= Cerro Torre

image:https://img.shields.io/badge/license-AGPL--3.0-blue.svg[AGPL-3.0,link="https://www.gnu.org/licenses/agpl-3.0"] image:https://img.shields.io/badge/philosophy-Palimpsest-purple.svg[Palimpsest,link="https://github.com/hyperpolymath/palimpsest-licence"]

*Provenance-verified containers from democratically-governed sources.*

Cerro Torre is a supply-chain-verified Linux distribution for containers and immutable systems. It combines formally verified tooling, radical transparency, and cooperative governance — built primarily on Debian's democratically-governed package ecosystem.

The name references Patagonia's most technically demanding peak. Cerro Torre stands for doing things properly: fair means, complete transparency, no shortcuts.

== Why Cerro Torre?

The container base image landscape offers:

- *Alpine*: Minimal and excellent, but limited supply chain transparency
- *Wolfi*: Strong security focus, but governed by a VC-backed company

Cerro Torre offers a third path:

| Principle | What It Means |
|-----------|---------------|
| *Formally Verified* | Core tooling written in Ada/SPARK with machine-checked proofs |
| *Democratically Governed* | Multi-stakeholder cooperative, no corporate parent |
| *Radically Transparent* | Complete cryptographic provenance for every package |
| *Format Agnostic* | Import from Debian, Fedora, Alpine — not locked to any upstream |
| *Ethically Committed* | The Palimpsest Covenant articulates our values |

== Architecture

```
┌─────────────────────────────────────────────────────────────────┐
│                            IMPORTERS                            │
│    ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐           │
│    │ Debian  │  │ Fedora  │  │ Alpine  │  │   Nix   │  ...      │
│    │  .dsc   │  │  SRPM   │  │APKBUILD │  │  .drv   │           │
│    └────┬────┘  └────┬────┘  └────┬────┘  └────┬────┘           │
│         │            │            │            │                │
│         └────────────┴─────┬──────┴────────────┘                │
│                            ▼                                    │
│  ┌───────────────────────────────────────────────────────────┐  │
│  │                CERRO TORRE MANIFEST (.ctp)                │  │
│  │       Declarative · Turing-Incomplete · Verifiable        │  │
│  └─────────────────────────┬─────────────────────────────────┘  │
│                            ▼                                    │
│  ┌───────────────────────────────────────────────────────────┐  │
│  │                 SPARK-VERIFIED BUILD CORE                 │  │
│  │  Cryptographic Ops · Manifest Parsing · Provenance Chain  │  │
│  └─────────────────────────┬─────────────────────────────────┘  │
│                            ▼                                    │
│  ┌───────────────────────────────────────────────────────────┐  │
│  │                       ATTESTATIONS                        │  │
│  │       in-toto · SBOM · Federated Transparency Logs        │  │
│  └─────────────────────────┬─────────────────────────────────┘  │
│                            ▼                                    │
│                            EXPORTERS                            │
│    ┌─────────┐  ┌─────────┐  ┌─────────┐  ┌─────────┐           │
│    │   OCI   │  │ OSTree  │  │  .deb   │  │  .rpm   │           │
│    │ Images  │  │ Commits │  │ Compat  │  │ Compat  │           │
│    └─────────┘  └─────────┘  └─────────┘  └─────────┘           │
└─────────────────────────────────────────────────────────────────┘
```

=== The Manifest Format

Cerro Torre packages are defined in `.ctp` manifest files — a declarative, Turing-incomplete format designed for formal verification. Package definitions cannot contain arbitrary computation, making them analysable and provable.

See [spec/manifest-format.md](spec/manifest-format.md) for the full specification.

=== Import Sources

*Primary: Debian* — Chosen for governance alignment. Debian is genuinely community-governed with constitutional documents, elected leadership, and no corporate owner. Building on democratic foundations matters for a democratically-governed project.

*Secondary: Fedora* — For packages where Fedora's version is better maintained, and for SELinux reference policies.

*Extensible*: The importer architecture allows community contribution of additional sources (Alpine, Nix, Arch, etc.).

=== Security

- *SELinux Enforcing*: First-class SELinux support with auto-generated per-container policies
- *Threshold Signing*: k-of-n keyholders required for releases; no single point of trust
- *Federated Transparency*: Multiple independent log operators; threshold agreement required
- *Reproducible Builds*: Any party can rebuild and verify packages

== Licensing

Cerro Torre tooling is dual-licensed under your choice of:

- *MIT License* — Maximum permissiveness
- *AGPL-3.0-or-later* — Copyleft with network provisions

The *Palimpsest Covenant* travels alongside as a values commitment (not a legal requirement). Community members are encouraged to adopt it.

Packages retain their upstream licenses.

== Governance

Cerro Torre is owned by a multi-stakeholder cooperative with:

- *Maintainer Members*: Active package/infrastructure maintainers (one person, one vote on technical decisions)
- *User Members*: Organisations and individuals using Cerro Torre in production (vote on strategic direction)
- *Asset Lock*: If dissolved, assets go to another cooperative or charity, never to private interests
- *Fork Protection*: Forking is explicitly encouraged; the cooperative exists to be useful, not to control

See [governance/](governance/) for full documentation.

== Project Structure

```
cerro-torre/
├── spec/                      # Specifications
│   ├── manifest-format.md     # .ctp format specification
│   ├── provenance-chain.md    # Attestation requirements
│   └── transparency-log.md    # Federated log protocol
├── governance/                # Cooperative documents
│   ├── articles.md            # Bylaws
│   ├── covenant.md            # Palimpsest Covenant
│   └── decisions/             # Decision records
├── src/                       # Ada/SPARK implementation
│   ├── core/                  # SPARK-verified (crypto, parsing, verification)
│   ├── importers/             # Debian, Fedora, etc.
│   ├── exporters/             # OCI, OSTree, etc.
│   ├── build/                 # Build orchestration
│   └── policy/                # SELinux generation
├── manifests/                 # Package manifests (.ctp)
├── keys/                      # Public keys and policies
└── docs/                      # Documentation
```

== Status

*Phase 0: Foundations* (Current)

- [ ] Manifest format specification
- [ ] Governance documents
- [ ] Ada/SPARK proof of concept
- [ ] Software Freedom Conservancy application

== Getting Involved

Read the [Palimpsest Covenant](governance/covenant.md) first. If those values resonate, see [CONTRIBUTING.md](CONTRIBUTING.md).

== Links

- *Repository*: [GitLab](https://gitlab.com/cerro-torre) (primary), mirrors TBD
- *Governance*: [Cooperative Documents](governance/)
- *Specification*: [Manifest Format](spec/manifest-format.md)
- *Canonical Authority*: [Verification Policy](docs/handovers/)

---

*"Choose Alpine or Cerro Torre — you don't need Wolfi, and you really should demand supply chain transparency."*
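
The threshold rules in the Security list (k-of-n keyholders, threshold agreement among independent log operators) both reduce to counting distinct trusted parties that vouch for the same artifact. The following is an added example, not Cerro Torre code: the operator names, digests, report shape, and the choice to discard an operator that reports two digests for one entry are assumptions, since the log protocol is not specified on this page.

```python
from collections import defaultdict


def quorum_digest(reports, trusted, k):
    """Return the digest vouched for by at least k distinct trusted operators, else None.

    reports: iterable of (operator_id, digest) pairs for one package entry.
    """
    if not 1 <= k <= len(trusted):
        raise ValueError("k must be between 1 and the number of trusted operators")

    seen = defaultdict(set)  # operator -> set of digests it reported
    for operator, digest in reports:
        if operator in trusted:  # reports from unknown operators carry no weight
            seen[operator].add(digest)

    votes = defaultdict(set)  # digest -> operators vouching for it
    for operator, digests in seen.items():
        # Assumption of this example: an operator that reports two different
        # digests for one entry (equivocation) is dropped entirely.
        if len(digests) == 1:
            votes[next(iter(digests))].add(operator)

    winners = [d for d, ops in votes.items() if len(ops) >= k]
    # Two digests can both reach k only when k <= n/2; treat that as a split view.
    return winners[0] if len(winners) == 1 else None


# Constructed sample data (not taken from the project).
TRUSTED = {"log-a", "log-b", "log-c", "log-d", "log-e"}
GOOD = "sha256:1111"
BAD = "sha256:2222"


def demo():
    agreed = quorum_digest(
        [("log-a", GOOD), ("log-b", GOOD), ("log-c", GOOD), ("log-a", GOOD)], TRUSTED, 3)
    padded = quorum_digest(  # repeated and unknown reporters must not inflate the count
        [("log-a", BAD), ("log-a", BAD), ("mallory", BAD), ("log-b", BAD)], TRUSTED, 3)
    equivocating = quorum_digest(
        [("log-a", GOOD), ("log-b", GOOD), ("log-c", GOOD), ("log-c", BAD)], TRUSTED, 3)
    split = quorum_digest(  # k too low for n=5: two disjoint groups both reach k
        [("log-a", GOOD), ("log-b", GOOD), ("log-c", BAD), ("log-d", BAD)], TRUSTED, 2)
    return agreed, padded, equivocating, split


if __name__ == "__main__":
    print(demo())
```

For release signing the same count applies once each signature has been verified against its keyholder's public key; choosing k greater than n/2 rules out the split case by construction.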