docs(README): tone down secureblue credit (no code lifted yet)
Some checks failed
Lint / Kickstart syntax (push) Failing after 2s
Lint / Shell scripts (push) Failing after 6s
Lint / No personal/onyx leaks (push) Failing after 3s

We layer on their OCI image as v0.7 base; we don't redistribute their
source. Drop the AGPLv3-attribution prose — that becomes relevant only
if/when we ship a verbatim chunk of their config/policy in our repo.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
claude-veilor-bot 2026-05-06 15:38:35 +01:00
parent 3391bb5f93
commit 6d77235452


@ -142,31 +142,22 @@ veilor-os is **not** trying to compete with Whonix-style anonymity or
Qubes-style isolation. It is a **hardened daily-driver desktop** — fast,
clean, locked down, with no manual post-install hardening required.
### Credit & relationship to secureblue
### Relationship to secureblue
[secureblue](https://github.com/secureblue/secureblue) (AGPLv3) is an
upstream hardened atomic Fedora build that already solves a long list
of problems we'd otherwise reinvent: Trivalent (hardened Chromium),
custom SELinux policy, sysctl hardening, `module.sig_enforce=1`,
USBGuard defaults, libpam-pwquality config, kernel cmdline hardening,
and a full BlueBuild OCI pipeline with cosign-signed releases. The v0.7
veilor-os spike layers on top of secureblue's
`securecore-kinoite-hardened-userns` image rather than re-deriving the
same hardening from scratch.
[secureblue](https://github.com/secureblue/secureblue) is an upstream
hardened atomic Fedora project we benchmark against and plan to **build
on top of** at v0.7. The v0.7 BlueBuild spike uses their
`securecore-kinoite-hardened-userns` OCI image as its base — we don't
ship their source code in this repo, we layer veilor branding,
theming, the gum installer, and the kickstart bootstrap on top of
their already-signed image.
Where veilor-os differs is the path, not the destination: a
kickstart-installed flat install for v0.5.x (operator-friendly LUKS
flow, single-prompt install), a hybrid kickstart-bootstrap +
secureblue-OCI image at v0.7, and a fully OCI/`bootc upgrade` path at
v1.0. Branding, theming, the gum installer, the 3-mode power CLI, and
the Forgejo-hosted CI/release plumbing are veilor's own work.
If a chunk of secureblue code, config, or policy ends up in veilor-os
verbatim or near-verbatim, the file carries an upstream-attribution
header and the LICENSE file in this repo records the AGPLv3 obligation
on those files. Anything we ship under MIT is original to this repo.
Thanks to the secureblue maintainers — without their public work the
v0.7 path would be a year of duplicate effort.
Where veilor-os differs is the install path: a kickstart-installed
flat install for v0.5.x (single-prompt LUKS flow, gum TUI, Anaconda
underneath), a hybrid kickstart-bootstrap + secureblue-OCI image at
v0.7, and a fully OCI / `bootc upgrade` path at v1.0. Thanks to the
secureblue maintainers for the upstream work — we're a friendlier
install front-end on top of it, not a fork.
---
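Review bot: The new "Relationship to secureblue" paragraph leans on "their already-signed image" as the trust anchor for the v0.7 base, but after this change the README no longer names the signing mechanism (the removed text said "cosign-signed releases") and never says whether the veilor build verifies that signature before layering on top. Suggest keeping the cosign mention and stating whether the v0.7 build checks the signature of `securecore-kinoite-hardened-userns`, since that is the first thing a reader of a hardened distro's README will look for. Separately, the link line drops "(AGPLv3)", which was the only place the base's license was stated; because the v0.7 image is built on top of their image rather than only benchmarked against it, consider keeping the license tag on the link even with the attribution paragraph removed.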