Release Notes
InterGenOS is built from source, on purpose, so that you run a machine you understand, can modify, and can trust. These release notes record what each version actually ships, so you can verify the system in front of you against a written record.
How release notes are structured
Each released version gets one section, organized the same way every time:
- Highlights — the headline changes that define the release.
- New components — packages, tools, and subsystems added since the previous version.
- Breaking changes — anything that changes existing behavior, on-disk layout, signing trust, or upgrade path. Read this section before you upgrade.
- Other — fixes, documentation, security hardening, and smaller changes that don’t fit the categories above.
InterGenOS follows Semantic Versioning once v1.0 ships.
Until then, development tracks as an unreleased line against the master
branch, and the items staged there ship together at the v1.0 tag.
Current version: 1.0-dev
The current development build identifies as v1.0-dev1. It is pre-release: the
structure below describes what the build produces today. Final per-tier package
counts, the canonical signing-key fingerprint, and the live mirror URL are
fixed at the v1.0 tag, not before.
What the build produces
InterGenOS is assembled by a 20-phase from-source pipeline. The phases run in order:
validate → verify-sources → setup → toolchain → chroot-prep →
chroot-tools → core → config → core-extra → base → kernel →
desktop → ai → extra → bootloader → image → manifest → squashfs →
ukis-verity → iso
A publish step to the binary mirror is optional and runs only on a complete,
signed build.
Packages
Packages are organized into six tiers: toolchain, core, base, desktop,
extra, and ai. As of June 2026 the development line carries roughly 857
packages across those tiers (toolchain ~28, core ~272, base ~23, desktop ~420,
extra ~112, ai ~2). These counts are derived live from the package set and
drift as the build evolves; treat them as a snapshot, not a fixed figure. The
final per-tier numbers are recorded here at the v1.0 release.
What ships today
- Desktop: GNOME 49 on Wayland.
- Package manager:
pkm, the InterGenOS package manager. - Installer: Forge, the native InterGenOS installer. See the Forge guide.
- Trusted boot: a signed Secure Boot chain, dm-verity integrity over the read-only system image, and Unified Kernel Image (UKI) signing.
- InterGen: a tiered, hardware-detected, offline-first local assistant built on Qwen models. It runs on the machine, with zero telemetry, and selects a model tier based on detected hardware.
- InterGen Sentinel: a pluggable security scanner. The default configuration uses Local-Rules and a Local-Qwen model, fully on-device. Six cloud providers are available strictly opt-in: Claude (Anthropic), Gemini (Google), Copilot (Microsoft), ChatGPT (OpenAI), Grok (xAI), and DeepSeek. Routing a scan to a cloud provider is the “Phone-A-Friend” (Frontier/Cloud Escalation) path, and it never engages unless you choose it.
Planned, not yet shipped
The following are on the roadmap and are not part of the current build. They will appear in release notes only once they ship:
- A KDE/Plasma (Qt6) desktop option and switchable desktops.
- Curated application campaigns covering tools such as Kdenlive, OBS, Krita, Blender, FreeCAD, GnuCash, and Boxes.
Work remaining before the v1.0 tag
Tracked items still open ahead of the first tagged release:
- Forge Secure Boot validation on the first bare-metal hardware target.
- Microsoft
shim-reviewsubmission. pkmpackaged as a system tool installable on a fresh target.- Source mirror completion, including the tarball upload path and an upstream version poller.
- Live ISO infrastructure: custom initramfs, squashfs builder, and boot menu.
- The Forge GUI frontend (GTK4 + libadwaita).
- InterGen Tier 1 integration (
intergen-consoleandintergen-daemon). - InterGen Sentinel scanning with the Local-Rules and Local-Qwen defaults.
Security and supply chain
The development line removed PyPI from the build path for the maturin and
python-cryptography packages in response to a 2026 PyPI supply-chain attack
window. Both now build from upstream source tarballs through a reproducible
cargo-vendor pipeline. Vendored Rust crate archives were standardized on the
POSIX pax format to eliminate a class of path-length failures.
When v1.0 ships
The 1.0.0 entry is finalized when v1.0 ships. It will record the complete from-source build chain, the first signed publish to the binary mirror, the signed Secure Boot chain (shim, boot loader, UKI, dm-verity), the local AI assistant (InterGen and InterGen Sentinel), the GNOME 49 Wayland desktop, and the Forge installer flow that the image ships.
Earlier history
Pre-2026 builds from 2015–2016 are archived under the InterGenOS GitHub organization. They are not covered by these release notes. The 2026 work is a from-scratch rewrite and shares no code with the original builds.