Rose Kernel
This page is part of the open source self-hosted manual.
It documents the Linux distribution artifact that runs inside WSL2 on Windows.
What this artifact is
The release artifact is a WSL-importable Linux root filesystem that contains:
/opt/404/static(STATIC binary)/opt/404/ttl_editor.o(eBPF classifier object)/opt/404/404-init.sh(startup entrypoint)/etc/wsl.conf(boot command wiring)/opt/404/distro-version
You do not need to download STATIC separately when using this distro tarball.
Available on Windows
Release assets
GitHub release assets include:
404-distro.tar.gz404-distro-manifest.json404-distro-manifest.json.sig404-windows-x64.zip
404-windows-x64.zip is the operator bundle for manual Windows setup. It includes:
404-distro.tar.gz- distro manifest files
AppData/Roaming/404/static/profiles/*AppData/Roaming/404/static/static.runtime.tomlAppData/Local/404/wsl/control-token
Public manifest contract
The public update origin exposes:
/distro/manifest.json/distro/manifest.json.sig/distro/<tag>/404-distro.tar.gz/distro/<tag>/manifest.json/distro/<tag>/manifest.json.sig
The manifest points at a versioned, immutable tarball path.
Consumers verify:
- Manifest signature
- Tarball hash inside the signed manifest
Release-manifest shape:
{
"version": "v1.2.3",
"sha256": "<hex>",
"artifact_path": "/distro/v1.2.3/404-distro.tar.gz",
"published_at": "2026-05-06T00:00:00.000Z"
}
Download from GitHub release
On Windows, download release assets from the repository Releases page.
For manual setup, download:
404-windows-x64.zip
Optional direct assets:
404-distro.tar.gz404-distro-manifest.json404-distro-manifest.json.sig
Manual Windows setup (self-hosted)
1. Extract the Windows operator bundle
Example:
2. Copy AppData payload into your Windows profile
From PowerShell:
$src = Resolve-Path .\404-windows
robocopy "$src\AppData\Roaming\404" "$env:APPDATA\404" /E
robocopy "$src\AppData\Local\404" "$env:LOCALAPPDATA\404" /E
This places:
static.runtime.tomland profiles underAppData\Roaming\404\static- control token under
AppData\Local\404\wsl
3. Import the WSL distro tarball
Choose a distro name. Example uses rose:
New-Item -ItemType Directory -Force -Path C:\WSL\rose | Out-Null
wsl --import rose C:\WSL\rose .\404-windows\404-distro.tar.gz --version 2
You can use any distro name for manual inspection. The desktop app currently manages only the fixed WSL distro name 404, so use 404 if you expect the Tauri app to control the runtime.
4. Write the Windows username expected by distro startup
Do not use shell positional parameters such as $0 here. They can write the shell name instead of the Windows username, which makes distro startup look under the wrong C:\Users\...\AppData path.
5. Start the distro
That opens a shell session and runs the distro boot contract.
What happens on startup
/opt/404/404-init.sh does the following:
- Reads
/opt/404/win-user - Resolves config at
/mnt/c/Users/<WIN_USER>/AppData/Roaming/404/static/static.runtime.toml - Mounts
bpffsat/sys/fs/bpf(best effort) - Attaches
ttl_editor.oto all liveeth*egress interfaces (best effort) - Pins
fingerprint_profilesat/sys/fs/bpf/404/fingerprint_profiles - Starts
/opt/404/static --config <path> --mode proxy
The eBPF attach path is interface-discovery based (eth*), and can be overridden with EGRESS_IFACES.
Verify runtime state
Check STATIC process:
Check control plane status:
Check pinned eBPF map:
Check attached filters:
wsl -d rose -- sh -lc 'for d in $(ip -o link show up | awk -F": " "/: eth[0-9]+:/ {print \$2}"); do echo "== $d =="; tc filter show dev "$d" egress; done'
Useful helper scripts from the open-source repo:
scripts/verify-distro-publication.shverifies that a public origin exposes the stable manifest, signature, and versioned tarball correctly.scripts/build-local-distro.shbuilds the musl STATIC binary, compilesttl_editor.o, and packages a WSL-importable tarball when you need a source-built artifact.
Direct public-origin download flow
If you are fetching from a public origin, use manifest-first retrieval:
BASE_URL="https://updates.404privacy.com"
curl -O "$BASE_URL/distro/manifest.json"
curl -O "$BASE_URL/distro/manifest.json.sig"
# then fetch the manifest's artifact_path, for example:
curl -O "$BASE_URL/distro/v1.2.3/404-distro.tar.gz"
Source-maintainer build path
For source builds of the distro tarball, use the repository build documentation in:
404_REL/distro/README.md404 APP/docs/local-distro-build.md
The main packaging helper is: