void logo void logo

The Void (Linux) distribution

Void is a general purpose operating system, based on the monolithic Linux kernel. Its package system allows you to quickly install, update and remove software; software is provided in binary packages or can be built directly from sources with the help of the XBPS source packages collection.

It is available for a variety of platforms. Software packages can be built natively or cross compiled through the XBPS source packages collection.

Follow us on Twitter, visit the #voidlinux IRC channel on irc.freenode.net, and join the Void Linux subreddit.

Visit the Void build server console for package build status updates.

Contribute to the Void Linux project by adding and updating packages and extending the documentation. More information can be found in the Handbook.


Not a fork!

Void Linux is an independent distribution, developed entirely by volunteers.

Unlike trillions of other existing distros, Void is not a modification of an existing distribution. Void's package manager and build system have been written from scratch.

Stable rolling release

Void focuses on stability, rather than on being bleeding-edge. Install once, update routinely and safely.

Thanks to our continuous build system, new software is built into binary packages as soon as the changes are pushed to the void-packages repository.

runit

We use runit as the init system and service supervisor.

runit is a simple and effective approach to initialize the system with reliable service supervision. Refer to the Void Handbook for an introduction.

C library diversity

Void Linux supports both the musl and GNU libc implementations, patching incompatible software when necessary and working with upstream developers to improve the correctness and portability of their projects.

XBPS

xbps is the native system package manager, written from scratch with a 2-clause BSD license.

XBPS allows you to quickly install/update/remove software in your system and features detection of incompatible shared libraries and dependencies while updating or removing packages (among others). Refer to the Handbook for an overview.

xbps-src

xbps-src is the xbps package builder, written from scratch with a 2-clause BSD license.

This builds the software in containers through the use of Linux namespaces, providing isolation of processes and bind mounts (among others). No root required!

Additionally, xbps-src can build natively or cross compile for the target machine, and supports multiple C libraries (glibc and musl currently).


void-packages changes

xbps changes


March 05, 2021

Friday in the Void: OpenSSL and Kernel Hardening

The previously announced OpenSSL switch is now underway. Because OpenSSL is a dependency of a large number of packages, the full rebuild process is expected to take several days. Syncing between the builders and public repositories has been suspended to ensure that the package tree remains consistent. Consequently, no new package updates will appear until the switch is complete.

Once updates appear, we recommend that you perform a complete system update to simplify the transition. Partial updates are possible, but you will need to manually trace all OpenSSL dependants installed on your system and update them atomically.


Since 2016, the default bootloader configuration in Void Linux has set the Linux kernel command-line options slub_debug=P and page_poison=1 to provide some level of kernel hardening. Kernel series 5.3 and later offer alternative measures init_on_alloc and init_on_free (see this kernel commit).

Void’s kernels come with the init_on_alloc option enabled by default where available (i.e., linux5.4>=5.4.102, linux5.10>=5.10.20 and linux5.11>=5.11.3). In most cases, you should not disable this option, as it has a fairly minimal impact on performance (within 1%). The init_on_free option is more expensive (around 5% on average) and needs to be enabled by hand by passing init_on_free=1 on the kernel command line. Similarly, init_on_alloc can be disabled if needed by passing init_on_alloc=0.

As a consequence of these changes, Void’s default kernel command-line now omits the slub_debug and page_poison options. There is a chance that your existing system still has the old options enabled. They still work in newer kernels, but have a performance impact more in line with init_on_free=1. On older hardware this can be quite noticeable. If you are running a kernel series older than 5.4, you can keep them (or add them) for extra security at the cost of performance; otherwise, you should remove them.


As always, if you experience any issues, feel free to reach out to us! You can open an issue on GitHub or seek help in the #voidlinux channel on https://freenode.net.

February 23, 2021

Switching back to OpenSSL

The Void Linux team is switching back to OpenSSL on March 5th, 2021 (2021-03-05).

For most users, there should be no noticeable change. If you have any packages installed that are no longer provided by Void, or your system has explicit dependencies on LibreSSL, you will of course need to take action to ensure your system continues to function after the switch.

If you experience any issues, feel free to reach out to us! You can open an issue on GitHub or ping us in the #voidlinux channel on https://freenode.net.


A discussion about switching to OpenSSL began in a Request For Comments (RFC) posted on April 12th, 2020, at void-linux/void-packages#20935. Since then, a majority of Void maintainers have expressed support for the move. The main reasons for the switch are as listed in the RFC:

  • Because most software targets OpenSSL, Void will no longer have to maintain (in some cases, very complex) patches to support LibreSSL. The complexity of the OpenSSL API makes such patching burdensome and risky, with mistakes potentially causing runtime errors or security issues - we have avoided those, as far as we know, but this has required a lot of effort.
  • Extensive support for platform specific optimizations outside of x86.
  • Access to new standards and algorithms earlier, such as full TLS 1.3 support.

As a result of the above, the switch to OpenSSL is expected to lessen the time and effort spent on packages that require an OpenSSL-like library. This is especially notable because most other distributions which used LibreSSL have dropped it, so there aren’t as many people amongst whom to distribute the effort.

  • Alpine, which switched to LibreSSL temporarily, switched back to OpenSSL in January 2019, with the 3.9.0 release.
  • More recently, Gentoo, which used to offer LibreSSL as an option, has discontinued that support as well.

For further context, LWN covered the subject of LibreSSL on Linux at the beginning of this year. The article also covers the attention and improvements that the OpenSSL project has received post-Heartbleed, which was one of the main reasons for Void’s initial switch to LibreSSL.

For an example of extra work caused by packages that expect OpenSSL, Void’s version of Qt5 is heavily patched in order to properly support LibreSSL. Furthermore, the just released Qt6 would also need significant effort to be patched and maintained to use LibreSSL, without the possibility of such effort being upstreamed.

At the same time, other software can have limited functionality or hit edge cases when using LibreSSL, due to not being thoroughly tested with it. One example is Python, which is limited in the ciphers available to running programs, since it depends on what the SSL library provides - they are even considering dropping any support for LibreSSL in the future. Another example is OpenVPN, which we have received bug reports for connection issues with LibreSSL (void-linux/void-packages#23413). This required us to switch the package to use Mbed TLS by default, resulting in some limitations to the resulting package. With the switch to OpenSSL, the OpenVPN package will now be provided in the most widely deployed and tested configuration, so similar compatibility hiccups are unlikely to reappear.

Unfortunately, this move has required us to drop some packages that rely on the OpenSSL 1.0.1 API; while LibreSSL maintains compatibility with this legacy API, modern OpenSSL has abandoned it.

One great feature of LibreSSL not offered by OpenSSL is the libtls library, which aims to be a hard to misuse interface for communicating over the web safely, with sane defaults. Some of the packages we ship depend on it, so work has been done to package a standalone version of it in void-linux/void-packages#28732.

The Void Linux team is grateful for the work of the OpenBSD community on libressl-portable, we have greatly benefited from their work. Void continues to package other excellent OpenBSD software, including OpenSSH and signify, which is our tool of choice for signing live images.

In conclusion, we expect our switch to OpenSSL to ease maintenance overhead, provide the same reliable experience to users, and improve functionality in select packages. Look forward to the update landing some time after March 5th!