Config [[files]] entries for init services used /usr/lib/init.d/ paths,
which get silently overwritten by package staging (Layer 2 over Layer 1).
Per AGENTS.md, config overrides MUST use /etc/init.d/ so the init system's
config_for_dirs() gives them priority over package defaults.
Fixes mini image debug console failure (getty: failed to open TTY
/scheme/fbcon/3: No such file or directory) caused by base package's
31_debug_console.service overwriting minimal.toml's debug scheme override.
The Wayland compositor was commented out, causing the greeter to fail
when trying to launch the UI. With the compositor enabled, the full
greeter flow now works: compositor starts, creates Wayland socket,
greeter UI launches on VT 3, and Qt6 client connects successfully.
MouseTx::handle() treated 0xFE (PS/2 RESEND) as an unknown response,
causing mouse init to fail on hardware where the mouse requests a
resend during the reset/command exchange. Now resends the current
command byte when the mouse returns 0xFE, matching the PS/2 protocol.
Bootloader hardcoded RedoxFS partition offset at 2 MiB, which fails when
efi_partition_size > 1 (redbear-full, redbear-grub use 16 MiB, placing
RedoxFS at LBA 34816 = 17 MiB). Added GPT partition table parser that
scans for Linux filesystem GUID (0FC63DAF) to find the actual offset.
Also removed invalid 'respawn = true' from 31_debug_console.service in
redbear-full.toml — init's service format does not support this field.
Verified: all three ISOs boot in QEMU UEFI and reach login prompt.
Add redbear-usb-storage-check in-guest binary that validates USB mass
storage read and write I/O: discovers /scheme/disk/ devices, writes a
test pattern to sector 2048, reads it back, verifies match, restores
original content. Updates test-usb-storage-qemu.sh with write-proof
verification step.
Includes all accumulated Red Bear OS work: kernel patches, relibc
patches, driver infrastructure, DRM/GPU, KDE recipes, firmware,
validation tooling, build system hardening, and documentation.
5-phase hardening to prevent silent file-layer collisions (the D-Bus
regression class):
Phase 1: lint-config-paths.sh + make lint-config in depends.mk
Phase 2: CollisionTracker in installer (content-hash comparison)
Phase 3: installs manifests in recipe.toml + validate-file-ownership.sh
Phase 4: validate-init-services.sh + make validate in disk.mk
Phase 5: documentation (AGENTS.md, BUILD-SYSTEM-HARDENING-PLAN.md)
Both redbear-mini and redbear-full build and validate clean.
66 declared install paths in base, zero conflicts.
The init system parser (serde deny_unknown_fields) rejects [service]
sections in .target files. The P4-initfs-dbus-services patch was
creating 05_boot_essential.target and 12_boot_late.target with a
no-op [service] section (cmd=/usr/bin/true). Removed those sections
so targets only contain [unit].
This eliminates "unknown field service, expected unit" init warnings
that could prevent proper service dependency resolution.
The [users.root] override in redbear-full.toml only set shell, which
replaced (not merged) the base.toml entry that had uid=0 gid=0
password="password". Without explicit uid/gid, the installer assigned
root UID 1000, causing D-Bus to fail looking up user "root" and
"messagebus" — all D-Bus clients (sessiond, polkit, udisks, upower)
timed out and exited.
Verified: D-Bus daemon starts, polkit registers PolicyKit1, sessiond
registers login1, zero timeouts or retries in QEMU boot.
P1 (ACPI/PCI/xHCI, 11 patches) and P5 (init hardening, 2 patches)
exist in local/patches/base/ but cannot be wired due to conflicts
from redox.patch removal. Documented with # TODO rebase notes
per PATCH-GOVERNANCE.md rules.
Oracle review found 3 gaps. All fixed:
1. Recipe #TODO updated from 'Always-permit stub' to 'Real UID-based policy'
2. init.d/20_polkit.service created
3. redbear-full.toml already has 14_redbear-polkit via [[files]] — verified
P5: redbear-polkit now enforces real authorization:
- is_authorized(uid, action_id) checks UID-based policy
- uid=0 (root) always authorized
- Other users checked against /etc/polkit-1/policy.toml
- Default: deny for unknown actions (fail-closed)
- Backend name changed from 'redbear-permit-all' to 'redbear-uid-policy'
- Default policy grants power/network/storage to root+user(1000)
P3-3: fbcond scrollback is now fully functional:
- text.rs: 1000-line ring buffer captures all console output
- scheme.rs: new Scrollback handle type, path/N/scrollback open
- main.rs: Scrollback match arm in event loop
- Users can read scrollback via:
cat /scheme/fbcon/2/scrollback
19/19 patches. base + base-initfs build.
Fixed common dependency path (../../common → ../common).
Added workspace member entry for drivers/thermald.
thermald now builds as part of base recipe.
19/19 patches. base + base-initfs build.
P3-3: fbcond scrollback — captures last 1000 lines of text output
in ring buffer, exposes via read_scrollback(). Patch created but
needs line number adjustment for clean application.
P3-5: thermal daemon source created at drivers/thermald/. Reads
ACPI thermal zone temperature, logs warnings >65°C, errors >80°C.
Needs Cargo.toml workspace integration and recipe.toml BINS entry.
Part of COMPREHENSIVE-FIX-PLAN-FINAL P3 implementation.
Changed <policy user="root"> to <policy user="0"> in D-Bus
system.conf.in to avoid getpwnam lookup failures on Redox.
Patch written but does not apply yet — tar source extraction
puts files under dbus-1.16.2/ which requires strip=2 or different
path prefix. Left as documented work-in-progress.
D-Bus daemon runs despite cosmetic user lookup warnings.
D-Bus daemon, sessiond, and seatd all running on redbear-full.
User lookup warnings are pre-existing Redox D-Bus config issue
(does not affect functionality).
Bootloader: alloc_zeroed_page_aligned no longer panics on OVMF
AllocatePages failure. Returns null on error.
Cookbook: pkgar falls back to repo/ dir when target pkgar missing.
Resolves KDE build chain failure.
redbear-full: builds 4.0GB image+ISO, boots without crash.
getty converts numeric args to /scheme/fbcon/{N} paths.
Non-numeric args (like ttyS0) are treated as literal paths
which don't exist in Redox. Changed to:
- 29_activate_console: inputd -A 2
- 30_console: getty 2 → /scheme/fbcon/2 (VT2 login)
- 31_debug_console: getty 3 → /scheme/fbcon/3 (VT3 debug)
Serial console (ttyS0) has no standard scheme path in Redox.
Login prompt is on the framebuffer console (requires graphical QEMU
or VNC to view).
Boot process now includes:
- 25_serial_getty.service: getty on serial console (visible in QEMU -nographic)
- 29_activate_console.service: inputd -A 2 (activate VT2)
- 30_console.service: getty on VT2 (framebuffer console)
Fixed hunk counts (7→8, 8→9) for correct patch application.
Services use 'oneshot_async' type for fire-and-forget startup.
ZSH is the default shell for all user accounts (base.toml, mini, full, greeter).
Shell: Changed default shell from ion to zsh for all user accounts
in base.toml, redbear-mini.toml, redbear-full.toml, and greeter config.
zsh 5.9 is already ported and builds (ZSH-PORTING-PLAN — fully implemented).
ion is kept as fallback/alternative.
Cookbook: pkgar staging fallback — when a dependency's target pkgar
doesn't exist, fall back to repo/<target>/<pkg>.pkgar. This fixes the
kf6-kitemviews build failure where libwayland's pkgar was missing from
the target directory.
Consolidated from all audits, QEMU testing, and implementation sessions.
P0: KDE build chain broken — libwayland pkgar staging race in cookbook.
Fix requires investigation of src/cook/package.rs pkgar path lookup.
P1: Graphical boot testing — dbus-daemon, sessiond, compositor, greeter.
P2: 7 remaining gaps — ion shell, shadow support, polkit, scrollback.
Includes cookbook tool investigation areas and total effort estimate
(~12 days per developer).
libwayland stage.pkgar missing when kf6-kitemviews builds during
make live CONFIG_NAME=redbear-full. This is a cookbook pkgar
staging race condition, not a code error.
redbear-mini (text-only) boots fully in QEMU with colored init
output, 25+ services, and login prompt on framebuffer console.
At initfs time, /var/log/ doesn't exist (rootfs not yet mounted).
Changed persistent_log from File to Option<File> with .ok() instead
of .unwrap_or_else(|| panic!()). If the file can't be opened, logging
continues without persistence — no crash.
QEMU verification: system boots through initfs→rootfs→switch_root→userland.
Colored init output visible. 25+ services start successfully.
P2-2: Login rate limiting (userutils/login.rs):
- Tracks consecutive failures, resets on success
- 3+ failures: exponential delay up to 30 seconds
- Applies to both password and blank-password login paths
P2-3: Network stack in initfs (base-initfs + service files):
- Added e1000d, rtl8168d to base-initfs BINS
- 60_smolnetd.service: network stack in initfs
- 61_dhcpd.service: DHCP client in initfs
- Network available before switch_root
Part of COMPREHENSIVE-FIX-AND-IMPROVEMENT-PLAN Phases P2.
Phase B1+B2 from BOOT-PROCESS-AUDIT:
- 45_usbscsid.service: USB mass storage driver in initfs (requires xhcid)
- 30_redox-drm.service: DRM/KMS display driver in initfs (requires hwd+pcid-spawner)
Both condition-architecture-gated to x86/x86_64.
Phase A1 from BOOT-PROCESS-AUDIT. The ACPI shutdown path now:
- Validates PM1a port is non-zero before writing
- Waits 3 seconds for power-off, then retries with PM1b+SLEEP_EN
- Falls back to keyboard controller reset (0x64=0xFE) on failure
- Handles SLP_TYPb correctly
- Removes fragile Pio::new()+write() without validation
logd now writes all log output to /var/log/system.log (5MB auto-rotation)
in addition to existing scheme listeners. Falls back to /tmp/logd-fallback.log
if /var/log is unavailable. Logs survive reboots for post-mortem analysis.
Part of Phase A2 (Boot Reliability) from BOOT-PROCESS-AUDIT-2026-05-03.
The 556MB monolithic redox.patch was impossible to manage, unreviewable,
blocked GitHub pushes, and could only grow. This commit:
- Moves all 64 absorbed patches from absorbed/ to active use in base/
- Removes the absorbed/ directory (consolidation history is now PATCH-HISTORY.md)
- Removes the redox.patch symlink from recipes/core/base/
- Fixes all recipe symlinks to point to active patches (not absorbed/)
- Patches are now individually wired, reviewable, and independently rebasable
The redox.patch mega-file is no longer needed — individual patches
are applied directly from the recipe.toml patches list.
redox.patch is 556MB, exceeding GitHub's 100MB file size limit.
Split into 7 chunks of ~90MB each under local/patches/base/redox-patch-chunks/.
Reassembly script: local/patches/base/reassemble-redox-patch.sh.
Added redox.patch to .gitignore to prevent future push failures.
Build system (src/cook/fetch.rs):
- Atomic patch application: applies patches to staging directory (cp -al),
atomically swaps on success, discards on failure — source tree is never
left in a partially-patched state
- normalize_patch(): strips diff --git/index/new-file-mode headers that the
build system's patch command does not recognize
- cleanup_workspace_pollution(): removes orphaned recipes/Cargo.toml and
recipes/Cargo.lock to prevent workspace conflicts
- Added --allow-protected CLI flag to repo binary
Input stack (local/patches/base/P3-*.patch):
- P3-ps2d-led-feedback: PS/2 LED state handling + InputProducer migration
- P3-inputd-keymap-bridge: InputProducer enum, keymap bridge query
- P3-usbhidd-hardening: HID descriptor validation, static lookup table,
8-button mouse support, transfer retry with exponential backoff
- P3-init-colored-output: ANSI-color coded init daemon output (green OK,
red FAILED, yellow SKIP/WARN)
XKB bridge (local/recipes/system/redbear-keymapd/source/src/xkb.rs):
- Parses X11 xkb/symbols/* format, maps XKB keycodes to PS/2 scancodes,
80+ X11 keysym names to Unicode, 4-level key support
Patch governance (local/patches/base/absorbed/README.md):
- Documents consolidation of P0-P3 patches into redox.patch
vasilito