Feature/packages

.github/CODEOWNERS

@@ -0,0 +1,13 @@
+# Default owners
+* @strombetta
+
+# CI / release workflows
+/.github/workflows/ @strombetta
+
+# Build system and scripts
+/Makefile @strombetta
+/Makefile.check @strombetta
+/Makefile.help @strombetta
+/make/ @strombetta
+/scripts/ @strombetta
+/config/ @strombetta

CODE_OF_CONDUCT.md

@@ -0,0 +1,66 @@
+# Code of Conduct
+
+## Our Pledge
+
+We as contributors and maintainers pledge to make participation in this project
+a harassment-free experience for everyone, regardless of age, body size,
+visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity and
+orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment include:
+
+- Demonstrating empathy and kindness toward other people
+- Being respectful of differing opinions, viewpoints, and experiences
+- Giving and gracefully accepting constructive feedback
+- Accepting responsibility and apologizing to those affected by our mistakes
+- Focusing on what is best for the community
+
+Examples of unacceptable behavior include:
+
+- Sexualized language or imagery, and sexual attention or advances
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information without explicit permission
+- Other conduct which could reasonably be considered inappropriate
+
+## Enforcement Responsibilities
+
+Project maintainers are responsible for clarifying and enforcing standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior they deem inappropriate, threatening, offensive, or
+harmful.
+
+## Scope
+
+This Code of Conduct applies within all project spaces and also applies when an
+individual is officially representing the project in public spaces.
+
+## Reporting
+
+Report incidents to the maintainers by contacting the repository owner via the
+email listed on their GitHub profile. If you are unable to use email, open a
+private GitHub discussion (if enabled) or request a private contact channel
+through a maintainer.
+
+We will acknowledge receipt within 5 business days and will keep you informed
+about the process when possible.
+
+## Enforcement Guidelines
+
+Maintainers will follow these Community Impact Guidelines in determining the
+consequences for any action they deem in violation of this Code of Conduct:
+
+1. **Correction**: A private, written warning with clarification.
+2. **Warning**: A formal warning with consequences for continued behavior.
+3. **Temporary Ban**: A temporary ban from participation.
+4. **Permanent Ban**: Permanent removal from the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the Contributor Covenant, version 2.1.
+For details, see:
+https://www.contributor-covenant.org/version/2/1/code_of_conduct.html

MAINTAINERS.md

@@ -0,0 +1,21 @@
+# Maintainers
+
+This document lists the active maintainers for the BugleOS Cross Toolchain
+repository and their areas of responsibility.
+
+## Active Maintainers
+
+- Sebastiano Trombetta (@strombetta) — Lead Maintainer
+  - Toolchain build system (Makefiles, scripts)
+  - Release process and artifacts
+  - CI/CD workflows
+
+## Contact
+
+For questions or support, see SUPPORT.md.
+For security issues, follow SECURITY.md.
+
+## Changes to This File
+
+Updates to this file should be made via pull request and require approval from
+an existing maintainer.

Makefile

@@ -20,8 +20,7 @@
 # SOFTWARE.
 
 include config/paths.mk
-include config/versions.mk
-include make/common.mk
+include make/helpers.mk
 
 ROOT_DIR := $(abspath $(ROOT_DIR))
 
@@ -81,10 +80,10 @@ clean-binutils: clean-gcc ## Remove binutils build directories
 	$(call do_clean,binutils)
 	$(call do_safe_remove,$(BINUTILS1_BUILD_DIR))
 	$(call do_safe_remove,$(BINUTILS2_BUILD_DIR))
-	$(call do_safe_remove,$(BINUTILS_SRC_DIR))
-	$(call do_safe_remove,$(BINUTILS_STAMP))
-	$(call do_safe_remove,$(BINUTILS_ARCHIVE))
-	$(call do_safe_remove,$(DOWNLOADS_DIR)/binutils-$(BINUTILS_VERSION).tar.xz.sig)
+	$(call do_safe_remove_glob,$(SOURCES_DIR),binutils-*)
+	$(call do_safe_remove_glob,$(DOWNLOADS_DIR),.binutils-*-verified)
+	$(call do_safe_remove_glob,$(DOWNLOADS_DIR),binutils-*.tar.xz)
+	$(call do_safe_remove_glob,$(DOWNLOADS_DIR),binutils-*.tar.xz.sig)
 	$(call do_safe_remove,$(DOWNLOADS_DIR)/gnu-keyring.gpg)
 	$(call do_safe_remove_glob,$(LOGS_DIR),binutils-stage1-*.log)
 	$(call do_safe_remove_glob,$(LOGS_DIR),binutils-stage2-*.log)
@@ -118,10 +117,10 @@ clean-binutils-stage2:
 clean-gcc: clean-musl ## Remove GCC build directory
 	$(call do_clean,gcc)
 	$(call do_safe_remove,$(GCC_BUILD_DIR))
-	$(call do_safe_remove,$(GCC_SRC_DIR))
-	$(call do_safe_remove,$(GCC_STAMP))
-	$(call do_safe_remove,$(GCC_ARCHIVE))
-	$(call do_safe_remove,$(DOWNLOADS_DIR)/gcc-$(GCC_VERSION).tar.xz.sig)
+	$(call do_safe_remove_glob,$(SOURCES_DIR),gcc-*)
+	$(call do_safe_remove_glob,$(DOWNLOADS_DIR),.gcc-*-verified)
+	$(call do_safe_remove_glob,$(DOWNLOADS_DIR),gcc-*.tar.xz)
+	$(call do_safe_remove_glob,$(DOWNLOADS_DIR),gcc-*.tar.xz.sig)
 	$(call do_safe_remove,$(DOWNLOADS_DIR)/gnu-keyring.gpg)
 	$(call do_safe_remove_glob,$(LOGS_DIR),gcc-stage1-*.log)
 	$(call do_safe_remove_glob,$(LOGS_DIR),gcc-stage2-*.log)
@@ -151,10 +150,10 @@ clean-gcc-stage2:
 clean-musl: clean-binutils-stage2 clean-gcc-stage2 ## Remove musl build directory
 	$(call do_clean,musl)
 	$(call do_safe_remove,$(MUSL_BUILD_DIR))
-	$(call do_safe_remove,$(MUSL_SRC_DIR))
-	$(call do_safe_remove,$(MUSL_STAMP))
-	$(call do_safe_remove,$(MUSL_ARCHIVE))
-	$(call do_safe_remove,$(DOWNLOADS_DIR)/musl-$(MUSL_VERSION).tar.gz.asc)
+	$(call do_safe_remove_glob,$(SOURCES_DIR),musl-*)
+	$(call do_safe_remove_glob,$(DOWNLOADS_DIR),.musl-*-verified)
+	$(call do_safe_remove_glob,$(DOWNLOADS_DIR),musl-*.tar.gz)
+	$(call do_safe_remove_glob,$(DOWNLOADS_DIR),musl-*.tar.gz.asc)
 	$(call do_safe_remove,$(DOWNLOADS_DIR)/musl.pub)
 	$(call do_safe_remove_glob,$(LOGS_DIR),musl-*.log)
 	$(foreach lib,$(MUSL_LIBS),$(call do_safe_remove_glob,$(SYSROOT)/lib,$(lib).*))
@@ -187,10 +186,10 @@ clean-musl: clean-binutils-stage2 clean-gcc-stage2 ## Remove musl build director
 clean-kheaders: clean-gcc ## Remove Linux UAPI headers build directory
 	$(call do_clean,linux-headers)
 	$(call do_safe_remove,$(LINUX_HEADERS_BUILD_DIR))
-	$(call do_safe_remove,$(LINUX_SRC_DIR))
-	$(call do_safe_remove,$(LINUX_STAMP))
-	$(call do_safe_remove,$(LINUX_ARCHIVE))
-	$(call do_safe_remove,$(DOWNLOADS_DIR)/linux-$(LINUX_VERSION).tar.sign)
+	$(call do_safe_remove_glob,$(SOURCES_DIR),linux-*)
+	$(call do_safe_remove_glob,$(DOWNLOADS_DIR),.linux-*-verified)
+	$(call do_safe_remove_glob,$(DOWNLOADS_DIR),linux-*.tar.xz)
+	$(call do_safe_remove_glob,$(DOWNLOADS_DIR),linux-*.tar.sign)
 	$(call do_safe_remove_glob,$(LOGS_DIR),linux-headers-*.log)
 	$(call do_safe_remove,$(SYSROOT)/usr/include/linux)
 	$(call do_safe_remove,$(SYSROOT)/usr/include/asm)

Makefile.check

@@ -20,7 +20,7 @@
 # SOFTWARE.
 
 include config/paths.mk
-include make/common.mk
+include make/helpers.mk
 
 ROOT_DIR := $(abspath $(ROOT_DIR))
 

README.md

@@ -7,7 +7,7 @@ BugleOS Cross Toolchain builds deterministic cross-compilers and system headers
 ## Repository layout
 
 - `Makefile`: entry point orchestrating staged builds per architecture.
-- `config/`: central version and path definitions, plus per-architecture target triples.
+- `config/`: path definitions and per-architecture target triples.
 - `make/`: stage-specific makefiles for binutils, GCC, and musl.
 - `scripts/`: helper utilities for fetching sources, verifying checksums, loading the environment, and emitting metadata files.
 - `patches/`: placeholder for local patches to upstream sources.
@@ -41,7 +41,7 @@ To list optional variables for a specific target, pass the target name via `TARG
 make help TARGET=toolchain
 ```
 
-To install Linux UAPI headers into the sysroot, set `WITH_LINUX_HEADERS=1` and update `LINUX_VERSION`/`LINUX_SHA256` in `config/versions.mk`:
+To install Linux UAPI headers into the sysroot, set `WITH_LINUX_HEADERS=1` and update `LINUX_VERSION`/`LINUX_SHA256` in `make/linux-headers.mk`:
 
 ```
 make WITH_LINUX_HEADERS=1 TARGET=x86_64-bugleos-linux-musl toolchain

SECURITY.md

@@ -0,0 +1,61 @@
+# Security Policy
+
+This document describes how to report security issues for BugleOS Cross Toolchain.
+
+## Supported Versions
+
+We currently support the latest released version and the `main` branch.
+
+| Version | Supported |
+| --- | --- |
+| latest | :white_check_mark: |
+| older releases | :x: |
+
+## Reporting a Vulnerability
+
+Please report security issues **privately**.
+
+Preferred method:
+1. Open a private GitHub Security Advisory:
+   https://github.com/strombetta/bugleos-make-toolchain/security/advisories
+
+If you cannot use GitHub Security Advisories, contact the maintainer privately
+via the email listed in the maintainer's GitHub profile or commit metadata.
+
+### What to Include
+
+Please include:
+- A clear description of the vulnerability and impact
+- Steps to reproduce (proof-of-concept if possible)
+- Affected versions/commits
+- Any suggested fixes or mitigations
+
+## Response Timeline
+
+We aim to:
+- Acknowledge receipt within **2 business days**
+- Provide a status update within **7 days**
+- Coordinate a fix and disclosure schedule as appropriate
+
+Timelines may vary based on complexity and upstream coordination needs.
+
+## Scope
+
+In scope:
+- Build scripts, CI workflows, release artifacts, and integrity checks
+- Supply-chain or signing/verification issues
+- Toolchain configuration that could compromise build outputs
+
+Out of scope:
+- Vulnerabilities in upstream projects (binutils/GCC/musl/Linux)
+  unless introduced or amplified by this repository
+
+## Coordinated Disclosure
+
+Please do not open public issues or disclose details until a fix or mitigation
+is available. We will coordinate disclosure with you.
+
+## Security Updates
+
+Security fixes will be released as new versions. Release notes will reference
+the advisory and provide upgrade guidance.

SUPPORT.md

@@ -0,0 +1,34 @@
+# Support
+
+This document describes how to get help with BugleOS Cross Toolchain.
+
+## What We Support
+
+We can help with:
+- Build failures in this repository
+- Reproducibility issues and validation checks
+- Documentation clarity and usage questions
+- Feature requests related to the build system
+
+## What We Do Not Support
+
+- Bugs in upstream projects (binutils, GCC, musl, Linux) unless caused by
+  configuration or patches in this repository
+- General operating system setup outside the documented prerequisites
+
+## How to Get Help
+
+1. **Check the docs first**
+   - README.md and CONTRIBUTING.md
+2. **Collect diagnostics**
+   - Host OS and tool versions
+   - Target triplet
+   - Logs from `logs/`
+3. **Choose the right channel**
+   - Questions: GitHub Discussions (if enabled)
+   - Bugs/feature requests: GitHub Issues with clear reproduction steps
+
+## Security Issues
+
+Please do not file public issues for security vulnerabilities.
+Follow SECURITY.md for private reporting.

VERSION

@@ -0,0 +1 @@
+1.0.0

VERSIONING.md

@@ -0,0 +1,38 @@
+# Versioning Policy
+
+BugleOS Cross Toolchain follows Semantic Versioning 2.0.0.
+
+## Version Format
+
+`MAJOR.MINOR.PATCH` stored in the `VERSION` file.
+
+- **MAJOR**: incompatible changes (build outputs, flags, toolchain layout)
+- **MINOR**: backward-compatible feature additions
+- **PATCH**: backward-compatible bug fixes and reproducibility fixes
+
+## Tags
+
+Release tags follow:
+
+`vMAJOR.MINOR.PATCH`  
+or  
+`vMAJOR.MINOR.PATCH-PRERELEASE`
+
+Examples:
+- `v1.2.3`
+- `v1.2.3-rc.1`
+
+## Release Process
+
+1. Update `VERSION` with the next `MAJOR.MINOR.PATCH`.
+2. Create an annotated tag using the `Tag from VERSION` workflow.
+3. CI builds artifacts, verifies checksums, and publishes the release.
+
+## Pre-releases
+
+Pre-releases are allowed (e.g., `-rc.1`, `-beta.1`) and are published as
+pre-release tags in GitHub.
+
+## Hotfixes
+
+Hotfixes increment **PATCH** and follow the same release process.

config/paths.mk

@@ -46,9 +46,6 @@ LINUX_ARCH := $(TARGET_ARCH)
 endif
 MUSL_LDSO   := ld-musl-$(TARGET_ARCH).so.1
 
-HOST_PATH := /usr/bin:/bin:$(PATH)
-CROSS_PATH := $(TOOLCHAIN_ROOT)/bin:$(TOOLCHAIN_TARGET_DIR)/bin:$(STAGE1_TOOLCHAIN_ROOT)/bin:$(STAGE1_TOOLCHAIN_ROOT)/$(TARGET)/bin
-
 TOOLCHAIN_ROOT ?= $(OUT_DIR)/toolchain
 TOOLCHAIN_TARGET_DIR ?= $(TOOLCHAIN_ROOT)/$(TARGET)
 SYSROOT ?= $(TOOLCHAIN_TARGET_DIR)/sysroot