl.go

@@ -101,6 +101,10 @@ func init() {
 		Description: "Commands for Manipulating POSIX Access Control Lists",
 		Website:     "https://savannah.nongnu.org/projects/acl/",
 
+		Dependencies: P{
+			Attr,
+		},
+
 		ID: 16,
 	}
 }

internal/rosa/all.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"net/http"
 	"strconv"
 	"sync"
@@ -19,8 +20,10 @@ const (
 	LLVMRuntimes
 	LLVMClang
 
-	// EarlyInit is the Rosa OS initramfs init program.
+	// EarlyInit is the Rosa OS init program.
 	EarlyInit
+	// ImageSystem is the Rosa OS /system image.
+	ImageSystem
 	// ImageInitramfs is the Rosa OS initramfs archive.
 	ImageInitramfs
 
@@ -167,6 +170,36 @@ const (
 	PresetEnd
 )
 
+// P represents multiple [PArtifact] and is stable through JSON.
+type P []PArtifact
+
+// MarshalJSON represents [PArtifact] by their [Metadata.Name].
+func (s P) MarshalJSON() ([]byte, error) {
+	names := make([]string, len(s))
+	for i, p := range s {
+		names[i] = GetMetadata(p).Name
+	}
+	return json.Marshal(names)
+}
+
+// UnmarshalJSON resolves the value created by MarshalJSON back to [P].
+func (s *P) UnmarshalJSON(data []byte) error {
+	var names []string
+	if err := json.Unmarshal(data, &names); err != nil {
+		return err
+	}
+
+	*s = make(P, len(names))
+	for i, name := range names {
+		if p, ok := ResolveName(name); !ok {
+			return fmt.Errorf("unknown artifact %q", name)
+		} else {
+			(*s)[i] = p
+		}
+	}
+	return nil
+}
+
 // Metadata is stage-agnostic information of a [PArtifact] not directly
 // representable in the resulting [pkg.Artifact].
 type Metadata struct {
@@ -179,6 +212,9 @@ type Metadata struct {
 	// Project home page.
 	Website string `json:"website,omitempty"`
 
+	// Runtime dependencies.
+	Dependencies P `json:"dependencies"`
+
 	// Project identifier on [Anitya].
 	//
 	// [Anitya]: https://release-monitoring.org/
@@ -256,9 +292,10 @@ var (
 	artifactsM [PresetEnd]Metadata
 
 	// artifacts stores the result of Metadata.f.
-	artifacts [_toolchainEnd][len(artifactsM)]pkg.Artifact
-	// versions stores the version of [PArtifact].
-	versions [_toolchainEnd][len(artifactsM)]string
+	artifacts [_toolchainEnd][len(artifactsM)]struct {
+		a pkg.Artifact
+		v string
+	}
 	// artifactsOnce is for lazy initialisation of artifacts.
 	artifactsOnce [_toolchainEnd][len(artifactsM)]sync.Once
 )
@@ -266,20 +303,23 @@ var (
 // GetMetadata returns [Metadata] of a [PArtifact].
 func GetMetadata(p PArtifact) *Metadata { return &artifactsM[p] }
 
+// construct constructs a [pkg.Artifact] corresponding to a [PArtifact] once.
+func (t Toolchain) construct(p PArtifact) {
+	artifactsOnce[t][p].Do(func() {
+		artifacts[t][p].a, artifacts[t][p].v = artifactsM[p].f(t)
+	})
+}
+
 // Load returns the resulting [pkg.Artifact] of [PArtifact].
 func (t Toolchain) Load(p PArtifact) pkg.Artifact {
-	artifactsOnce[t][p].Do(func() {
-		artifacts[t][p], versions[t][p] = artifactsM[p].f(t)
-	})
-	return artifacts[t][p]
+	t.construct(p)
+	return artifacts[t][p].a
 }
 
 // Version returns the version string of [PArtifact].
 func (t Toolchain) Version(p PArtifact) string {
-	artifactsOnce[t][p].Do(func() {
-		artifacts[t][p], versions[t][p] = artifactsM[p].f(t)
-	})
-	return versions[t][p]
+	t.construct(p)
+	return artifacts[t][p].v
 }
 
 // ResolveName returns a [PArtifact] by name.

internal/rosa/curl.go

@@ -4,24 +4,48 @@ import "hakurei.app/internal/pkg"
 
 func (t Toolchain) newCurl() (pkg.Artifact, string) {
 	const (
-		version  = "8.18.0"
-		checksum = "YpOolP_sx1DIrCEJ3elgVAu0wTLDS-EZMZFvOP0eha7FaLueZUlEpuMwDzJNyi7i"
+		version  = "8.19.0"
+		checksum = "YHuVLVVp8q_Y7-JWpID5ReNjq2Zk6t7ArHB6ngQXilp_R5l3cubdxu3UKo-xDByv"
 	)
 	return t.NewPackage("curl", version, pkg.NewHTTPGetTar(
 		nil, "https://curl.se/download/curl-"+version+".tar.bz2",
 		mustDecode(checksum),
 		pkg.TarBzip2,
-	), nil, &MakeHelper{
+	), &PackageAttr{
+		Patches: [][2]string{
+			{"test459-misplaced-line-break", `diff --git a/tests/data/test459 b/tests/data/test459
+index 7a2e1db7b3..cc716aa65a 100644
+--- a/tests/data/test459
++++ b/tests/data/test459
+@@ -54,8 +54,8 @@ Content-Type: application/x-www-form-urlencoded
+ arg
+ </protocol>
+ <stderr mode="text">
+-Warning: %LOGDIR/config:1 Option 'data' uses argument with unquoted whitespace.%SP
+-Warning: This may cause side-effects. Consider double quotes.
++Warning: %LOGDIR/config:1 Option 'data' uses argument with unquoted%SP
++Warning: whitespace. This may cause side-effects. Consider double quotes.
+ </stderr>
+ </verify>
+ </testcase>
+`},
+		},
+	}, &MakeHelper{
 		Configure: [][2]string{
 			{"with-openssl"},
 			{"with-ca-bundle", "/system/etc/ssl/certs/ca-bundle.crt"},
+
+			{"disable-smb"},
 		},
 		Check: []string{
-			"TFLAGS=-j256",
-			"check",
+			`TFLAGS="-j$(expr "$(nproc)" '*' 2)"`,
+			"test-nonflaky",
 		},
 	},
 		Perl,
+		Python,
+		PkgConfig,
+		Diffutils,
 
 		Libpsl,
 		OpenSSL,
@@ -35,6 +59,11 @@ func init() {
 		Description: "command line tool and library for transferring data with URLs",
 		Website:     "https://curl.se/",
 
+		Dependencies: P{
+			Libpsl,
+			OpenSSL,
+		},
+
 		ID: 381,
 	}
 }

internal/rosa/elfutils.go

@@ -46,6 +46,14 @@ func init() {
 		Description: "utilities and libraries to handle ELF files and DWARF data",
 		Website:     "https://sourceware.org/elfutils/",
 
+		Dependencies: P{
+			Zlib,
+			Bzip2,
+			Zstd,
+			MuslFts,
+			MuslObstack,
+		},
+
 		ID: 5679,
 	}
 }

internal/rosa/fakeroot.go

@@ -36,9 +36,6 @@ index f135ad9..85c784c 100644
 		// makes assumptions about /etc/passwd
 		SkipCheck: true,
 	},
-		M4,
-		Perl,
-		Autoconf,
 		Automake,
 		Libtool,
 		PkgConfig,

internal/rosa/fuse.go

@@ -24,10 +24,6 @@ func (t Toolchain) newFuse() (pkg.Artifact, string) {
 		// this project uses pytest
 		SkipTest: true,
 	},
-		PythonIniConfig,
-		PythonPackaging,
-		PythonPluggy,
-		PythonPygments,
 		PythonPyTest,
 
 		KernelHeaders,

internal/rosa/git.go

@@ -52,16 +52,18 @@ disable_test t2200-add-update
 			`GIT_PROVE_OPTS="--jobs 32 --failures"`,
 			"prove",
 		},
+		Install: `make \
+	"-j$(nproc)" \
+	DESTDIR=/work \
+	NO_INSTALL_HARDLINKS=1 \
+	install`,
 	},
-		Perl,
 		Diffutils,
-		M4,
 		Autoconf,
 		Gettext,
 
 		Zlib,
 		Curl,
-		OpenSSL,
 		Libexpat,
 	), version
 }
@@ -73,6 +75,12 @@ func init() {
 		Description: "distributed version control system",
 		Website:     "https://www.git-scm.com/",
 
+		Dependencies: P{
+			Zlib,
+			Curl,
+			Libexpat,
+		},
+
 		ID: 5350,
 	}
 }
@@ -82,14 +90,10 @@ func (t Toolchain) NewViaGit(
 	name, url, rev string,
 	checksum pkg.Checksum,
 ) pkg.Artifact {
-	return t.New(name+"-"+rev, 0, []pkg.Artifact{
-		t.Load(NSSCACert),
-		t.Load(OpenSSL),
-		t.Load(Libpsl),
-		t.Load(Curl),
-		t.Load(Libexpat),
-		t.Load(Git),
-	}, &checksum, nil, `
+	return t.New(name+"-"+rev, 0, t.AppendPresets(nil,
+		NSSCACert,
+		Git,
+	), &checksum, nil, `
 git \
 	-c advice.detachedHead=false \
 	clone \

internal/rosa/gnu.go

@@ -117,6 +117,11 @@ func init() {
 		Description: "M4 macros to produce self-contained configure script",
 		Website:     "https://www.gnu.org/software/autoconf/",
 
+		Dependencies: P{
+			M4,
+			Perl,
+		},
+
 		ID: 141,
 	}
 }
@@ -143,8 +148,6 @@ test_disable '#!/bin/sh' t/distname.sh
 test_disable '#!/bin/sh' t/pr9.sh
 `,
 	}, (*MakeHelper)(nil),
-		M4,
-		Perl,
 		Grep,
 		Gzip,
 		Autoconf,
@@ -159,6 +162,10 @@ func init() {
 		Description: "a tool for automatically generating Makefile.in files",
 		Website:     "https://www.gnu.org/software/automake/",
 
+		Dependencies: P{
+			Autoconf,
+		},
+
 		ID: 144,
 	}
 }
@@ -524,6 +531,11 @@ func init() {
 		Description: "the GNU square-wheel-reinvension of man pages",
 		Website:     "https://www.gnu.org/software/texinfo/",
 
+		Dependencies: P{
+			Perl,
+			Gawk,
+		},
+
 		ID: 4958,
 	}
 }
@@ -660,7 +672,6 @@ func (t Toolchain) newBC() (pkg.Artifact, string) {
 		Writable: true,
 		Chmod:    true,
 	}, (*MakeHelper)(nil),
-		Perl,
 		Texinfo,
 	), version
 }
@@ -762,6 +773,10 @@ func init() {
 		Description: "a shell tool for executing jobs in parallel using one or more computers",
 		Website:     "https://www.gnu.org/software/parallel/",
 
+		Dependencies: P{
+			Perl,
+		},
+
 		ID: 5448,
 	}
 }
@@ -839,6 +854,10 @@ func init() {
 		Description: "a C library for multiple-precision floating-point computations",
 		Website:     "https://www.mpfr.org/",
 
+		Dependencies: P{
+			GMP,
+		},
+
 		ID: 2019,
 	}
 }
@@ -854,7 +873,6 @@ func (t Toolchain) newMPC() (pkg.Artifact, string) {
 		mustDecode(checksum),
 		pkg.TarGzip,
 	), nil, (*MakeHelper)(nil),
-		GMP,
 		MPFR,
 	), version
 }
@@ -866,6 +884,10 @@ func init() {
 		Description: "a C library for the arithmetic of complex numbers",
 		Website:     "https://www.multiprecision.org/",
 
+		Dependencies: P{
+			MPFR,
+		},
+
 		ID: 1667,
 	}
 }
@@ -1063,10 +1085,7 @@ ln -s system/lib /work/
 	},
 		Binutils,
 
-		GMP,
-		MPFR,
 		MPC,
-
 		Zlib,
 		Libucontext,
 		KernelHeaders,
@@ -1080,6 +1099,14 @@ func init() {
 		Description: "The GNU Compiler Collection",
 		Website:     "https://www.gnu.org/software/gcc/",
 
+		Dependencies: P{
+			Binutils,
+
+			MPC,
+			Zlib,
+			Libucontext,
+		},
+
 		ID: 6502,
 	}
 }

internal/rosa/go.go

@@ -74,22 +74,8 @@ func (t Toolchain) newGoLatest() (pkg.Artifact, string) {
 		bootstrapExtra = append(bootstrapExtra, t.newGoBootstrap())
 
 	case "arm64":
-		bootstrapEnv = append(bootstrapEnv,
-			"GOROOT_BOOTSTRAP=/system",
-		)
-		bootstrapExtra = append(bootstrapExtra,
-			t.Load(Binutils),
-
-			t.Load(GMP),
-			t.Load(MPFR),
-			t.Load(MPC),
-
-			t.Load(Zlib),
-			t.Load(Libucontext),
-
-			t.Load(gcc),
-		)
-
+		bootstrapEnv = append(bootstrapEnv, "GOROOT_BOOTSTRAP=/system")
+		bootstrapExtra = t.AppendPresets(bootstrapExtra, gcc)
 		finalEnv = append(finalEnv, "CGO_ENABLED=0")
 
 	default:

internal/rosa/gtk.go

@@ -9,8 +9,8 @@ import (
 
 func (t Toolchain) newGLib() (pkg.Artifact, string) {
 	const (
-		version  = "2.87.3"
-		checksum = "iKSLpzZZVfmAZZmqfO1y6uHdlIks4hzPWrqeUCp4ZeQjrPFA3aAa4OmrBYMNS-Si"
+		version  = "2.87.5"
+		checksum = "L5jurSfyCTlcSTfx-1RBHbNZPL0HnNQakmFXidgAV1JFu0lbytowCCBAALTp-WGc"
 	)
 	return t.NewPackage("glib", version, pkg.NewHTTPGet(
 		nil, "https://download.gnome.org/sources/glib/"+
@@ -56,6 +56,12 @@ func init() {
 		Description: "the GNU library of miscellaneous stuff",
 		Website:     "https://developer.gnome.org/glib/",
 
+		Dependencies: P{
+			PCRE2,
+			Libffi,
+			Zlib,
+		},
+
 		ID: 10024,
 	}
 }

internal/rosa/hakurei.go

@@ -15,29 +15,23 @@ echo
 		hostname = ""
 	}
 
-	return t.New("hakurei"+suffix+"-"+hakureiVersion, 0, []pkg.Artifact{
-		t.Load(Go),
+	return t.New("hakurei"+suffix+"-"+hakureiVersion, 0, t.AppendPresets(nil,
+		Go,
+		PkgConfig,
 
-		t.Load(Gzip),
-		t.Load(PkgConfig),
+		// dist tarball
+		Gzip,
 
-		t.Load(KernelHeaders),
-		t.Load(Libseccomp),
-		t.Load(ACL),
-		t.Load(Attr),
-		t.Load(Fuse),
+		// statically linked
+		Libseccomp,
+		ACL,
+		Fuse,
+		XCB,
+		Wayland,
+		WaylandProtocols,
 
-		t.Load(Xproto),
-		t.Load(LibXau),
-		t.Load(XCBProto),
-		t.Load(XCB),
-
-		t.Load(Libffi),
-		t.Load(Libexpat),
-		t.Load(Libxml2),
-		t.Load(Wayland),
-		t.Load(WaylandProtocols),
-	}, nil, []string{
+		KernelHeaders,
+	), nil, []string{
 		"CGO_ENABLED=1",
 		"GOCACHE=/tmp/gocache",
 		"CC=clang -O3 -Werror",

internal/rosa/images.go

@@ -1,6 +1,9 @@
 package rosa
 
-import "hakurei.app/internal/pkg"
+import (
+	"hakurei.app/container/fhs"
+	"hakurei.app/internal/pkg"
+)
 
 func init() {
 	artifactsM[EarlyInit] = Metadata{
@@ -24,12 +27,36 @@ echo
 	}
 }
 
+func (t Toolchain) newImageSystem() (pkg.Artifact, string) {
+	return t.New("system.img", TNoToolchain, t.AppendPresets(nil,
+		SquashfsTools,
+	), nil, nil, `
+mksquashfs /mnt/system /work/system.img
+`, pkg.Path(fhs.AbsRoot.Append("mnt"), false, t.AppendPresets(nil,
+		Musl,
+		Mksh,
+		Toybox,
+
+		Kmod,
+		Kernel,
+		Firmware,
+	)...)), Unversioned
+}
+func init() {
+	artifactsM[ImageSystem] = Metadata{
+		Name:        "system-image",
+		Description: "Rosa OS system image",
+
+		f: Toolchain.newImageSystem,
+	}
+}
+
 func (t Toolchain) newImageInitramfs() (pkg.Artifact, string) {
-	return t.New("initramfs", TNoToolchain, []pkg.Artifact{
-		t.Load(Zstd),
-		t.Load(EarlyInit),
-		t.Load(GenInitCPIO),
-	}, nil, nil, `
+	return t.New("initramfs", TNoToolchain, t.AppendPresets(nil,
+		Zstd,
+		EarlyInit,
+		GenInitCPIO,
+	), nil, nil, `
 gen_init_cpio -t 4294967295 -c /usr/src/initramfs | zstd > /work/initramfs.zst
 `, pkg.Path(AbsUsrSrc.Append("initramfs"), false, pkg.NewFile("initramfs", []byte(`
 dir /dev 0755 0 0

internal/rosa/kernel.go

@@ -1246,13 +1246,9 @@ rm -v /work/system/lib/modules/` + kernelVersion + `/build
 		Python,
 
 		XZ,
-		Zlib,
 		Gzip,
-		Bzip2,
-		Zstd,
 		Kmod,
 		Elfutils,
-		OpenSSL,
 		UtilLinux,
 		KernelHeaders,
 	), kernelVersion
@@ -1286,8 +1282,8 @@ func init() {
 
 func (t Toolchain) newFirmware() (pkg.Artifact, string) {
 	const (
-		version  = "20260221"
-		checksum = "vTENPW5rZ6yLVq7YKDLHkCVgKXvwUWigEx7T4LcxoKeBVYIyf1_sEExeV4mo-e46"
+		version  = "20260309"
+		checksum = "M1az8BxSiOEH3LA11Trc5VAlakwAHhP7-_LKWg6k-SVIzU3xclMDO4Tiujw1gQrC"
 	)
 	return t.NewPackage("firmware", version, pkg.NewHTTPGetTar(
 		nil, "https://gitlab.com/kernel-firmware/linux-firmware/-/"+
@@ -1315,9 +1311,7 @@ func (t Toolchain) newFirmware() (pkg.Artifact, string) {
 		SkipCheck: true, // requires pre-commit
 		Install:   `make "-j$(nproc)" DESTDIR=/work/system dedup`,
 	},
-		Perl,
 		Parallel,
-		Nettle,
 		Rdfind,
 		Zstd,
 		Findutils,

internal/rosa/kernel_amd64.config

@@ -2,15 +2,15 @@
 # Automatically generated file; DO NOT EDIT.
 # Linux/x86 6.12.76 Kernel Configuration
 #
-CONFIG_CC_VERSION_TEXT="clang version 22.1.0"
+CONFIG_CC_VERSION_TEXT="clang version 22.1.1"
 CONFIG_GCC_VERSION=0
 CONFIG_CC_IS_CLANG=y
-CONFIG_CLANG_VERSION=220100
+CONFIG_CLANG_VERSION=220101
 CONFIG_AS_IS_LLVM=y
-CONFIG_AS_VERSION=220100
+CONFIG_AS_VERSION=220101
 CONFIG_LD_VERSION=0
 CONFIG_LD_IS_LLD=y
-CONFIG_LLD_VERSION=220100
+CONFIG_LLD_VERSION=220101
 CONFIG_RUSTC_VERSION=0
 CONFIG_RUSTC_LLVM_VERSION=0
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y
@@ -2402,7 +2402,7 @@ CONFIG_PREVENT_FIRMWARE_BUILD=y
 #
 # Firmware loader
 #
-CONFIG_FW_LOADER=m
+CONFIG_FW_LOADER=y
 CONFIG_FW_LOADER_DEBUG=y
 CONFIG_FW_LOADER_PAGED_BUF=y
 CONFIG_FW_LOADER_SYSFS=y
@@ -2749,7 +2749,7 @@ CONFIG_BLK_DEV_NULL_BLK=m
 CONFIG_BLK_DEV_FD=m
 # CONFIG_BLK_DEV_FD_RAWCMD is not set
 CONFIG_CDROM=m
-CONFIG_BLK_DEV_PCIESSD_MTIP32XX=m
+CONFIG_BLK_DEV_PCIESSD_MTIP32XX=y
 CONFIG_ZRAM=m
 # CONFIG_ZRAM_BACKEND_LZ4 is not set
 # CONFIG_ZRAM_BACKEND_LZ4HC is not set
@@ -2775,9 +2775,9 @@ CONFIG_CDROM_PKTCDVD=m
 CONFIG_CDROM_PKTCDVD_BUFFERS=8
 # CONFIG_CDROM_PKTCDVD_WCACHE is not set
 CONFIG_ATA_OVER_ETH=m
-CONFIG_XEN_BLKDEV_FRONTEND=m
-CONFIG_XEN_BLKDEV_BACKEND=m
-CONFIG_VIRTIO_BLK=m
+CONFIG_XEN_BLKDEV_FRONTEND=y
+# CONFIG_XEN_BLKDEV_BACKEND is not set
+CONFIG_VIRTIO_BLK=y
 CONFIG_BLK_DEV_RBD=m
 CONFIG_BLK_DEV_UBLK=m
 CONFIG_BLKDEV_UBLK_LEGACY_OPCODES=y
@@ -2788,13 +2788,12 @@ CONFIG_BLK_DEV_RNBD_SERVER=m
 #
 # NVME Support
 #
-CONFIG_NVME_KEYRING=m
-CONFIG_NVME_AUTH=m
-CONFIG_NVME_CORE=m
-CONFIG_BLK_DEV_NVME=m
+CONFIG_NVME_KEYRING=y
+CONFIG_NVME_AUTH=y
+CONFIG_NVME_CORE=y
+CONFIG_BLK_DEV_NVME=y
 CONFIG_NVME_MULTIPATH=y
 # CONFIG_NVME_VERBOSE_ERRORS is not set
-CONFIG_NVME_HWMON=y
 CONFIG_NVME_FABRICS=m
 CONFIG_NVME_RDMA=m
 CONFIG_NVME_FC=m
@@ -2911,10 +2910,10 @@ CONFIG_KEBA_CP500=m
 #
 # SCSI device support
 #
-CONFIG_SCSI_MOD=m
+CONFIG_SCSI_MOD=y
 CONFIG_RAID_ATTRS=m
-CONFIG_SCSI_COMMON=m
-CONFIG_SCSI=m
+CONFIG_SCSI_COMMON=y
+CONFIG_SCSI=y
 CONFIG_SCSI_DMA=y
 CONFIG_SCSI_NETLINK=y
 CONFIG_SCSI_PROC_FS=y
@@ -2922,7 +2921,7 @@ CONFIG_SCSI_PROC_FS=y
 #
 # SCSI support type (disk, tape, CD-ROM)
 #
-CONFIG_BLK_DEV_SD=m
+CONFIG_BLK_DEV_SD=y
 CONFIG_CHR_DEV_ST=m
 CONFIG_BLK_DEV_SR=m
 CONFIG_CHR_DEV_SG=m
@@ -3042,7 +3041,7 @@ CONFIG_SCSI_DEBUG=m
 CONFIG_SCSI_PMCRAID=m
 CONFIG_SCSI_PM8001=m
 CONFIG_SCSI_BFA_FC=m
-CONFIG_SCSI_VIRTIO=m
+CONFIG_SCSI_VIRTIO=y
 CONFIG_SCSI_CHELSIO_FCOE=m
 CONFIG_SCSI_LOWLEVEL_PCMCIA=y
 CONFIG_PCMCIA_AHA152X=m
@@ -3052,7 +3051,7 @@ CONFIG_PCMCIA_SYM53C500=m
 # CONFIG_SCSI_DH is not set
 # end of SCSI device support
 
-CONFIG_ATA=m
+CONFIG_ATA=y
 CONFIG_SATA_HOST=y
 CONFIG_PATA_TIMINGS=y
 CONFIG_ATA_VERBOSE_ERROR=y
@@ -3064,39 +3063,39 @@ CONFIG_SATA_PMP=y
 #
 # Controllers with non-SFF native interface
 #
-CONFIG_SATA_AHCI=m
+CONFIG_SATA_AHCI=y
 CONFIG_SATA_MOBILE_LPM_POLICY=3
-CONFIG_SATA_AHCI_PLATFORM=m
-CONFIG_AHCI_DWC=m
-CONFIG_AHCI_CEVA=m
+CONFIG_SATA_AHCI_PLATFORM=y
+CONFIG_AHCI_DWC=y
+CONFIG_AHCI_CEVA=y
 CONFIG_SATA_INIC162X=m
-CONFIG_SATA_ACARD_AHCI=m
-CONFIG_SATA_SIL24=m
+CONFIG_SATA_ACARD_AHCI=y
+CONFIG_SATA_SIL24=y
 CONFIG_ATA_SFF=y
 
 #
 # SFF controllers with custom DMA interface
 #
-CONFIG_PDC_ADMA=m
-CONFIG_SATA_QSTOR=m
+CONFIG_PDC_ADMA=y
+CONFIG_SATA_QSTOR=y
 CONFIG_SATA_SX4=m
 CONFIG_ATA_BMDMA=y
 
 #
 # SATA SFF controllers with BMDMA
 #
-CONFIG_ATA_PIIX=m
-CONFIG_SATA_DWC=m
+CONFIG_ATA_PIIX=y
+CONFIG_SATA_DWC=y
 # CONFIG_SATA_DWC_OLD_DMA is not set
-CONFIG_SATA_MV=m
-CONFIG_SATA_NV=m
-CONFIG_SATA_PROMISE=m
-CONFIG_SATA_SIL=m
-CONFIG_SATA_SIS=m
-CONFIG_SATA_SVW=m
-CONFIG_SATA_ULI=m
-CONFIG_SATA_VIA=m
-CONFIG_SATA_VITESSE=m
+CONFIG_SATA_MV=y
+CONFIG_SATA_NV=y
+CONFIG_SATA_PROMISE=y
+CONFIG_SATA_SIL=y
+CONFIG_SATA_SIS=y
+CONFIG_SATA_SVW=y
+CONFIG_SATA_ULI=y
+CONFIG_SATA_VIA=y
+CONFIG_SATA_VITESSE=y
 
 #
 # PATA SFF controllers with BMDMA
@@ -3130,7 +3129,7 @@ CONFIG_PATA_RDC=m
 CONFIG_PATA_SCH=m
 CONFIG_PATA_SERVERWORKS=m
 CONFIG_PATA_SIL680=m
-CONFIG_PATA_SIS=m
+CONFIG_PATA_SIS=y
 CONFIG_PATA_TOSHIBA=m
 CONFIG_PATA_TRIFLEX=m
 CONFIG_PATA_VIA=m
@@ -3172,8 +3171,8 @@ CONFIG_PATA_PARPORT_ON26=m
 #
 # Generic fallback / legacy drivers
 #
-CONFIG_PATA_ACPI=m
-CONFIG_ATA_GENERIC=m
+CONFIG_PATA_ACPI=y
+CONFIG_ATA_GENERIC=y
 CONFIG_PATA_LEGACY=m
 CONFIG_MD=y
 CONFIG_BLK_DEV_MD=m
@@ -9621,11 +9620,11 @@ CONFIG_EFI_SECRET=m
 CONFIG_SEV_GUEST=m
 CONFIG_TDX_GUEST_DRIVER=m
 CONFIG_VIRTIO_ANCHOR=y
-CONFIG_VIRTIO=m
-CONFIG_VIRTIO_PCI_LIB=m
-CONFIG_VIRTIO_PCI_LIB_LEGACY=m
+CONFIG_VIRTIO=y
+CONFIG_VIRTIO_PCI_LIB=y
+CONFIG_VIRTIO_PCI_LIB_LEGACY=y
 CONFIG_VIRTIO_MENU=y
-CONFIG_VIRTIO_PCI=m
+CONFIG_VIRTIO_PCI=y
 CONFIG_VIRTIO_PCI_ADMIN_LEGACY=y
 CONFIG_VIRTIO_PCI_LEGACY=y
 CONFIG_VIRTIO_VDPA=m

internal/rosa/kernel_arm64.config

@@ -2,15 +2,15 @@
 # Automatically generated file; DO NOT EDIT.
 # Linux/arm64 6.12.76 Kernel Configuration
 #
-CONFIG_CC_VERSION_TEXT="clang version 22.1.0"
+CONFIG_CC_VERSION_TEXT="clang version 22.1.1"
 CONFIG_GCC_VERSION=0
 CONFIG_CC_IS_CLANG=y
-CONFIG_CLANG_VERSION=220100
+CONFIG_CLANG_VERSION=220101
 CONFIG_AS_IS_LLVM=y
-CONFIG_AS_VERSION=220100
+CONFIG_AS_VERSION=220101
 CONFIG_LD_VERSION=0
 CONFIG_LD_IS_LLD=y
-CONFIG_LLD_VERSION=220100
+CONFIG_LLD_VERSION=220101
 CONFIG_RUSTC_VERSION=0
 CONFIG_RUSTC_LLVM_VERSION=0
 CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y
@@ -2384,7 +2384,7 @@ CONFIG_PREVENT_FIRMWARE_BUILD=y
 #
 # Firmware loader
 #
-CONFIG_FW_LOADER=m
+CONFIG_FW_LOADER=y
 CONFIG_FW_LOADER_DEBUG=y
 CONFIG_FW_LOADER_PAGED_BUF=y
 CONFIG_FW_LOADER_SYSFS=y
@@ -2849,8 +2849,8 @@ CONFIG_CDROM_PKTCDVD=m
 CONFIG_CDROM_PKTCDVD_BUFFERS=8
 # CONFIG_CDROM_PKTCDVD_WCACHE is not set
 CONFIG_ATA_OVER_ETH=m
-CONFIG_XEN_BLKDEV_FRONTEND=m
-CONFIG_XEN_BLKDEV_BACKEND=m
+CONFIG_XEN_BLKDEV_FRONTEND=y
+# CONFIG_XEN_BLKDEV_BACKEND is not set
 CONFIG_VIRTIO_BLK=m
 CONFIG_BLK_DEV_RBD=m
 CONFIG_BLK_DEV_UBLK=m
@@ -2862,13 +2862,12 @@ CONFIG_BLK_DEV_RNBD_SERVER=m
 #
 # NVME Support
 #
-CONFIG_NVME_KEYRING=m
-CONFIG_NVME_AUTH=m
-CONFIG_NVME_CORE=m
-CONFIG_BLK_DEV_NVME=m
+CONFIG_NVME_KEYRING=y
+CONFIG_NVME_AUTH=y
+CONFIG_NVME_CORE=y
+CONFIG_BLK_DEV_NVME=y
 CONFIG_NVME_MULTIPATH=y
 # CONFIG_NVME_VERBOSE_ERRORS is not set
-CONFIG_NVME_HWMON=y
 CONFIG_NVME_FABRICS=m
 CONFIG_NVME_RDMA=m
 CONFIG_NVME_FC=m
@@ -2977,10 +2976,10 @@ CONFIG_KEBA_CP500=m
 #
 # SCSI device support
 #
-CONFIG_SCSI_MOD=m
+CONFIG_SCSI_MOD=y
 CONFIG_RAID_ATTRS=m
-CONFIG_SCSI_COMMON=m
-CONFIG_SCSI=m
+CONFIG_SCSI_COMMON=y
+CONFIG_SCSI=y
 CONFIG_SCSI_DMA=y
 CONFIG_SCSI_NETLINK=y
 CONFIG_SCSI_PROC_FS=y
@@ -2988,7 +2987,7 @@ CONFIG_SCSI_PROC_FS=y
 #
 # SCSI support type (disk, tape, CD-ROM)
 #
-CONFIG_BLK_DEV_SD=m
+CONFIG_BLK_DEV_SD=y
 CONFIG_CHR_DEV_ST=m
 CONFIG_BLK_DEV_SR=m
 CONFIG_CHR_DEV_SG=m
@@ -3108,7 +3107,7 @@ CONFIG_SCSI_DEBUG=m
 CONFIG_SCSI_PMCRAID=m
 CONFIG_SCSI_PM8001=m
 CONFIG_SCSI_BFA_FC=m
-CONFIG_SCSI_VIRTIO=m
+CONFIG_SCSI_VIRTIO=y
 CONFIG_SCSI_CHELSIO_FCOE=m
 CONFIG_SCSI_LOWLEVEL_PCMCIA=y
 CONFIG_PCMCIA_AHA152X=m
@@ -3118,7 +3117,7 @@ CONFIG_PCMCIA_SYM53C500=m
 # CONFIG_SCSI_DH is not set
 # end of SCSI device support
 
-CONFIG_ATA=m
+CONFIG_ATA=y
 CONFIG_SATA_HOST=y
 CONFIG_PATA_TIMINGS=y
 CONFIG_ATA_VERBOSE_ERROR=y
@@ -3130,23 +3129,23 @@ CONFIG_SATA_PMP=y
 #
 # Controllers with non-SFF native interface
 #
-CONFIG_SATA_AHCI=m
+CONFIG_SATA_AHCI=y
 CONFIG_SATA_MOBILE_LPM_POLICY=3
-CONFIG_SATA_AHCI_PLATFORM=m
-CONFIG_AHCI_BRCM=m
-CONFIG_AHCI_DWC=m
+CONFIG_SATA_AHCI_PLATFORM=y
+CONFIG_AHCI_BRCM=y
+CONFIG_AHCI_DWC=y
 CONFIG_AHCI_IMX=m
-CONFIG_AHCI_CEVA=m
-CONFIG_AHCI_MTK=m
-CONFIG_AHCI_MVEBU=m
-CONFIG_AHCI_SUNXI=m
-CONFIG_AHCI_TEGRA=m
+CONFIG_AHCI_CEVA=y
+CONFIG_AHCI_MTK=y
+CONFIG_AHCI_MVEBU=y
+CONFIG_AHCI_SUNXI=y
+CONFIG_AHCI_TEGRA=y
 CONFIG_AHCI_XGENE=m
-CONFIG_AHCI_QORIQ=m
-CONFIG_SATA_AHCI_SEATTLE=m
+CONFIG_AHCI_QORIQ=y
+CONFIG_SATA_AHCI_SEATTLE=y
 CONFIG_SATA_INIC162X=m
-CONFIG_SATA_ACARD_AHCI=m
-CONFIG_SATA_SIL24=m
+CONFIG_SATA_ACARD_AHCI=y
+CONFIG_SATA_SIL24=y
 CONFIG_ATA_SFF=y
 
 #
@@ -3160,19 +3159,19 @@ CONFIG_ATA_BMDMA=y
 #
 # SATA SFF controllers with BMDMA
 #
-CONFIG_ATA_PIIX=m
-CONFIG_SATA_DWC=m
+CONFIG_ATA_PIIX=y
+CONFIG_SATA_DWC=y
 # CONFIG_SATA_DWC_OLD_DMA is not set
-CONFIG_SATA_MV=m
-CONFIG_SATA_NV=m
-CONFIG_SATA_PROMISE=m
-CONFIG_SATA_RCAR=m
-CONFIG_SATA_SIL=m
-CONFIG_SATA_SIS=m
-CONFIG_SATA_SVW=m
-CONFIG_SATA_ULI=m
-CONFIG_SATA_VIA=m
-CONFIG_SATA_VITESSE=m
+CONFIG_SATA_MV=y
+CONFIG_SATA_NV=y
+CONFIG_SATA_PROMISE=y
+CONFIG_SATA_RCAR=y
+CONFIG_SATA_SIL=y
+CONFIG_SATA_SIS=y
+CONFIG_SATA_SVW=y
+CONFIG_SATA_ULI=y
+CONFIG_SATA_VIA=y
+CONFIG_SATA_VITESSE=y
 
 #
 # PATA SFF controllers with BMDMA
@@ -3207,7 +3206,7 @@ CONFIG_PATA_RDC=m
 CONFIG_PATA_SCH=m
 CONFIG_PATA_SERVERWORKS=m
 CONFIG_PATA_SIL680=m
-CONFIG_PATA_SIS=m
+CONFIG_PATA_SIS=y
 CONFIG_PATA_TOSHIBA=m
 CONFIG_PATA_TRIFLEX=m
 CONFIG_PATA_VIA=m
@@ -3249,8 +3248,8 @@ CONFIG_PATA_PARPORT_ON26=m
 #
 # Generic fallback / legacy drivers
 #
-CONFIG_PATA_ACPI=m
-CONFIG_ATA_GENERIC=m
+CONFIG_PATA_ACPI=y
+CONFIG_ATA_GENERIC=y
 CONFIG_PATA_LEGACY=m
 CONFIG_MD=y
 CONFIG_BLK_DEV_MD=m
@@ -10436,11 +10435,11 @@ CONFIG_VMGENID=m
 CONFIG_NITRO_ENCLAVES=m
 CONFIG_ARM_PKVM_GUEST=y
 CONFIG_VIRTIO_ANCHOR=y
-CONFIG_VIRTIO=m
-CONFIG_VIRTIO_PCI_LIB=m
-CONFIG_VIRTIO_PCI_LIB_LEGACY=m
+CONFIG_VIRTIO=y
+CONFIG_VIRTIO_PCI_LIB=y
+CONFIG_VIRTIO_PCI_LIB_LEGACY=y
 CONFIG_VIRTIO_MENU=y
-CONFIG_VIRTIO_PCI=m
+CONFIG_VIRTIO_PCI=y
 CONFIG_VIRTIO_PCI_LEGACY=y
 CONFIG_VIRTIO_VDPA=m
 CONFIG_VIRTIO_PMEM=m

internal/rosa/kmod.go

@@ -39,6 +39,12 @@ func init() {
 		Description: "a set of tools to handle common tasks with Linux kernel modules",
 		Website:     "https://git.kernel.org/pub/scm/utils/kernel/kmod/kmod.git",
 
+		Dependencies: P{
+			Zlib,
+			Zstd,
+			OpenSSL,
+		},
+
 		ID: 1517,
 	}
 }

internal/rosa/libgd.go

@@ -31,6 +31,10 @@ func init() {
 		Description: "an open source code library for the dynamic creation of images",
 		Website:     "https://libgd.github.io/",
 
+		Dependencies: P{
+			Zlib,
+		},
+
 		ID: 880,
 	}
 }

internal/rosa/libxslt.go

@@ -23,7 +23,6 @@ func (t Toolchain) newLibxslt() (pkg.Artifact, string) {
 		SkipCheck: true,
 	},
 		XZ,
-		Zlib,
 		Python,
 		PkgConfig,
 
@@ -38,6 +37,10 @@ func init() {
 		Description: "an XSLT processor based on libxml2",
 		Website:     "https://gitlab.gnome.org/GNOME/libxslt/",
 
+		Dependencies: P{
+			Libxml2,
+		},
+
 		ID: 13301,
 	}
 }

internal/rosa/llvm.go

@@ -73,14 +73,8 @@ func llvmFlagName(flag int) string {
 	}
 }
 
-const (
-	llvmVersionMajor = "22"
-	llvmVersion      = llvmVersionMajor + ".1.0"
-)
-
 // newLLVMVariant returns a [pkg.Artifact] containing a LLVM variant.
 func (t Toolchain) newLLVMVariant(variant string, attr *llvmAttr) pkg.Artifact {
-	const checksum = "-_Tu5Lt8xkWoxm2VDVV7crh0WqZQbbblN3fYamMdPTDSy_54FAkD2ii7afSymPVV"
 
 	if attr == nil {
 		panic("LLVM attr must be non-nil")
@@ -169,7 +163,7 @@ ln -s ld.lld /work/system/bin/ld
 	return t.NewPackage("llvm", llvmVersion, pkg.NewHTTPGetTar(
 		nil, "https://github.com/llvm/llvm-project/archive/refs/tags/"+
 			"llvmorg-"+llvmVersion+".tar.gz",
-		mustDecode(checksum),
+		mustDecode(llvmChecksum),
 		pkg.TarGzip,
 	), &PackageAttr{
 		Patches:   attr.patches,
@@ -189,8 +183,6 @@ ln -s ld.lld /work/system/bin/ld
 		Append: cmakeAppend,
 		Script: script + attr.script,
 	},
-		Zlib,
-		Libffi,
 		Python,
 		Perl,
 		Diffutils,
@@ -318,7 +310,7 @@ ln -s clang++ /work/system/bin/c++
 ninja check-all
 `,
 
-		patches: [][2]string{
+		patches: slices.Concat([][2]string{
 			{"add-rosa-vendor", `diff --git a/llvm/include/llvm/TargetParser/Triple.h b/llvm/include/llvm/TargetParser/Triple.h
 index 9c83abeeb3b1..5acfe5836a23 100644
 --- a/llvm/include/llvm/TargetParser/Triple.h
@@ -490,7 +482,7 @@ index 64324a3f8b01..15ce70b68217 100644
                                     "/System/Library/Frameworks"};
  
 `},
-		},
+		}, clangPatches),
 	})
 
 	return

internal/rosa/llvm_amd64.go

@@ -0,0 +1,4 @@
+package rosa
+
+// clangPatches are patches applied to the LLVM source tree for building clang.
+var clangPatches [][2]string

internal/rosa/llvm_arm64.go

@@ -0,0 +1,12 @@
+package rosa
+
+// clangPatches are patches applied to the LLVM source tree for building clang.
+var clangPatches [][2]string
+
+// one version behind, latest fails 5 tests with 2 flaky on arm64
+const (
+	llvmVersionMajor = "21"
+	llvmVersion      = llvmVersionMajor + ".1.8"
+
+	llvmChecksum = "8SUpqDkcgwOPsqHVtmf9kXfFeVmjVxl4LMn-qSE1AI_Xoeju-9HaoPNGtidyxyka"
+)

internal/rosa/llvm_latest.go

@@ -0,0 +1,11 @@
+//go:build !arm64
+
+package rosa
+
+// latest version of LLVM, conditional to temporarily avoid broken new releases
+const (
+	llvmVersionMajor = "22"
+	llvmVersion      = llvmVersionMajor + ".1.1"
+
+	llvmChecksum = "bQvV6D8AZvQykg7-uQb_saTbVavnSo1ykNJ3g57F5iE-evU3HuOYtcRnVIXTK76e"
+)

internal/rosa/meson.go

@@ -38,6 +38,13 @@ func init() {
 		Description: "an open source build system",
 		Website:     "https://mesonbuild.com/",
 
+		Dependencies: P{
+			Python,
+			PkgConfig,
+			CMake,
+			Ninja,
+		},
+
 		ID: 6472,
 	}
 }
@@ -66,15 +73,7 @@ func (*MesonHelper) name(name, version string) string {
 
 // extra returns hardcoded meson runtime dependencies.
 func (*MesonHelper) extra(int) []PArtifact {
-	return []PArtifact{
-		Zlib,
-		Python,
-		Meson,
-		Ninja,
-
-		PkgConfig,
-		CMake,
-	}
+	return []PArtifact{Meson}
 }
 
 // wantsChmod returns false.

internal/rosa/musl-fts.go

@@ -19,9 +19,6 @@ func (t Toolchain) newMuslFts() (pkg.Artifact, string) {
 	}, &MakeHelper{
 		Generate: "./bootstrap.sh",
 	},
-		M4,
-		Perl,
-		Autoconf,
 		Automake,
 		Libtool,
 		PkgConfig,

internal/rosa/musl-obstack.go

@@ -19,9 +19,6 @@ func (t Toolchain) newMuslObstack() (pkg.Artifact, string) {
 	}, &MakeHelper{
 		Generate: "./bootstrap.sh",
 	},
-		M4,
-		Perl,
-		Autoconf,
 		Automake,
 		Libtool,
 		PkgConfig,

internal/rosa/nettle.go

@@ -26,6 +26,10 @@ func init() {
 		Description: "a low-level cryptographic library",
 		Website:     "https://www.lysator.liu.se/~nisse/nettle/",
 
+		Dependencies: P{
+			GMP,
+		},
+
 		ID: 2073,
 	}
 }

internal/rosa/nss.go

@@ -75,6 +75,10 @@ func init() {
 		Description: "Network Security Services",
 		Website:     "https://firefox-source-docs.mozilla.org/security/nss/index.html",
 
+		Dependencies: P{
+			Zlib,
+		},
+
 		ID: 2503,
 	}
 }
@@ -92,14 +96,12 @@ func init() {
 }
 
 func (t Toolchain) newNSSCACert() (pkg.Artifact, string) {
-	return t.New("nss-cacert", 0, []pkg.Artifact{
-		t.Load(Zlib),
-		t.Load(Bash),
-		t.Load(Python),
+	return t.New("nss-cacert", 0, t.AppendPresets(nil,
+		Bash,
 
-		t.Load(NSS),
-		t.Load(buildcatrust),
-	}, nil, nil, `
+		NSS,
+		buildcatrust,
+	), nil, nil, `
 mkdir -p /work/system/etc/ssl/{certs/unbundled,certs/hashed,trust-source}
 buildcatrust \
 	--certdata_input /system/nss/certdata.txt \

internal/rosa/perl.go

@@ -8,8 +8,8 @@ import (
 
 func (t Toolchain) newPerl() (pkg.Artifact, string) {
 	const (
-		version  = "5.42.0"
-		checksum = "2KR7Jbpk-ZVn1a30LQRwbgUvg2AXlPQZfzrqCr31qD5-yEsTwVQ_W76eZH-EdxM9"
+		version  = "5.42.1"
+		checksum = "FsJVq5CZFA7nZklfUl1eC6z2ECEu02XaB1pqfHSKtRLZWpnaBjlB55QOhjKpjkQ2"
 	)
 	return t.NewPackage("perl", version, pkg.NewHTTPGetTar(
 		nil, "https://www.cpan.org/src/5.0/perl-"+version+".tar.gz",
@@ -68,14 +68,14 @@ func (t Toolchain) newViaPerlModuleBuild(
 	name, version string,
 	source pkg.Artifact,
 	patches [][2]string,
-	extra ...pkg.Artifact,
+	extra ...PArtifact,
 ) pkg.Artifact {
 	if name == "" || version == "" {
 		panic("names must be non-empty")
 	}
-	return t.New("perl-"+name, 0, slices.Concat(extra, []pkg.Artifact{
-		t.Load(Perl),
-	}), nil, nil, `
+	return t.New("perl-"+name, 0, t.AppendPresets(nil,
+		slices.Concat(P{Perl}, extra)...,
+	), nil, nil, `
 cd /usr/src/`+name+`
 perl Build.PL --prefix=/system
 ./Build build
@@ -105,6 +105,10 @@ func init() {
 		Name:        "perl-Module::Build",
 		Description: "build and install Perl modules",
 		Website:     "https://metacpan.org/release/Module-Build",
+
+		Dependencies: P{
+			Perl,
+		},
 	}
 }
 
@@ -267,6 +271,10 @@ func init() {
 		Name:        "perl-Text::WrapI18N",
 		Description: "line wrapping module",
 		Website:     "https://metacpan.org/release/Text-WrapI18N",
+
+		Dependencies: P{
+			PerlTextCharWidth,
+		},
 	}
 }
 
@@ -313,6 +321,10 @@ func init() {
 		Name:        "perl-Unicode::GCString",
 		Description: "String as Sequence of UAX #29 Grapheme Clusters",
 		Website:     "https://metacpan.org/release/Unicode-LineBreak",
+
+		Dependencies: P{
+			PerlMIMECharset,
+		},
 	}
 }
 

internal/rosa/procps.go

@@ -18,9 +18,6 @@ func (t Toolchain) newProcps() (pkg.Artifact, string) {
 			{"without-ncurses"},
 		},
 	},
-		M4,
-		Perl,
-		Autoconf,
 		Automake,
 		Gettext,
 		Libtool,

internal/rosa/python.go

@@ -53,11 +53,11 @@ func (t Toolchain) newPython() (pkg.Artifact, string) {
 		Check: []string{"test"},
 	},
 		Zlib,
+		Bzip2,
 		Libffi,
+		OpenSSL,
 
 		PkgConfig,
-		OpenSSL,
-		Bzip2,
 		XZ,
 	), version
 }
@@ -69,6 +69,13 @@ func init() {
 		Description: "the Python programming language interpreter",
 		Website:     "https://www.python.org/",
 
+		Dependencies: P{
+			Zlib,
+			Bzip2,
+			Libffi,
+			OpenSSL,
+		},
+
 		ID: 13254,
 	}
 }
@@ -81,15 +88,9 @@ func newViaPip(
 	wname := name + "-" + version + "-" + interpreter + "-" + abi + "-" + platform + ".whl"
 	return Metadata{
 		f: func(t Toolchain) (pkg.Artifact, string) {
-			extraRes := make([]pkg.Artifact, len(extra))
-			for i, p := range extra {
-				extraRes[i] = t.Load(p)
-			}
-
-			return t.New(name+"-"+version, 0, slices.Concat([]pkg.Artifact{
-				t.Load(Zlib),
-				t.Load(Python),
-			}, extraRes), nil, nil, `
+			return t.New(name+"-"+version, 0, t.AppendPresets(nil,
+				slices.Concat(P{Python}, extra)...,
+			), nil, nil, `
 pip3 install \
 	--no-index \
 	--prefix=/system \
@@ -104,18 +105,19 @@ pip3 install \
 		Name:        "python-" + name,
 		Description: description,
 		Website:     "https://pypi.org/project/" + name + "/",
+
+		Dependencies: slices.Concat(P{Python}, extra),
 	}
 }
 
 func (t Toolchain) newSetuptools() (pkg.Artifact, string) {
 	const (
-		version  = "82.0.0"
-		checksum = "K9f8Yi7Gg95zjmQsE1LLw9UBb8NglI6EY6pQpdD6DM0Pmc_Td5w2qs1SMngTI6Jp"
+		version  = "82.0.1"
+		checksum = "nznP46Tj539yqswtOrIM4nQgwLA1h-ApKX7z7ghazROCpyF5swtQGwsZoI93wkhc"
 	)
-	return t.New("setuptools-"+version, 0, []pkg.Artifact{
-		t.Load(Zlib),
-		t.Load(Python),
-	}, nil, nil, `
+	return t.New("setuptools-"+version, 0, t.AppendPresets(nil,
+		Python,
+	), nil, nil, `
 pip3 install \
 	--no-index \
 	--prefix=/system \
@@ -132,10 +134,14 @@ func init() {
 	artifactsM[Setuptools] = Metadata{
 		f: Toolchain.newSetuptools,
 
-		Name:        "setuptools",
+		Name:        "python-setuptools",
 		Description: "the autotools of the Python ecosystem",
 		Website:     "https://pypi.org/project/setuptools/",
 
+		Dependencies: P{
+			Python,
+		},
+
 		ID: 4021,
 	}
 }
@@ -272,8 +278,6 @@ func init() {
 		"https://files.pythonhosted.org/packages/"+
 			"78/55/896b06bf93a49bec0f4ae2a6f1ed12bd05c8860744ac3a70eda041064e4d/",
 		PythonDistlib,
-		PythonFilelock,
-		PythonPlatformdirs,
 		PythonDiscovery,
 	)
 
@@ -288,10 +292,6 @@ func init() {
 		PythonIdentify,
 		PythonNodeenv,
 		PythonPyYAML,
-		PythonDistlib,
-		PythonFilelock,
-		PythonPlatformdirs,
-		PythonDiscovery,
 		PythonVirtualenv,
 	)
 }

internal/rosa/qemu.go

@@ -74,21 +74,16 @@ EOF
 		Bash,
 		Python,
 		Ninja,
-		Bzip2,
 		PkgConfig,
 		Diffutils,
 
 		OpenSSL,
-		Bzip2,
 		XZ,
 
 		Flex,
 		Bison,
 		M4,
 
-		PCRE2,
-		Libffi,
-		Zlib,
 		GLib,
 		Zstd,
 		DTC,
@@ -103,6 +98,11 @@ func init() {
 		Description: "a generic and open source machine emulator and virtualizer",
 		Website:     "https://www.qemu.org/",
 
+		Dependencies: P{
+			GLib,
+			Zstd,
+		},
+
 		ID: 13607,
 	}
 }

internal/rosa/rdfind.go

@@ -28,6 +28,10 @@ func init() {
 		Description: "a program that finds duplicate files",
 		Website:     "https://rdfind.pauldreik.se/",
 
+		Dependencies: P{
+			Nettle,
+		},
+
 		ID: 231641,
 	}
 }

internal/rosa/rosa.go

@@ -8,6 +8,7 @@ import (
 	"slices"
 	"strconv"
 	"strings"
+	"sync"
 
 	"hakurei.app/container/fhs"
 	"hakurei.app/internal/pkg"
@@ -19,6 +20,9 @@ const (
 
 	// kindBusyboxBin is the kind of [pkg.Artifact] of busyboxBin.
 	kindBusyboxBin
+
+	// kindCollection is the kind of [Collect]. It never cures successfully.
+	kindCollection
 )
 
 // mustDecode is like [pkg.MustDecode], but replaces the zero value and prints
@@ -454,6 +458,48 @@ type PackageAttr struct {
 	Flag int
 }
 
+// pa holds whether a [PArtifact] is present.
+type pa = [PresetEnd]bool
+
+// paPool holds addresses of pa.
+var paPool = sync.Pool{New: func() any { return new(pa) }}
+
+// paGet returns the address of a new pa.
+func paGet() *pa { return paPool.Get().(*pa) }
+
+// paPut returns a pa to paPool.
+func paPut(pv *pa) { *pv = pa{}; paPool.Put(pv) }
+
+// appendPreset recursively appends a [PArtifact] and its runtime dependencies.
+func (t Toolchain) appendPreset(
+	a []pkg.Artifact,
+	pv *pa, p PArtifact,
+) []pkg.Artifact {
+	if pv[p] {
+		return a
+	}
+	pv[p] = true
+
+	for _, d := range GetMetadata(p).Dependencies {
+		a = t.appendPreset(a, pv, d)
+	}
+	return append(a, t.Load(p))
+}
+
+// AppendPresets recursively appends multiple [PArtifact] and their runtime
+// dependencies.
+func (t Toolchain) AppendPresets(
+	a []pkg.Artifact,
+	presets ...PArtifact,
+) []pkg.Artifact {
+	pv := paGet()
+	for _, p := range presets {
+		a = t.appendPreset(a, pv, p)
+	}
+	paPut(pv)
+	return a
+}
+
 // NewPackage constructs a [pkg.Artifact] via a build system helper.
 func (t Toolchain) NewPackage(
 	name, version string,
@@ -486,12 +532,14 @@ func (t Toolchain) NewPackage(
 	extraRes := make([]pkg.Artifact, 0, dc)
 	extraRes = append(extraRes, attr.NonStage0...)
 	if !t.isStage0() {
+		pv := paGet()
 		for _, p := range helper.extra(attr.Flag) {
-			extraRes = append(extraRes, t.Load(p))
+			extraRes = t.appendPreset(extraRes, pv, p)
 		}
 		for _, p := range extra {
-			extraRes = append(extraRes, t.Load(p))
+			extraRes = t.appendPreset(extraRes, pv, p)
 		}
+		paPut(pv)
 	}
 
 	var scriptEarly string
@@ -543,3 +591,29 @@ cd '/usr/src/` + name + `/'
 		})...,
 	)
 }
+
+// Collected is returned by [Collect.Cure] to indicate a successful collection.
+type Collected struct{}
+
+// Error returns a constant string to satisfy error, but should never be seen
+// by the user.
+func (Collected) Error() string { return "artifacts successfully collected" }
+
+// Collect implements [pkg.FloodArtifact] to concurrently cure multiple
+// [pkg.Artifact]. It returns [Collected].
+type Collect []pkg.Artifact
+
+// Cure returns [Collected].
+func (*Collect) Cure(*pkg.FContext) error { return Collected{} }
+
+// Kind returns the hardcoded [pkg.Kind] value.
+func (*Collect) Kind() pkg.Kind { return kindCollection }
+
+// Params does not write anything, dependencies are already represented in the header.
+func (*Collect) Params(*pkg.IContext) {}
+
+// Dependencies returns [Collect] as is.
+func (c *Collect) Dependencies() []pkg.Artifact { return *c }
+
+// IsExclusive returns false: Cure is a noop.
+func (*Collect) IsExclusive() bool { return false }

internal/rosa/squashfs.go

@@ -48,6 +48,12 @@ func init() {
 		Description: "tools to create and extract Squashfs filesystems",
 		Website:     "https://github.com/plougher/squashfs-tools",
 
+		Dependencies: P{
+			Zstd,
+			Gzip,
+			Zlib,
+		},
+
 		ID: 4879,
 	}
 }

internal/rosa/tamago.go

@@ -8,13 +8,13 @@ import (
 
 func (t Toolchain) newTamaGo() (pkg.Artifact, string) {
 	const (
-		version  = "1.26.0"
-		checksum = "5XkfbpTpSdPJfwtTfUegfdu4LUy8nuZ7sCondiRIxTJI9eQONi8z_O_dq9yDkjw8"
+		version  = "1.26.1"
+		checksum = "fimZnklQcYWGsTQU8KepLn-yCYaTfNdMI9DCg6NJVQv-3gOJnUEO9mqRCMAHnEXZ"
 	)
-	return t.New("tamago-go"+version, 0, []pkg.Artifact{
-		t.Load(Bash),
-		t.Load(Go),
-	}, nil, []string{
+	return t.New("tamago-go"+version, 0, t.AppendPresets(nil,
+		Bash,
+		Go,
+	), nil, []string{
 		"CC=cc",
 		"GOCACHE=/tmp/gocache",
 	}, `

internal/rosa/unzip.go

@@ -11,10 +11,10 @@ func (t Toolchain) newUnzip() (pkg.Artifact, string) {
 		version  = "6.0"
 		checksum = "fcqjB1IOVRNJ16K5gTGEDt3zCJDVBc7EDSra9w3H93stqkNwH1vaPQs_QGOpQZu1"
 	)
-	return t.New("unzip-"+version, 0, []pkg.Artifact{
-		t.Load(Make),
-		t.Load(Coreutils),
-	}, nil, nil, `
+	return t.New("unzip-"+version, 0, t.AppendPresets(nil,
+		Make,
+		Coreutils,
+	), nil, nil, `
 cd /usr/src/unzip/
 unix/configure
 make -f unix/Makefile generic1

internal/rosa/wayland.go

@@ -42,6 +42,12 @@ func init() {
 		Description: "core Wayland window system code and protocol",
 		Website:     "https://wayland.freedesktop.org/",
 
+		Dependencies: P{
+			Libffi,
+			Libexpat,
+			Libxml2,
+		},
+
 		ID: 10061,
 	}
 }
@@ -112,9 +118,6 @@ GitLab
 		},
 	}, (*MesonHelper)(nil),
 		Wayland,
-		Libffi,
-		Libexpat,
-		Libxml2,
 	), version
 }
 func init() {

internal/rosa/x.go

@@ -40,9 +40,6 @@ func (t Toolchain) newXproto() (pkg.Artifact, string) {
 		// ancient configure script
 		Generate: "autoreconf -if",
 	},
-		M4,
-		Perl,
-		Autoconf,
 		Automake,
 		PkgConfig,
 
@@ -75,9 +72,6 @@ func (t Toolchain) newLibXau() (pkg.Artifact, string) {
 		// ancient configure script
 		Generate: "autoreconf -if",
 	},
-		M4,
-		Perl,
-		Autoconf,
 		Automake,
 		Libtool,
 		PkgConfig,
@@ -94,6 +88,10 @@ func init() {
 		Description: "functions for handling Xauthority files and entries",
 		Website:     "https://gitlab.freedesktop.org/xorg/lib/libxau",
 
+		Dependencies: P{
+			Xproto,
+		},
+
 		ID: 1765,
 	}
 }

internal/rosa/xcb.go

@@ -41,7 +41,6 @@ func (t Toolchain) newXCB() (pkg.Artifact, string) {
 		PkgConfig,
 
 		XCBProto,
-		Xproto,
 		LibXau,
 	), version
 }
@@ -53,6 +52,11 @@ func init() {
 		Description: "The X protocol C-language Binding",
 		Website:     "https://xcb.freedesktop.org/",
 
+		Dependencies: P{
+			XCBProto,
+			LibXau,
+		},
+
 		ID: 1767,
 	}
 }

nixos.nix

@@ -140,6 +140,7 @@ in
                     inherit (dbusConfig) session_bus system_bus;
                     direct_wayland = app.insecureWayland;
                     sched_policy = app.schedPolicy;
+                    sched_priority = app.schedPriority;
 
                     container = {
                       inherit (app)

options.nix

@@ -253,6 +253,13 @@ in
                   The zero value retains the current scheduling policy.
                 '';
               };
+              schedPriority = mkOption {
+                type = nullOr (ints.between 1 99);
+                default = null;
+                description = ''
+                  Scheduling priority to set for the container.
+                '';
+              };
 
               nix = mkEnableOption "nix daemon access";
               mapRealUid = mkEnableOption "mapping to priv-user uid";

package.nix

@@ -30,7 +30,7 @@
 
 buildGo126Module rec {
   pname = "hakurei";
-  version = "0.3.6";
+  version = "0.3.7";
 
   srcFiltered = builtins.path {
     name = "${pname}-src";

test/test.py

@@ -210,10 +210,10 @@ print(machine.succeed('grep "shim: got SIGCONT from unexpected process$" /tmp/sh
 sched_unset = int(machine.succeed("sudo -u alice -i hakurei -v run cat /proc/self/sched | grep '^policy' | tr -d ' ' | cut -d ':' -f 2"))
 if sched_unset != 0:
     raise Exception(f"unexpected unset policy: {sched_unset}")
-sched_idle = int(machine.succeed("sudo -u alice -i hakurei -v run --sched=idle cat /proc/self/sched | grep '^policy' | tr -d ' ' | cut -d ':' -f 2"))
+sched_idle = int(machine.succeed("sudo -u alice -i hakurei -v run --policy=idle cat /proc/self/sched | grep '^policy' | tr -d ' ' | cut -d ':' -f 2"))
 if sched_idle != 5:
     raise Exception(f"unexpected idle policy: {sched_idle}")
-sched_rr = int(machine.succeed("sudo -u alice -i hakurei -v run --sched=rr cat /proc/self/sched | grep '^policy' | tr -d ' ' | cut -d ':' -f 2"))
+sched_rr = int(machine.succeed("sudo -u alice -i hakurei -v run --policy=rr cat /proc/self/sched | grep '^policy' | tr -d ' ' | cut -d ':' -f 2"))
 if sched_rr != 2:
     raise Exception(f"unexpected round-robin policy: {sched_idle}")