docs(README): add secureblue column + upstream credit section
secureblue (AGPLv3) is the upstream hardened atomic Fedora that the v0.7 BlueBuild spike layers on top of. Comparison table now includes secureblue alongside Kicksecure + stock Fedora KDE.

New "Credit & relationship to secureblue" section spells out where their work already solves problems we don't need to reinvent (Trivalent, SELinux policy, kernel cmdline, signed OCI), how veilor-os differs (kickstart install path + branding + Forgejo CI), and the AGPLv3 attribution rule for any code we lift verbatim.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
parent
a215df5952
commit
3391bb5f93
1 changed files with 47 additions and 19 deletions
66
README.md
|
|
@ -116,30 +116,58 @@ Full reference: [docs/HARDENING.md](docs/HARDENING.md).
|
||||||
|
|
||||||
## How veilor-os compares
|
## How veilor-os compares
|
||||||
|
|
||||||
| Feature | veilor-os | Stock Fedora KDE | Kicksecure |
|
| Feature | veilor-os | Stock Fedora KDE | Kicksecure | secureblue |
|
||||||
|---|:-:|:-:|:-:|
|
|---|:-:|:-:|:-:|:-:|
|
||||||
| SELinux enforcing OOTB | yes | yes | yes |
|
| SELinux enforcing OOTB | yes | yes | yes | yes (custom policy) |
|
||||||
| AppArmor | planned (v0.5) | no | yes |
|
| AppArmor | deferred (post-v0.6 / v0.7 LSM stack) | no | yes | no |
|
||||||
| Secure Boot | yes (Fedora keys) | yes (Fedora keys) | configurable |
|
| Secure Boot | yes (Fedora keys) | yes (Fedora keys) | configurable | yes (Fedora keys) |
|
||||||
| LUKS2 with argon2id | default | optional | default |
|
| LUKS2 with argon2id | default | optional | default | default (Anaconda) |
|
||||||
| Single-prompt install (LUKS only) | yes | no | no |
|
| Single-prompt install (LUKS only) | yes | no | no | rebase via Anaconda |
|
||||||
| Root account locked by default | yes | no | yes |
|
| Root account locked by default | yes | no | yes | yes |
|
||||||
| firewalld default zone = drop | yes | no | n/a (uses nftables) |
|
| firewalld default zone = drop | yes | no | n/a (nftables) | yes |
|
||||||
| USBGuard default-block | yes | no | yes |
|
| USBGuard default-block | yes | no | yes | yes |
|
||||||
| fail2ban + auditd OOTB | yes | no | partial |
|
| fail2ban + auditd OOTB | yes | no | partial | partial (auditd) |
|
||||||
| DNS-over-TLS by default | yes | no | yes |
|
| DNS-over-TLS by default | yes | no | yes | yes |
|
||||||
| NTS-authenticated NTP | yes | no | yes |
|
| NTS-authenticated NTP | yes | no | yes | yes |
|
||||||
| `init_on_alloc/free` (post-install) | yes (planned re-enable) | no | yes |
|
| `init_on_alloc/free` (post-install) | yes (planned re-enable) | no | yes | yes |
|
||||||
| Telemetry / phone-home | none | minimal | none |
|
| Telemetry / phone-home | none | minimal | none | none |
|
||||||
| KDE Plasma branded theme | yes (black) | Breeze | n/a (XFCE) |
|
| KDE Plasma branded theme | yes (black) | Breeze | n/a (XFCE) | upstream Kinoite |
|
||||||
| Power-profile CLI | yes (3-mode) | partial | no |
|
| Power-profile CLI | yes (3-mode) | partial | no | no |
|
||||||
| Reproducible kickstart-built ISO | yes | yes | yes (from Debian) |
|
| Hardened browser (Trivalent / Mullvad) | yes (v0.6+) | no | no | yes (Trivalent shipped) |
|
||||||
| Base distro | Fedora 43 | Fedora 43 | Debian |
|
| Atomic OCI image + signed base | v0.7 spike (BlueBuild) | no | no | yes (`bootc`) |
|
||||||
|
| Userns-remap default + module sig enforce | yes | no | partial | yes |
|
||||||
|
| Base distro | Fedora 43 (KDE) | Fedora 43 | Debian | Fedora atomic (Kinoite/Silverblue) |
|
||||||
|
|
||||||
veilor-os is **not** trying to compete with Whonix-style anonymity or
|
veilor-os is **not** trying to compete with Whonix-style anonymity or
|
||||||
Qubes-style isolation. It is a **hardened daily-driver desktop** — fast,
|
Qubes-style isolation. It is a **hardened daily-driver desktop** — fast,
|
||||||
clean, locked down, with no manual post-install hardening required.
|
clean, locked down, with no manual post-install hardening required.
|
||||||
|
|
||||||
|
### Credit & relationship to secureblue
|
||||||
|
|
||||||
|
[secureblue](https://github.com/secureblue/secureblue) (AGPLv3) is an
|
||||||
|
upstream hardened atomic Fedora build that already solves a long list
|
||||||
|
of problems we'd otherwise reinvent: Trivalent (hardened Chromium),
|
||||||
|
custom SELinux policy, sysctl hardening, `module.sig_enforce=1`,
|
||||||
|
USBGuard defaults, libpam-pwquality config, kernel cmdline hardening,
|
||||||
|
and a full BlueBuild OCI pipeline with cosign-signed releases. The v0.7
|
||||||
|
veilor-os spike layers on top of secureblue's
|
||||||
|
`securecore-kinoite-hardened-userns` image rather than re-deriving the
|
||||||
|
same hardening from scratch.
|
||||||
|
|
||||||
|
Where veilor-os differs is the path, not the destination: a
|
||||||
|
kickstart-installed flat install for v0.5.x (operator-friendly LUKS
|
||||||
|
flow, single-prompt install), a hybrid kickstart-bootstrap +
|
||||||
|
secureblue-OCI image at v0.7, and a fully OCI/`bootc upgrade` path at
|
||||||
|
v1.0. Branding, theming, the gum installer, the 3-mode power CLI, and
|
||||||
|
the Forgejo-hosted CI/release plumbing are veilor's own work.
|
||||||
|
|
||||||
|
If a chunk of secureblue code, config, or policy ends up in veilor-os
|
||||||
|
verbatim or near-verbatim, the file carries an upstream-attribution
|
||||||
|
header and the LICENSE file in this repo records the AGPLv3 obligation
|
||||||
|
on those files. Anything we ship under MIT is original to this repo.
|
||||||
|
Thanks to the secureblue maintainers — without their public work the
|
||||||
|
v0.7 path would be a year of duplicate effort.
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
## Repo layout
|
## Repo layout
|
||||||
|
|
|
||||||
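Review bot: The comparison table drops the "Reproducible kickstart-built ISO" row (the "Hardened browser" row takes its place) and changes the veilor-os AppArmor cell from "planned (v0.5)" to "deferred (post-v0.6 / v0.7 LSM stack)", and the commit message mentions neither; keep the reproducibility row with a secureblue cell, or state in the message why it was removed and why AppArmor moved. In the new credit section, the sentence that "the LICENSE file in this repo records the AGPLv3 obligation on those files" holds only if LICENSE already says so, because this commit changes README.md alone; confirm that or update LICENSE in the same change. The new "Userns-remap default + module sig enforce" row also folds two independent settings into one cell, so the "partial" under Kicksecure does not say which of the two is missing; splitting it into two rows would fix that.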