From 6d772354521803d9e8e26a246bfddc5e1f83fe54 Mon Sep 17 00:00:00 2001 From: claude-veilor-bot <279801990+s8n-ru@users.noreply.github.com> Date: Wed, 6 May 2026 15:38:35 +0100 Subject: [PATCH] docs(README): tone down secureblue credit (no code lifted yet) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We layer on their OCI image as v0.7 base; we don't redistribute their source. Drop the AGPLv3-attribution prose — that becomes relevant only if/when we ship a verbatim chunk of their config/policy in our repo. Co-Authored-By: Claude Opus 4.7 --- README.md | 37 ++++++++++++++----------------------- 1 file changed, 14 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index b1f41f0..7e01b91 100644 --- a/README.md +++ b/README.md 
@@ -142,31 +142,22 @@ veilor-os is **not** trying to compete with Whonix-style anonymity or Qubes-style isolation. It is a **hardened daily-driver desktop** — fast, clean, locked down, with no manual post-install hardening required. -### Credit & relationship to secureblue +### Relationship to secureblue -[secureblue](https://github.com/secureblue/secureblue) (AGPLv3) is an -upstream hardened atomic Fedora build that already solves a long list -of problems we'd otherwise reinvent: Trivalent (hardened Chromium), -custom SELinux policy, sysctl hardening, `module.sig_enforce=1`, -USBGuard defaults, libpam-pwquality config, kernel cmdline hardening, -and a full BlueBuild OCI pipeline with cosign-signed releases. The v0.7 -veilor-os spike layers on top of secureblue's -`securecore-kinoite-hardened-userns` image rather than re-deriving the -same hardening from scratch. +[secureblue](https://github.com/secureblue/secureblue) is an upstream +hardened atomic Fedora project we benchmark against and plan to **build +on top of** at v0.7. The v0.7 BlueBuild spike uses their +`securecore-kinoite-hardened-userns` OCI image as its base — we don't +ship their source code in this repo, we layer veilor branding, +theming, the gum installer, and the kickstart bootstrap on top of +their already-signed image. -Where veilor-os differs is the path, not the destination: a -kickstart-installed flat install for v0.5.x (operator-friendly LUKS -flow, single-prompt install), a hybrid kickstart-bootstrap + -secureblue-OCI image at v0.7, and a fully OCI/`bootc upgrade` path at -v1.0. Branding, theming, the gum installer, the 3-mode power CLI, and -the Forgejo-hosted CI/release plumbing are veilor's own work. - -If a chunk of secureblue code, config, or policy ends up in veilor-os -verbatim or near-verbatim, the file carries an upstream-attribution -header and the LICENSE file in this repo records the AGPLv3 obligation -on those files. Anything we ship under MIT is original to this repo. 
-Thanks to the secureblue maintainers — without their public work the -v0.7 path would be a year of duplicate effort. +Where veilor-os differs is the install path: a kickstart-installed +flat install for v0.5.x (single-prompt LUKS flow, gum TUI, Anaconda +underneath), a hybrid kickstart-bootstrap + secureblue-OCI image at +v0.7, and a fully OCI / `bootc upgrade` path at v1.0. Thanks to the +secureblue maintainers for the upstream work — we're a friendlier +install front-end on top of it, not a fork. ---
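Review bot: The rewritten first paragraph under "### Relationship to secureblue" reduces the base image's provenance to "their already-signed image" and drops the removed lines that named what is inherited from it (`module.sig_enforce=1`, custom SELinux policy, sysctl and kernel cmdline hardening, USBGuard defaults, cosign-signed releases). The unchanged context above still promises "no manual post-install hardening required", so readers need to know which controls come from the `securecore-kinoite-hardened-userns` base and how its signature is checked. Suggest keeping a short list of the inherited hardening and the fact that upstream releases are cosign-signed, and, if the v0.7 build verifies that signature, naming the step that does it. Separately, the hunk deletes both the "(AGPLv3)" tag and the paragraph on upstream-attribution headers, while the commit message says the obligation becomes relevant "if/when" a verbatim chunk is shipped. A one-line note on the upstream license would keep that trigger visible to contributors. The new closing paragraph also no longer lists the 3-mode power CLI or the Forgejo-hosted CI/release plumbing as veilor's own work; please confirm that omission is intended.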