krypt/sh is a minimal, auditable base. You build on top of it. Nothing is imposed.
~50 battle-tested packages. coreutils, util-linux, musl, runit, etc — each tracked for CVEs and updated fast.
Daemons run without root wherever possible. wpa_supplicant via ambient capabilities. QEMU and Podman fully rootless via passt.
Window managers, not desktop environments. No elogind, PAM, or polkit. KDE and GNOME are out of scope by design. X11 available via community ports.
Written in C. Topological dependency resolution, install-reason tracking, autoremove for orphans, virtual packages via provides=(). No C++, no libarchive abstractions.
Every package built from source via MAKEPKG — a krypt/sh native build file parsed by mkpkg. Landlock LSM lockbox enforces declared dependencies — unprivileged, kernel-enforced. Undeclared deps are a hard error.
Every binary on the system links dynamically against musl. No static blobs, no glibc locale complexity, no NSS. Predictable, auditable, unpatched upstream.
One project from compiler to linker — clang, lld, libc++, libunwind, compiler-rt. No GCC anywhere in the chain, not even as a fallback. Built for x86-64-v3. lld links in parallel — noticeably faster on large ports like Firefox.
OpenBSD's hardened fork of OpenSSL. Stripped of legacy cruft, audited codebase. Not OpenSSL. Not BoringSSL. Not ca-certificates. The entire system TLS stack runs on LibreSSL.
When containers are not enough. Xen dom0 with full domU isolation — each VM in its own hardware-enforced trust boundary. QEMU and Podman for lighter workloads.