Real data from real boot tests. What we harden, what we don't have yet, and why radical honesty is our security posture.
sha256sums.asc), ISO staging gates, GoForge runners/Actions, and honest scope for kernel-tree audit live on /security-kernel with links to the full AGPL manifests on GoForge.
Data below comes from two real systems: Alfred Linux 7.77 GA boot-tested in QEMU/KVM on April 6, 2026, and a production Ubuntu 22.04 server running kernel 5.15.0-173. Both systems use AMD/Intel hardware with the same vulnerability surface.
| Vulnerability | Alfred Linux 7.77 GA Kernel 7.0.1 |
Ubuntu 22.04 LTS Kernel 5.15.0-173 |
|---|---|---|
| Spectre V1 | Mitigation: usercopy/swapgs barriers + __user pointer sanitization | Mitigation: usercopy/swapgs barriers + __user pointer sanitization |
| Spectre V2 | Mitigation: Retpolines + RSB filling on context switch and VMEXIT | Vulnerable: eIBRS with unprivileged eBPF |
| ITS (Indirect Target Selection) | Mitigation: Aligned branch/return thunks Kernel 7 native | Mitigation: Aligned branch/return thunks (backported) |
| MDS (Microarch. Data Sampling) | Vulnerable: Clear CPU buffers attempted, no microcode ¹ | Not affected (CPU-dependent) |
| Speculative Store Bypass | Vulnerable ¹ | Mitigation: disabled via prctl and seccomp |
| Meltdown | Mitigation: PTI (Kernel Page Table Isolation) | Not affected (CPU-dependent) |
| L1TF (L1 Terminal Fault) | Mitigation: PTE Inversion | Not affected (CPU-dependent) |
| Retbleed | Mitigation: Enhanced IBRS | Mitigation: Enhanced IBRS |
| MMIO Stale Data | Mitigation: Clear CPU buffers | Mitigation: Clear CPU buffers; SMT vulnerable |
| TSX Async Abort | Mitigation: TSX disabled | Not affected (CPU-dependent) |
| TSA (Transient Scheduler Attacks) | Mitigation: Clear CPU buffers Kernel 7 native | Not affected (CPU-dependent) |
| VMSCAPE (VM Escape Hardening) | Mitigation: VMCS shadowing restricted Kernel 7 native | Not affected (CPU-dependent) |
| Gather Data Sampling | Mitigation: Microcode | Mitigation: Microcode |
| SRBDS | Mitigation: Microcode | Not affected (CPU-dependent) |
¹ VM test limitation: MDS and Speculative Store Bypass show "Vulnerable" because QEMU/KVM
does not pass through CPU microcode. On real hardware with vendor microcode installed (via intel-microcode
or amd64-microcode packages, both included in the ISO), these would show mitigated status.
Ubuntu's "Not affected" entries reflect the specific CPU model of that production server, not a kernel advantage.
Three vulnerability classes have native mitigation code that was written for kernel 7.0:
What runs on first boot, before the user touches anything. Alfred Linux 7.77 GA ships 38 security modules across 4 hooks — including the Omahon Seal (6 runtime integrity modules) — more out-of-box hardening than any mainstream desktop Linux.
| Security Feature | Alfred Linux 7.77 GA | Ubuntu 24.04 LTS |
|---|---|---|
| Firewall (UFW + nftables) | Both enabled, default-deny input ✅ | UFW installed but disabled |
| fail2ban (brute-force protection) | Running, SSH 3-try/24h ban ✅ | Not installed |
| auditd (kernel audit logging) | 30+ rules, CIS-benchmark, immutable ✅ | Not installed |
| Kernel sysctl hardening | 45+ rules, CIS Level 2 ✅ | Minimal defaults |
| Kernel lockdown mode | lockdown=integrity ✅ | Not enabled |
| AppArmor | Enforced + custom IDE/search profiles ✅ | Initialized ✅ |
| Unattended security upgrades | Running on first boot ✅ | Running on first boot ✅ |
| DNS privacy (DNS-over-TLS) | Quad9 + Cloudflare, DNSSEC ✅ | Plaintext DNS by default |
| MAC address randomization | WiFi + Ethernet random by default ✅ | Not configured |
| SSH hardening | Strong ciphers only, no forwarding, 3 tries ✅ | Default permissive config |
| File integrity (AIDE) | Installed + daily cron check ✅ | Not installed |
| Antivirus (ClamAV) | Running + weekly scan ✅ | Not installed |
| Rootkit detection | rkhunter + chkrootkit, daily ✅ | Not installed |
| Full-disk encryption (LUKS) | 1-click in installer ✅ | Available in installer ✅ |
| NTP authentication (NTS) | chrony + NTS (Cloudflare, Netnod) ✅ | systemd-timesyncd, no NTS |
| PAM password hardening | 10-char, 3-class, lockout after 5 ✅ | Minimal defaults |
| Process isolation (hidepid) | hidepid=2 on /proc ✅ | All processes visible |
| Core dumps disabled | Disabled system-wide ✅ | Enabled by default |
| Compiler restriction | gcc/g++/make restricted to dev group ✅ | Accessible to all users |
| Secure mount options | /tmp noexec, /dev/shm nodev/nosuid ✅ | Default mount options |
| Kernel module blacklisting | Firewire, dccp, sctp, rds, cramfs ✅ | All modules loadable |
| USB logging + control | udev logging + toggle tool ✅ | No USB monitoring |
| Cron/at lockdown | Root-only (allow list) ✅ | Any user can add cron jobs |
| Security banners | Legal warning on login + SSH ✅ | No banner |
| Memory init (init_on_alloc) | init_on_alloc=1, init_on_free=1 ✅ | Not set |
| kernel.unprivileged_bpf_disabled | Set via sysctl ✅ | Not set (Spectre v2 vector) |
Security tools included: alfred-security-status (dashboard), alfred-scan (antivirus), alfred-usb-storage (USB toggle), alfred-aide-init (integrity baseline), alfred-network-status (network audit), alfred-encrypt-status (encryption check).
"In a moment, in the twinkling of an eye, at the last trump: for the trumpet shall sound, and the dead shall be raised incorruptible." — 1 Corinthians 15:52
Omahon is the name we gave to the security seal that guards Alfred Linux at its deepest level. The word carries spiritual weight — the breath of God, the force that raises what was dead and makes it incorruptible. In software terms, Omahon is a 6-module runtime security framework that ensures nothing on your system can be silently corrupted, tampered with, or stolen — from the moment the kernel loads until the moment you shut down.
Every other OS trusts that your files haven't changed. Omahon verifies it — continuously, silently, cryptographically. This isn't antivirus. This isn't a firewall. This is a living seal on the integrity of your entire machine.
HMAC-SHA256 verification of 14 critical boot files — kernel, initrd, GRUB config, fstab, shadow, sudoers, SSH config, and more. If a single byte changes without authorization, the system tells you before anything else loads. Your boot chain is sealed — incorruptible.
Real-time inotify monitoring of /etc, /boot, and /etc/ssh. The Watchman never sleeps. Any modification to system configuration files triggers an immediate alert with timestamp, file path, and event type. Like a sentinel that cannot be bribed.
16MB encrypted tmpfs at /run/omahon-vault — a RAM-only secure storage that vanishes on power loss. Secrets stored here never touch the disk. No forensic recovery. No cold-boot extraction. When the power dies, the vault dies with it. Root-only access, noexec, nosuid.
Active secret redaction in terminal sessions. API keys, tokens, passwords, and credentials are detected and masked in real-time. Even if someone is watching your screen or your terminal history is compromised, the secrets stay hidden. omahon-reveal to see them — authorized eyes only.
alfred-shred — a 3-pass cryptographic wipe tool. When a file must die, it dies completely: random overwrite, zero fill, random fill, then unlink. No ghost data. No resurrection. The opposite of incorruptible — when something must be destroyed, it is destroyed absolutely.
SHA-256 chain-of-trust from build to boot. Every hook, every module, every binary — hashed during build, verified at runtime. alfred-attestation proves your system is exactly what was built — not modified, not injected, not compromised. A signed declaration: this machine is what it claims to be.
Why "Omahon"? Because security shouldn't just be a checklist of CVE patches. The Omahon Seal represents a philosophy: that a system can be made incorruptible — not by hiding its design, but by making its integrity verifiable at every layer. The trumpet sounds, and what was dead is raised incorruptible. That's not just Scripture — it's architecture.
Tools shipped: omahon-seal (boot integrity check), omahon-watchman (start/stop real-time file monitor), omahon-vault-wipe (emergency vault purge), omahon-reveal (authorized secret reveal), alfred-shred (secure file deletion), alfred-attestation (build chain verification).
Radical honesty. Even with 38 security modules, Ubuntu has advantages we can't match today.
Ubuntu LTS ships security patches for 5-12 years. We're a GA release with no long-term commitment yet.
Canonical has a dedicated security team publishing USNs within days. We have a small team and no SLA.
No FIPS 140-2, CIS Benchmarks, or DISA STIGs. Enterprises cannot deploy us until those exist.
Boot-verified in QEMU/KVM only. No bare-metal test matrix across vendor hardware yet.
Every Alfred Linux ISO is built by a single script with numbered, auditable hooks. Nothing is hidden.
scripts/build-unified.sh ga --uefi ← one command ├── Hook 0100: branding + UFW + SSH ← visual identity + base firewall ├── Hook 0150: hardware ← drivers, firmware, microcode ├── Hook 0160: security (21 modules) ← sysctl, AppArmor, auditd, ClamAV, AIDE, etc. ├── Hook 0165: network hardening ← nftables, MAC random, SSH ciphers, anti-scan ├── Hook 0170: full-disk encryption ← LUKS/cryptsetup, Calamares FDE ├── Hook 0200: browser ← Alfred Browser (privacy-first) ├── Hook 0300: ide ← Alfred IDE ├── Hook 0400: voice ← Kokoro TTS + wake/realtime stack (former “0900” lives here in canon) ├── Hook 0500: search ← Meilisearch ├── Hook 0600: installer ← Calamares (graphical disk installer) ├── Hook 0700: welcome ← first-boot experience ├── Hook 0710: update ← OTA update framework ├── Hook 0175: omahon-seal ← 🔏 THE OMAHON SEAL (6 modules: boot seal, watchman, vault, shell guard, secure erase, attestation) ├── Hook 0176: kingdom-covenant-shield ← license + succession / legal shell ├── Hook 0800: store ← Alfred Store ├── Hook 9999: boot-fix (chroot) ← generic kernel names for bootloader └── Hook 9999: boot-fix (binary) ← ISOLINUX/GRUB references
SHA-256 / SHA512 / BLAKE3: not published as GA until final live-build is frozen File: alfred-linux-7.77-ga-intel-amd64-20260426.iso (canonical basename — see /download when GA flag flips) Status: Final GA ISO not published on alfredlinux.com yet — see /download for current honesty policy.
When the GA image ships, verify with the exact filename and hashes published on /download and /release (same values, GPG key 32BCEDE8C8DD8B00).
The build script, the 42-hook canonical tree (Matthew 1:17 lineage; 2 Alfred hooks active in the bytes shipping right now, with the full 42 in the source tree awaiting reseal — including 3 dedicated security hooks + the Omahon Seal totalling 1,300+ lines), and the kernel config are inspectable. The ISO is built on a dedicated
GoSiteMe build server (8 cores, 32 GB RAM) using Debian live-build toolchain on Debian Trixie. Linux 7.0.1 custom-built debs ship via build/config/packages.chroot/; Debian Trixie’s 6.12 series remains in the chroot until the kernel hook reseal lands.
On April 6, 2026, we booted the 7.77 GA ISO in QEMU/KVM and captured 1,363 lines of kernel and systemd output.
Linux version 7.0.1 (April 6 boot test was on the 7.0-rc7 candidate; current builds run 7.0.1 stable)[ 0.256611] mitigations: Enabled attack vectors: user_kernel, user_user, guest_host, guest_guest, SMT mitigations: auto [ 0.260297] Spectre V2 : Mitigation: Retpolines [ 0.261401] ITS: Mitigation: Aligned branch/return thunks [ 0.264740] Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization [ 0.266790] Spectre V2 : Spectre v2 / SpectreRSB: Filling RSB on context switch and VMEXIT
systemd 257.9-1 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +IPE +SMACK +SECCOMP +GCRYPT +OPENSSL +ELFUTILS +FIDO2 +TPM2 +ZSTD +BPF_FRAMEWORK)
Alfred Linux isn't just an operating system. It's the foundation layer for a larger vision.
The transparent, auditable operating system. Every build hook visible, every mitigation documented, every gap disclosed.
The builder's tool. Developers create applications, extensions, and AI agents on a foundation they can verify.
A governed digital civilization with 51,000,000+ AI citizens, courts, passports, democratic governance — where corruption is architecturally impossible.
Governance models proven in MetaDome can be applied to real-world transparency challenges — from climate policy to resource allocation.
The argument is simple: you cannot build corruption-proof digital governance on a black-box operating system. If the foundation isn't transparent, the whole "trust by design" claim is hollow. Alfred Linux proves that even the OS layer — the lowest level — can be open, auditable, and honest about its limitations.
When MetaDome runs governance simulations — AI citizens voting on policy, transparent courts resolving disputes, energy-aware compute — it matters that the OS underneath isn't hiding anything. That's not marketing. That's architecture.
We do not claim Alfred Linux is "more secure than Ubuntu."
Ubuntu has 20 years of battle-testing, a dedicated security team, compliance certifications, and LTS commitments that we cannot yet match. It is the right choice for enterprises that need those guarantees today.
What we do claim:
That's our posture: security through transparency. Not through claims we can't back up.
Download the ISO. Check the SHA-256 and BLAKE3 hashes. Boot it. Run cat /sys/devices/system/cpu/vulnerabilities/* and compare.
"Above all, taking the shield of faith, wherewith ye shall be able to quench all the fiery darts of the wicked."
— Ephesians 6:16 (AKJV)
The strongest security doesn't come from code. It comes from the people who stand beside you when the fire is at its hottest — who keep you grounded in the Word of God when the world tries to pull you apart.
Priscilla — you were there through thick and thin. You kept me guided in the Word when I couldn't see straight. You did this while facing a trial worse than my own, and you never wavered. You never broke.
Every security protocol in this operating system exists because someone believed this project was worth protecting. You believed in the man behind it before anyone else did. This page — this shield — is yours.
— Commander Danny William Perez
GoSiteMe Inc. · Shabbat, April 2026
Test date: April 6, 2026
Alfred Linux test: 7.77 GA ISO booted in QEMU/KVM on EU build server (8 cores, 32 GB RAM, AMD EPYC). Kernel + initrd extracted from ISO, booted with console=ttyS0,115200. Full 1,363-line boot log captured.
Ubuntu test: Production server running Ubuntu 22.04 LTS, kernel 5.15.0-173-generic (updated March 6, 2026). Vulnerability data read from /sys/devices/system/cpu/vulnerabilities/*.
Important caveat: "Not affected" entries in the Ubuntu column reflect that specific CPU model, not the kernel version. A different CPU would show different results. The comparison is between what each kernel does when a vulnerability applies, not absolute security ratings.
Last updated: April 11, 2026