veilor-org/veilor-os
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions 1

docs(README): add secureblue column + upstream credit section
Some checks failed
Lint / Kickstart syntax (push) Failing after 2s
Details
Lint / Shell scripts (push) Failing after 6s
Details
Lint / No personal/onyx leaks (push) Failing after 3s
Details

Browse source 
secureblue (AGPLv3) is the upstream hardened atomic Fedora that the
v0.7 BlueBuild spike layers on top of. Comparison table now includes
secureblue alongside Kicksecure + stock Fedora KDE. New "Credit &
relationship to secureblue" section spells out where their work
already solves problems we don't need to reinvent (Trivalent,
SELinux policy, kernel cmdline, signed OCI), how veilor-os differs
(kickstart install path + branding + Forgejo CI), and the AGPLv3
attribution rule for any code we lift verbatim.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
claude-veilor-bot 2026-05-06 15:32:22 +01:00
parent a215df5952
commit 3391bb5f93
1 changed files with 47 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

66
README.md
View file

@ -116,30 +116,58 @@ Full reference: [docs/HARDENING.md](docs/HARDENING.md).
## How veilor-os compares
| Feature | veilor-os | Stock Fedora KDE | Kicksecure |
|---|:-:|:-:|:-:|
| SELinux enforcing OOTB | yes | yes | yes |
| AppArmor | planned (v0.5) | no | yes |
| Secure Boot | yes (Fedora keys) | yes (Fedora keys) | configurable |
| LUKS2 with argon2id | default | optional | default |
| Single-prompt install (LUKS only) | yes | no | no |
| Root account locked by default | yes | no | yes |
| firewalld default zone = drop | yes | no | n/a (uses nftables) |
| USBGuard default-block | yes | no | yes |
| fail2ban + auditd OOTB | yes | no | partial |
| DNS-over-TLS by default | yes | no | yes |
| NTS-authenticated NTP | yes | no | yes |
| `init_on_alloc/free` (post-install) | yes (planned re-enable) | no | yes |
| Telemetry / phone-home | none | minimal | none |
| KDE Plasma branded theme | yes (black) | Breeze | n/a (XFCE) |
| Power-profile CLI | yes (3-mode) | partial | no |
| Reproducible kickstart-built ISO | yes | yes | yes (from Debian) |
| Base distro | Fedora 43 | Fedora 43 | Debian |
| Feature | veilor-os | Stock Fedora KDE | Kicksecure | secureblue |
|---|:-:|:-:|:-:|:-:|
| SELinux enforcing OOTB | yes | yes | yes | yes (custom policy) |
| AppArmor | deferred (post-v0.6 / v0.7 LSM stack) | no | yes | no |
| Secure Boot | yes (Fedora keys) | yes (Fedora keys) | configurable | yes (Fedora keys) |
| LUKS2 with argon2id | default | optional | default | default (Anaconda) |
| Single-prompt install (LUKS only) | yes | no | no | rebase via Anaconda |
| Root account locked by default | yes | no | yes | yes |
| firewalld default zone = drop | yes | no | n/a (nftables) | yes |
| USBGuard default-block | yes | no | yes | yes |
| fail2ban + auditd OOTB | yes | no | partial | partial (auditd) |
| DNS-over-TLS by default | yes | no | yes | yes |
| NTS-authenticated NTP | yes | no | yes | yes |
| `init_on_alloc/free` (post-install) | yes (planned re-enable) | no | yes | yes |
| Telemetry / phone-home | none | minimal | none | none |
| KDE Plasma branded theme | yes (black) | Breeze | n/a (XFCE) | upstream Kinoite |
| Power-profile CLI | yes (3-mode) | partial | no | no |
| Hardened browser (Trivalent / Mullvad) | yes (v0.6+) | no | no | yes (Trivalent shipped) |
| Atomic OCI image + signed base | v0.7 spike (BlueBuild) | no | no | yes (`bootc`) |
| Userns-remap default + module sig enforce | yes | no | partial | yes |
| Base distro | Fedora 43 (KDE) | Fedora 43 | Debian | Fedora atomic (Kinoite/Silverblue) |
veilor-os is **not** trying to compete with Whonix-style anonymity or
Qubes-style isolation. It is a **hardened daily-driver desktop** — fast,
clean, locked down, with no manual post-install hardening required.
### Credit & relationship to secureblue
[secureblue](https://github.com/secureblue/secureblue) (AGPLv3) is an
upstream hardened atomic Fedora build that already solves a long list
of problems we'd otherwise reinvent: Trivalent (hardened Chromium),
custom SELinux policy, sysctl hardening, `module.sig_enforce=1`,
USBGuard defaults, libpam-pwquality config, kernel cmdline hardening,
and a full BlueBuild OCI pipeline with cosign-signed releases. The v0.7
veilor-os spike layers on top of secureblue's
`securecore-kinoite-hardened-userns` image rather than re-deriving the
same hardening from scratch.
Where veilor-os differs is the path, not the destination: a
kickstart-installed flat install for v0.5.x (operator-friendly LUKS
flow, single-prompt install), a hybrid kickstart-bootstrap +
secureblue-OCI image at v0.7, and a fully OCI/`bootc upgrade` path at
v1.0. Branding, theming, the gum installer, the 3-mode power CLI, and
the Forgejo-hosted CI/release plumbing are veilor's own work.
If a chunk of secureblue code, config, or policy ends up in veilor-os
verbatim or near-verbatim, the file carries an upstream-attribution
header and the LICENSE file in this repo records the AGPLv3 obligation
on those files. Anything we ship under MIT is original to this repo.
Thanks to the secureblue maintainers — without their public work the
v0.7 path would be a year of duplicate effort.
---
## Repo layout