veilor-os/docs/STRATEGY.md

# veilor-os Strategy — Hybrid kickstart bootstrap + bootc OCI

Decision date: **2026-05-05**
Locked at: **v0.5.31 → v0.7 spike → v1.0**

## TL;DR

- Keep the Anaconda-driven kickstart ISO as the **bootstrap installer**
  (LUKS UX is mature, single passphrase prompt, custom partitioning
  works).
- On first boot, the installed system is automatically rebased to a
  **veilor-os OCI image** built via BlueBuild on top of secureblue's
  `securecore-kinoite-hardened-userns`.
- All future updates flow through `bootc upgrade` — atomic A/B,
  instant rollback, cosign-signed.
- The kickstart-driven mutable-root path is deprecated at v1.0; kept
  alive as fallback through v0.7.

## Why hybrid, not pure pivot

Pure pivot to bootc-from-scratch (Agent 3's spike plan) was **1 week
to first ISO**. Pure pivot to layering on secureblue is **2 days to
first ISO** because the hardening work is already done. But both
require throwing away the partitioning UX we already have working in
Anaconda.

Hybrid:
- **Day-zero install:** Anaconda kickstart + custom partitioning +
  LUKS prompt (what we have today). User experience = unchanged.
- **First boot, post-LUKS-unlock:** `bootc rebase
  ghcr.io/veilor/veilor-os:43` runs once; pulls the OCI image; next
  reboot lands in the veilor OCI tree.
- **Day-2:** `bootc upgrade` cadence for everything from then on.

We keep what works, pivot the part that doesn't.

## Why secureblue underneath

| Question | Answer |
|---|---|
| Maintainers | secureblue: 30 contributors, 56 commits/5wks. veilor-os: solo. |
| Hardening surface | secureblue ships sysctl + kargs + SELinux + USBGuard + hardened-malloc + DoT — far more than we'd build alone. |
| Build pipeline | BlueBuild → cosign-signed OCI in GH Actions (`build-all.yml`, `trivy.yml`). |
| Update model | bootc upgrade with A/B + instant rollback + signed image chain. |
| Variants | `kinoite-hardened-userns` is the KDE+Wayland+SELinux variant we'd want. |
| License | Apache-2.0 (compatible with our MIT). |

What we override in our recipe:

- **Browser**: Trivalent (their fork) → Brave / Mullvad-Browser.
  Single-maintainer browser fork is unacceptable risk for daily-driver
  audience.
- **`run0` instead of sudo**: revert. Breaks too many workflows.
- **Xwayland disabled**: revert. Some apps still need it.
- **veilor branding**: theme, KDE color scheme, Plymouth, SDDM, font,
  os-release. All `overlay/*` ports verbatim from current repo.

## Strategic credibility win

secureblue does NOT publish a threat model. Athena OS does, and it's
their main differentiator. We've already drafted
`docs/THREAT-MODEL.md` (Agent 5 of 2026-05-05 wave). Publishing that
*before* the v0.7 launch positions veilor-os ahead of secureblue and
Athena on the one axis that matters most for a security-branded
distro: **honest, scoped, public threat model**.

## Roadmap implications

| Version | Status | Path |
|---|---|---|
| v0.5.31 | shipped | Anaconda kickstart, mutable root |
| v0.5.32 | active — top blockers from 9-agent wave | Anaconda kickstart |
| v0.5.x → v0.6 | maintenance | Anaconda kickstart, ergonomics + UX polish |
| **v0.7 spike** | **2-day BlueBuild prototype** | First veilor OCI image extending secureblue-kinoite-hardened |
| v0.7 ship | ISO bootstraps install, first boot rebases to OCI | Hybrid path live |
| **v1.0** | **bootc-only**, kickstart deprecated | `bootc upgrade` for all updates |

The `bootc-image-builder` spike plan (Agent 3) is **superseded** by
this hybrid: don't build a Containerfile from scratch on
`fedora-bootc:43`. Instead, write a BlueBuild recipe on
`securecore-kinoite-hardened-userns`. Spike compresses 1 week → 2 days.

## Next concrete steps

### v0.5.32 — current (no strategy change)

Ship the 7 blockers from `docs/research/2026-05-05-agent-wave/`:
suspend/resume wifi fix, firstboot WantedBy, USBGuard id-rules,
firewalld tailscale0 zone, KMS modeset, /etc/skel branding, virtio-9p
log capture.

### v0.7-spike (2 days)

1. New repo dir: `bluebuild/recipe.yml`.
2. `from`: `ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest`.
3. Override modules:
   - `type: files` — stamp our `overlay/*` tree (branding, themes,
     veilor scripts, sddm theme, plymouth theme).
   - `type: rpm-ostree` — install Brave + restore Xwayland.
   - `type: rpm-ostree` — remove Trivalent.
   - `type: brand` — PRETTY_NAME, GRUB_DISTRIBUTOR, distributor URL.
4. `.github/workflows/build-bluebuild.yml` — pull BlueBuild action,
   build + cosign sign + push to GHCR.
5. `kickstart/install.ks` — add a one-shot `veilor-firstboot-rebase`
   service that runs `rpm-ostree rebase ghcr.io/veilor/veilor-os:43`
   then disables itself. User reboots once and is on the OCI image.

### v1.0 — bootc-only

- Drop `kickstart/veilor-os.ks`, drop `livecd-creator` workflow.
- Keep `installer-iso.toml` for the bootstrap ISO (built via
  bootc-image-builder); the OCI image is the source of truth.
- `veilor-update` becomes thin `bootc upgrade --apply` wrapper.

## Open questions

- Does secureblue accept upstream contributions? If yes, send our
  USBGuard id-based-rules fix and our threat model framework.
- Brave vs Mullvad-Browser: Brave has telemetry concerns out of box;
  Mullvad-Browser is Tor-Browser-derived but not designed for
  daily-driver. Test both in spike.
- Recovery flow when bootc rebase fails on first boot — need fallback
  to keep the kickstart-installed system bootable. Likely already
  handled by bootc's A/B; verify in spike.
- Fedora 44 transition: secureblue tracks Fedora releases (current
  `v4.9` on F44). If we follow, we get F44 for free at the same time
  upstream does.

## See also

- `docs/THREAT-MODEL.md` — drafted, needs publish for v0.7
- `docs/ROADMAP.md` — to be updated to reflect this strategy
- `docs/research/2026-05-05-agent-wave/03-bootc-spike-plan.md` —
  superseded by this hybrid (kept as reference for the
  Containerfile-from-scratch alternative)
- secureblue: <https://github.com/secureblue/secureblue>
- BlueBuild: <https://blue-build.org>
docs: STRATEGY.md — hybrid kickstart bootstrap + bootc OCI on secureblue Locks in the strategic decision from 2026-05-05 secureblue research agent: pivot the technical base toward bootc/OCI, but as a layer over secureblue's `securecore-kinoite-hardened-userns` rather than a Containerfile-from-scratch. ## What changed - New: `docs/STRATEGY.md` — full hybrid plan (kickstart bootstrap → first-boot bootc rebase → bootc-only at v1.0). Documents secureblue rationale, our overrides (drop Trivalent, restore sudo + Xwayland), next concrete steps for v0.7 spike (BlueBuild recipe + GH Actions workflow + `veilor-firstboot-rebase` one-shot). - Updated: `docs/ROADMAP.md` v0.7 bootc-spike subsection — supersedes the Agent 3 Containerfile-from-scratch plan with the BlueBuild layering plan. Spike compresses 1 week → 2 days; hardening review inherited from 30 secureblue contributors. ## Why hybrid, not pure pivot - Anaconda's LUKS UX (single passphrase prompt + custom partitioning) is mature; bootc-image-builder's installer is not yet on par. Keep the kickstart as the bootstrap. - bootc upgrade gets us atomic A/B + signed image chain + instant rollback that we can't realistically build alone with our contributor count. - The kickstart work is not lost — it becomes the day-zero installer through v0.7. v1.0 deprecates it entirely once bootc-image-builder installer ISO matures. ## Why secureblue, not Athena (Arch) \| Axis \| secureblue \| Athena OS \| \|---\|---\|---\| \| Maintainers \| 30 \| 8 \| \| MAC enforcing OOB \| SELinux + custom policy \| AppArmor active, profiles mostly unconfined \| \| Atomic / immutable updates \| Yes (bootc/rpm-ostree) \| No (rolling) \| \| Threat model published \| No \| Yes \| \| MS-signed Secure Boot shim \| Yes (Fedora shim) \| Yes (with auto-MOK) \| Athena's only structural advantage is the published threat model. We're already drafting one (Agent 5 of 2026-05-05 wave) — we get that win regardless. secureblue's contributor count + atomic update infrastructure is the leverage. ## Strategic credibility win Publishing `docs/THREAT-MODEL.md` BEFORE the v0.7 launch positions veilor-os ahead of secureblue (no threat model) and Athena (has threat model but smaller contributor base) on the one axis that matters most. ## Open questions documented in STRATEGY.md - secureblue contribution acceptance for upstream patches (USBGuard id-based-rules fix, threat model framework) - Brave vs Mullvad-Browser pick for default browser - bootc rebase first-boot fallback if rebase fails - Fedora 44 transition timing follows secureblue's release tags 2026-05-05 15:05:59 +01:00			`# veilor-os Strategy — Hybrid kickstart bootstrap + bootc OCI`

			`Decision date: 2026-05-05`
			`Locked at: v0.5.31 → v0.7 spike → v1.0`

			`## TL;DR`

			`- Keep the Anaconda-driven kickstart ISO as the bootstrap installer`
			`(LUKS UX is mature, single passphrase prompt, custom partitioning`
			`works).`
			`- On first boot, the installed system is automatically rebased to a`
			`veilor-os OCI image built via BlueBuild on top of secureblue's`
			`securecore-kinoite-hardened-userns`.
			- All future updates flow through `bootc upgrade` — atomic A/B,
			`instant rollback, cosign-signed.`
			`- The kickstart-driven mutable-root path is deprecated at v1.0; kept`
			`alive as fallback through v0.7.`

			`## Why hybrid, not pure pivot`

			`Pure pivot to bootc-from-scratch (Agent 3's spike plan) was **1 week`
			`to first ISO. Pure pivot to layering on secureblue is 2 days to`
			`first ISO** because the hardening work is already done. But both`
			`require throwing away the partitioning UX we already have working in`
			`Anaconda.`

			`Hybrid:`
			`- Day-zero install: Anaconda kickstart + custom partitioning +`
			`LUKS prompt (what we have today). User experience = unchanged.`
			- First boot, post-LUKS-unlock: `bootc rebase
			ghcr.io/veilor/veilor-os:43` runs once; pulls the OCI image; next
			`reboot lands in the veilor OCI tree.`
			- Day-2: `bootc upgrade` cadence for everything from then on.

			`We keep what works, pivot the part that doesn't.`

			`## Why secureblue underneath`

			`\| Question \| Answer \|`
			`\|---\|---\|`
			`\| Maintainers \| secureblue: 30 contributors, 56 commits/5wks. veilor-os: solo. \|`
			`\| Hardening surface \| secureblue ships sysctl + kargs + SELinux + USBGuard + hardened-malloc + DoT — far more than we'd build alone. \|`
			\| Build pipeline \| BlueBuild → cosign-signed OCI in GH Actions (`build-all.yml`, `trivy.yml`). \|
			`\| Update model \| bootc upgrade with A/B + instant rollback + signed image chain. \|`
			\| Variants \| `kinoite-hardened-userns` is the KDE+Wayland+SELinux variant we'd want. \|
			`\| License \| Apache-2.0 (compatible with our MIT). \|`

			`What we override in our recipe:`

			`- Browser: Trivalent (their fork) → Brave / Mullvad-Browser.`
			`Single-maintainer browser fork is unacceptable risk for daily-driver`
			`audience.`
			- `run0` instead of sudo: revert. Breaks too many workflows.
			`- Xwayland disabled: revert. Some apps still need it.`
			`- veilor branding: theme, KDE color scheme, Plymouth, SDDM, font,`
			os-release. All `overlay/*` ports verbatim from current repo.

			`## Strategic credibility win`

			`secureblue does NOT publish a threat model. Athena OS does, and it's`
			`their main differentiator. We've already drafted`
			`docs/THREAT-MODEL.md` (Agent 5 of 2026-05-05 wave). Publishing that
			`before the v0.7 launch positions veilor-os ahead of secureblue and`
			`Athena on the one axis that matters most for a security-branded`
			`distro: honest, scoped, public threat model.`

			`## Roadmap implications`

			`\| Version \| Status \| Path \|`
			`\|---\|---\|---\|`
			`\| v0.5.31 \| shipped \| Anaconda kickstart, mutable root \|`
			`\| v0.5.32 \| active — top blockers from 9-agent wave \| Anaconda kickstart \|`
			`\| v0.5.x → v0.6 \| maintenance \| Anaconda kickstart, ergonomics + UX polish \|`
			`\| v0.7 spike \| 2-day BlueBuild prototype \| First veilor OCI image extending secureblue-kinoite-hardened \|`
			`\| v0.7 ship \| ISO bootstraps install, first boot rebases to OCI \| Hybrid path live \|`
			\| v1.0 \| bootc-only, kickstart deprecated \| `bootc upgrade` for all updates \|

			The `bootc-image-builder` spike plan (Agent 3) is superseded by
			`this hybrid: don't build a Containerfile from scratch on`
			`fedora-bootc:43`. Instead, write a BlueBuild recipe on
			`securecore-kinoite-hardened-userns`. Spike compresses 1 week → 2 days.

			`## Next concrete steps`

			`### v0.5.32 — current (no strategy change)`

			Ship the 7 blockers from `docs/research/2026-05-05-agent-wave/`:
			`suspend/resume wifi fix, firstboot WantedBy, USBGuard id-rules,`
			`firewalld tailscale0 zone, KMS modeset, /etc/skel branding, virtio-9p`
			`log capture.`

			`### v0.7-spike (2 days)`

			1. New repo dir: `bluebuild/recipe.yml`.
			2. `from`: `ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest`.
			`3. Override modules:`
			- `type: files` — stamp our `overlay/*` tree (branding, themes,
			`veilor scripts, sddm theme, plymouth theme).`
			- `type: rpm-ostree` — install Brave + restore Xwayland.
			- `type: rpm-ostree` — remove Trivalent.
			- `type: brand` — PRETTY_NAME, GRUB_DISTRIBUTOR, distributor URL.
			4. `.github/workflows/build-bluebuild.yml` — pull BlueBuild action,
			`build + cosign sign + push to GHCR.`
			5. `kickstart/install.ks` — add a one-shot `veilor-firstboot-rebase`
			service that runs `rpm-ostree rebase ghcr.io/veilor/veilor-os:43`
			`then disables itself. User reboots once and is on the OCI image.`

			`### v1.0 — bootc-only`

			- Drop `kickstart/veilor-os.ks`, drop `livecd-creator` workflow.
			- Keep `installer-iso.toml` for the bootstrap ISO (built via
			`bootc-image-builder); the OCI image is the source of truth.`
			- `veilor-update` becomes thin `bootc upgrade --apply` wrapper.

			`## Open questions`

			`- Does secureblue accept upstream contributions? If yes, send our`
			`USBGuard id-based-rules fix and our threat model framework.`
			`- Brave vs Mullvad-Browser: Brave has telemetry concerns out of box;`
			`Mullvad-Browser is Tor-Browser-derived but not designed for`
			`daily-driver. Test both in spike.`
			`- Recovery flow when bootc rebase fails on first boot — need fallback`
			`to keep the kickstart-installed system bootable. Likely already`
			`handled by bootc's A/B; verify in spike.`
			`- Fedora 44 transition: secureblue tracks Fedora releases (current`
			`v4.9` on F44). If we follow, we get F44 for free at the same time
			`upstream does.`

			`## See also`

			- `docs/THREAT-MODEL.md` — drafted, needs publish for v0.7
			- `docs/ROADMAP.md` — to be updated to reflect this strategy
			- `docs/research/2026-05-05-agent-wave/03-bootc-spike-plan.md` —
			`superseded by this hybrid (kept as reference for the`
			`Containerfile-from-scratch alternative)`
			`- secureblue: <https://github.com/secureblue/secureblue>`
			`- BlueBuild: <https://blue-build.org>`