Package Components, CVE Mitigation and eLxr Distributions


When we talk about packages here, what we’re really referring to are the software applications you use on your eLxr system. While eLxr provides a robust Linux experience, without applications, the packages that deliver them initially, and the updates that keep them stable, there would not be much to do. Linux packages often include dependencies, such as another application or library, that they need in order to function as intended. Packages are one part of the overall software delivery to your eLxr system.

Packages reside in repositories, which are directories on a server that contain many sets of packages. These repositories include different types of packages, typically organized by the package function. For example, you can see a list of eLxr repositories on our Projects page.

Software package repositories comprise different categories, or components, such as main, main-debian-community and others. In your eLxr distribution, the /etc/apt/sources.list file, which the Apt Package Manager uses to determine which package repositories apply to your distribution, includes the component name(s) in the entry for each repository. The following example of the sources.list file for bianca includes all the components discussed in this topic.

$ cat /etc/apt/sources.list

deb https://mirror.elxr.dev/elxr bianca main main-debian-community non-free-firmware non-free-firmware-debian-community contrib
deb https://mirror.elxr.dev/elxr bianca-security main main-debian-community non-free-firmware non-free-firmware-debian-community contrib
deb https://mirror.elxr.dev/elxr bianca-updates main main-debian-community non-free-firmware non-free-firmware-debian-community contrib

Components

Main

The main component contains applications that are supported by the eLxr team. This includes the most popular and most reliable open-source applications available, many of which are included by default when you install eLxr. Software in main includes a hand-selected list of applications that the eLxr developers, community, and users feel are most important, and that the eLxr security and distribution team are willing to support. When you install software from the main component, you are assured that the software will come with security updates and that commercial technical support is available from eLxr.

Main-debian-community

The main-debian-community component is a snapshot of the free, open-source, upstream Debian repository. It houses an extensive collection of the open-source software in the upstream Debian Main repository. eLxr does not provide a guarantee of regular security updates, including CVEs, for software in the main-debian-community component, but will provide these where they are made available in the upstream Debian community. Users should understand the risk inherent in using these packages. Popular or well-supported pieces of software will move from Debian-community into main if they are backed by maintainers willing to meet the standards set by the eLxr team.

Additional components

The other components that comprise the eLxr distribution include contrib, non-free-firmware and non-free-firmware-debian-community. Similar to main-debian-community above, these components house a collection of open-source and commercial software from upstream Linux sources beyond Debian, all built from a range of sources. eLxr does not provide a guarantee of regular security updates, but will provide these where they are made available in the upstream Debian or contributor community.

Component Descriptions at a Glance

Refer to the following table for a brief description of the available eLxr package components.

Component                            Description
main                                 Core open-source packages, with security fixes supported by eLxr
non-free-firmware                    Firmware blobs, such as firmware-nonfree and intel-microcode
contrib                              eLxr community open-source packages
main-debian-community                Community-maintained main packages
non-free-firmware-debian-community   Community-maintained firmware

Note: Aside from the main component, there is no guarantee of security fixes and CVE mitigation.
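The following added example (not part of the eLxr documentation or tooling) parses one-line sources.list entries and reports, per suite, which enabled components fall outside the security guarantee described above; it also shows what a main-only configuration would look like. The function names, the [arch=amd64] option and the trailing comment in the sample are constructed for illustration, and deb822-style .sources files are not handled.

```python
import re

# Per the page, only "main" carries guaranteed security fixes and CVE mitigation.
GUARANTEED = {"main"}

# Constructed sample based on the bianca sources.list shown earlier on this page.
SAMPLE = """\
deb https://mirror.elxr.dev/elxr bianca main main-debian-community non-free-firmware non-free-firmware-debian-community contrib
deb https://mirror.elxr.dev/elxr bianca-security main main-debian-community non-free-firmware non-free-firmware-debian-community contrib
deb [arch=amd64] https://mirror.elxr.dev/elxr bianca-updates main contrib  # constructed option and comment
"""

ENTRY = re.compile(r"^(deb|deb-src)\s+(\[[^\]]*\]\s+)?(\S+)\s+(\S+)\s+(.+)$")

def parse_sources(text):
    """Return (type, options, uri, suite, [components]) for each one-line entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = ENTRY.match(line)
        if m:
            kind, opts, uri, suite, comps = m.groups()
            entries.append((kind, (opts or "").strip(), uri, suite, comps.split()))
    return entries

def audit(text):
    """Map each suite to its enabled components that lack guaranteed security fixes."""
    report = {}
    for _kind, _opts, _uri, suite, comps in parse_sources(text):
        seen = report.setdefault(suite, [])
        seen.extend(c for c in comps if c not in GUARANTEED and c not in seen)
    return report

def main_only(text):
    """Render the entries with only guaranteed components kept; empty entries are dropped."""
    out = []
    for kind, opts, uri, suite, comps in parse_sources(text):
        kept = [c for c in comps if c in GUARANTEED]
        if kept:
            out.append(" ".join(filter(None, [kind, opts, uri, suite, *kept])))
    return "\n".join(out)

if __name__ == "__main__":
    for suite, comps in audit(SAMPLE).items():
        print(f"{suite}: no guaranteed CVE fixes for {', '.join(comps) or 'none'}")
    print(main_only(SAMPLE))
```

To audit a real system, pass the contents of /etc/apt/sources.list to audit() instead of SAMPLE.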

eLxr Distributions

eLxr includes two distributions, aria and bianca:

For the latest eLxr release information, check out our News page. To download either release and get started, see Downloads.

Each distribution mirrors an upstream Debian repository. The eLxr component repositories all derive from Debian source, as described in the previous section.

Component Mapping by Distribution

The following table depicts how each component maps to the eLxr distributions, with a couple of exceptions. For example, there is no mapping for the main-debian-community and non-free-firmware-debian-community components because they did not exist in aria, or the Debian bookworm distribution that aria derives from.

Component                            Aria   Bianca   Description
main                                 yes    yes      Core open-source packages
non-free-firmware                    yes    yes      Firmware blobs, such as firmware-nonfree and intel-microcode
contrib                              yes    yes      eLxr community open-source packages
main-debian-community                no     yes      Community-maintained main packages
non-free-firmware-debian-community   no     yes      Community-maintained firmware