hekate/microsoft-systemd-findings-public
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
microsoft-systemd-findings-.../10-uapi-group.md
hekate 5850d38f9a Public release, findings
2026-03-23 06:01:08 +00:00

146 lines
7.4 KiB
Markdown
Raw Permalink Blame History

# UAPI Group Investigation
## What Is the UAPI Group?
The Linux Userspace API (UAPI) Group is a community for standardizing how Linux operating systems are built, deployed, run, and securely updated. It serves as a central gathering place for specifications, documentation, and ideas around image-based Linux.
| Field | Detail |
|---|---|
| Founded | October 2022, as outcome of the first Image-Based Linux Summit in Berlin |
| Status | Self-described as "in the process of constituting itself" and "exploring the problem space" |
| Website | uapi-group.org |
| GitHub | github.com/uapi-group |
| License | CC-BY-4.0 for all specifications |
## The Critical Finding: Who Founded It
The UAPI Group was founded by exactly three people:
| Founder | Role at Founding | Current Affiliation | Role in birthDate Merge |
|---|---|---|---|
| Lennart Poettering | systemd creator | Amutable (Chief Engineer) | Blocked the revert, locked discussion |
| Luca Boccassi | systemd maintainer | Microsoft | Merged PR #40954 against 37:1 opposition |
| Christian Brauner | Linux kernel VFS maintainer | Amutable (CTO) | No direct role in birthDate, but co-founder of Amutable |
The same three individuals who set Linux userspace API standards also controlled the birthDate merge decision. Two of them then co-founded the startup that commercializes "verified integrity for Linux."
There are no named officers, board, or elected leadership positions. Decisions flow through an informal maintainer model.
## Governance Structure
The UAPI Group is governed as a Free Software project, not as a formal standards body:
- Anyone can submit comments and reviews
- Every maintainer has the right to merge changes if they feel they hold the expertise
- Non-trivial changes require approval from at least one maintainer (not the author)
- Regular contributors may receive invitations to join the maintainer team
- No conflict-of-interest policy
- No formal membership requirements
- No voting or consensus mechanisms
The governance model mirrors systemd's own model, which means the same governance failures that enabled the birthDate merge also exist at the standards level.
## Contributing Organizations
The UAPI Group operates as an open community without formal membership. Contributing participants include:
Companies: Microsoft, Amazon/AWS, Meta, Red Hat, Canonical, SUSE, Edgeless Systems, Pengutronix
Distributions/Projects: Ubuntu Core, Debian, GNOME OS, Fedora CoreOS, Endless OS, Arch Linux, openSUSE, Flatcar, NixOS, carbonOS, postmarketOS, Freedesktop-sdk
Tooling/Infrastructure: systemd, mkosi, image-builder/osbuild, tpm2-software, System Transparency, buildstream, BTRFS, bootc, composefs, (rpm-)ostree
## Published Specifications
| ID | Title | Description |
|---|---|---|
| UAPI.1 | Boot Loader Specification | Distribution-independent boot loader menus |
| UAPI.2 | Discoverable Partitions Specification | GUID UUIDs for auto-discovery of partition semantics |
| UAPI.3 | Discoverable Disk Images | Self-describing system image format |
| UAPI.4 | Extension Images | Extending base images with overlays |
| UAPI.5 | Unified Kernel Images (UKI) | UEFI PE binaries containing kernel + initrd + cmdline |
| UAPI.6 | Configuration Files Specification | Default locations for common config files |
| UAPI.7 | Linux TPM PCR Registry | How TPM PCRs are used on Linux |
| UAPI.8 | Package Metadata for Executable Files | Packaging metadata in ELF/PE binaries |
| UAPI.9 | Linux File System Hierarchy | Directory layout (successor to systemd's file-hierarchy) |
| UAPI.10 | Version Format Specification | Version string semantics |
| UAPI.11 | File Hierarchy for Verification of OS Artifacts (VOA) | Verification of OS artifacts |
None of the specifications directly address age verification, identity, or user metadata. The specs focus on boot, disk images, TPM, filesystems, and kernel images.
The specifications do, however, create the infrastructure layer (trusted boot, measured boot, verified images, TPM integration) that Amutable is now commercializing.
## Annual Summits
| Year | Date | Location | Host |
|---|---|---|---|
| 2022 | Oct 4-5 | Berlin | Founding summit |
| 2023 | Sep 12 | Microsoft's Berlin office | Day before All Systems Go! |
| 2024 | Sep 24 | Berlin | BoF-style sessions |
### FOSDEM Devrooms
- FOSDEM 2023: "Image-Based Linux and Secure Measured Boot"
- FOSDEM 2025: "Image-Based Linux and Boot Integrity"
## Is It a De Facto systemd Standards Body?
The community actively debates this question.
### Evidence of deep systemd alignment:
- All three founders are systemd maintainers or closely affiliated
- Several UAPI specs were originally systemd documentation "spun off" - UAPI.9 (Linux File System Hierarchy) moved from systemd's `file-hierarchy` man page
- Many specs describe concepts first implemented in systemd
- FOSDEM CFPs cross-posted to `systemd-devel` mailing list
### The Criticism
Neal Gompa (Fedora/AlmaLinux contributor) publicly stated:
> "The UAPI Group isn't a neutral space: it's a systemd-driven project."
### The Rebuttal
Boccassi argued that not all specs are systemd-derived, pointing to UAPI.6 (Configuration Files Specification) driven by `libeconf`.
### Assessment
The UAPI Group functions as a de facto standards venue for the systemd/image-based Linux ecosystem. While nominally open, its founders, specification lineage, and technical direction are overwhelmingly aligned with systemd's vision.
## Amutable's Relationship to the UAPI Group
No formal "Amutable" organizational involvement exists - the UAPI Group predates Amutable (founded 2022 vs. Amutable announced January 2026). But the connection is total:
- 2 of 3 UAPI Group founders are Amutable co-founders (Poettering, Brauner)
- The third founder (Boccassi) remains at Microsoft and merged the birthDate PR
- Multiple Amutable engineers (Zbigniew, Daan, Michael Vogt) are active in the UAPI/systemd ecosystem
- Amutable's mission ("determinism and verifiable integrity") maps directly onto UAPI spec areas (TPM, UKI, Discoverable Partitions, Trusted Boot)
- Amutable leadership stated they will remain "deeply involved in the systemd ecosystem"
In effect, Amutable is a commercial venture built by the people who created the UAPI Group, working on commercially productizing the same technical concepts the UAPI Group standardizes.
## The Structural Concern
```
UAPI Group (sets Linux userspace API standards)
├── Founded by Poettering, Boccassi, Brauner
systemd (implements the standards as infrastructure)
├── Maintained by Poettering, Boccassi, Zbigniew, Daan
Amutable (commercializes verified integrity built on the standards/infrastructure)
├── Founded by Poettering, Brauner, Kühl
├── Employs Zbigniew, Daan, and others
Result: Same small group sets standards → implements them → profits from them
with no COI disclosure at any level
```
## Sources
- [UAPI Group homepage](https://uapi-group.org/)
- [UAPI Specifications](https://uapi-group.org/specifications/)
- [LWN: 2022 Image-Based Linux Summit](https://lwn.net/Articles/912774/)
- [LWN: 2023 Summit](https://lwn.net/Articles/946526/)
- [LWN: 2024 Summit](https://lwn.net/Articles/994704/)
- [Microsoft 2023 Summit blog](https://techcommunity.microsoft.com/blog/linuxandopensourceblog/the-2023-image-based-linux-summit/4000271)
- [LWN: Finding a successor to the FHS](https://lwn.net/SubscriberLink/1032947/67e23ce1a3f9f129/)
- [GitHub: uapi-group](https://github.com/uapi-group)
Reference in a new issue View git blame Copy permalink