Bedrock Linux is a meta Linux distribution which allows users to mix-and-match components from other, typically incompatible distributions. Bedrock integrates these components into one largely cohesive system.

For example, one could have:

• Debian

  's stable coreutils

• Arch

  's cutting edge kernel

• Void

  's runit init system
• A pdf reader with custom patches automatically maintained by

  Gentoo

  's portage
• A font from

  Arch

  's AUR
• Games running against

  Ubuntu

  's libraries
• Business software running against

  CentOS

  's libraries

All at the same time and working together mostly as though they were packaged for the same distribution.

Bedrock Linux 0.7.31 released

2026-01-12

• Added brl-fetch opensuse
• Added brl-import first-class support for docker/podman containers
• Added brl-import support for multi-partition VM images
• Added pmm support for cargo
• Deprecate big-endian 32-bit mips
• Deprecate brl-fetch clear
• Fixed pmm handling of $PATH without Bedrock entries
• Improved etcfs robustness
• Many brl-fetch fixes

Bedrock Linux 0.7.30 released

2024-04-22

• Fixed brl-fetch Void
• Fixed etcfs listxattr read-only requests
• Fixed etcfs statfs on non-directories
• Fixed handling of missing/erroring /etc/profiles

Security alert (xz, CVE-2024-3094)

2024-03-29

A common compression project, xz, appears to have recent releases 5.6.0 and 5.6.1 compromised, tracked as CVE-2024-3094. No stable Bedrock Linux release uses such a new xz build, and we are confident stable channel users remain unaffected.

0.7.30beta1 did build against xz 5.6.1. However:

• The exploit build code is only included in the xz source tarball releases.^[0] Bedrock Linux builds xz from git. We checked for and were unable to find any code path which builds/includes the exploit. We do not believe the exploit was ever built or included in 0.7.30beta1 despite the xz version.

• The exploit appears to depend on glibc's ifunc functionality.^[0] Bedrock Linux builds against musl-libc, which does not offer this functionality, and thus the exploit, were it included, is unlikely to work.

• The exploit appears to explicitly check for known argv[0] such as /usr/sbin/sshd.^[0] While not impossible it, this has yet to be reported to check for the only Bedrock Linux component which is built against xz, kmod.

[0] https://www.openwall.com/lists/oss-security/2024/03/29/4

While we do not believe 0.7.30beta1 users are vulnerable, as a precaution we have pulled the release and push 0.7.30beta2 built against the older xz 5.4.6 and encourage beta channel users to update to it immediately.