From a7e7d6e10c833c2dacb99029a0d2a99c6963af18 Mon Sep 17 00:00:00 2001 From: s8n Date: Sat, 2 May 2026 03:42:39 +0100 Subject: [PATCH] docs: CHANGELOG v0.2.0-v0.2.5, README rewrite, ROADMAP, release notes update (#5) Co-authored-by: veilor-org --- CHANGELOG.md | 255 ++++++++++++++++++++++++++++++++++++++++++++++++ README.md | 165 +++++++++++++++++++++++++------ docs/ROADMAP.md | 173 ++++++++++++++++++++++++++++++++ 3 files changed, 562 insertions(+), 31 deletions(-) create mode 100644 CHANGELOG.md create mode 100644 docs/ROADMAP.md diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000..b0572fc --- /dev/null +++ b/CHANGELOG.md 
@@ -0,0 +1,255 @@ +# Changelog + +All notable changes to veilor-os are documented here. + +The format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), +and this project loosely follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html) +during the pre-1.0 phase. + +Each release section records the **bug found** and the **fix applied** so +future maintainers can see why a change exists, not just what it changes. + +## [Unreleased] + +### Planned + +- v0.3 polish — Plymouth black theme, SDDM theme, Konsole profile, + wallpaper SVG. Re-enable `init_on_alloc=1 init_on_free=1` post-install + via `veilor-firstboot` so live boot stays fast but installed system + keeps the memory hygiene. +- USBGuard auto-snapshot on first boot. +- veilor-firstboot UX improvements (cleaner banner, better error paths). + +--- + +## [0.2.5] — 2026-05-01 + +**Commit:** `8515bdb` + +### Fixed + +- **Live boot took 5+ minutes on KVM.** Dracut sat at the parse-livenet + stage for what looked like a hang. Root cause: `init_on_alloc=1` + and `init_on_free=1` zero every memory page on allocation and free. + In a virtualised guest with paravirtual memory, this multiplied the + early-boot cost by ~5x. Removed both flags from the *live* kernel + cmdline. + +### Notes + +- The two memory-hygiene flags will be re-added on the **installed** + system via `veilor-firstboot` in v0.3 — the cost on bare metal is + negligible, the live-ISO penalty is the only place it bites. +- Live cmdline retained: `lockdown=integrity slab_nomerge + randomize_kstack_offset=on vsyscall=none`. + +--- + +## [0.2.4] — 2026-05-01 + +**Commit:** `a23ce63` + +### Fixed + +- **VM booted but stalled at dracut "parse-livenet" looking for a label + that never matched.** Root cause: an upstream bug in + `livecd-tools` — `imgcreate/live.py::__get_efi_image_stanza()` writes + the EFI grub stanza as `root=live:LABEL=...` for dracut. 
Dracut on + live ISOs expects `live:CDLABEL=...` for ISO9660 volume labels; + `LABEL=` matches partition labels which a live ISO doesn't have. +- Patched `live.py` in-place inside the CI build container before + invoking `livecd-creator`. With the patched stanza, the VM booted + cleanly to the SDDM login prompt. + +### Changed + +- CI workflow now `sed`s the patch into the installed `live.py` and + asserts the patch landed before continuing the build. + +### Notes + +- Bug also affects `livemedia-creator --make-iso --no-virt` and any + other consumer of `imgcreate.LiveImageCreator`. Worth filing + upstream once we have a clean repro recipe. + +--- + +## [0.2.3] — 2026-05-01 + +**Commit:** `ef54a24` + +### Added + +- Manual `useradd admin` invocation in chroot `%post`. `livecd-creator` + does not run an installer phase, so the kickstart `user` directive + is silently ignored. Without this, the booted live system has no + admin account at all, and SDDM falls back to "no users" — login + impossible. + +### Fixed + +- **`/etc/os-release` was still pointing at stock Fedora.** Even with + the overlay tree successfully copied, `kde-theme-apply.sh` was + resolving `/etc/os-release.d/veilor` from the wrong path (the build + host's repo, not the overlay's installed location). +- Rewired the symlink chain cleanly: `/etc/os-release → + ../usr/lib/os-release`, with the override file written to + `/usr/lib/os-release` directly during `%post`. +- Branding now reflects veilor-os in `/etc/os-release`, + `hostnamectl`, and the SDDM session menu. + +### Notes + +- The `user --name=admin` directive stays in the kickstart for + documentation and for any future `livemedia-creator`-based + installer ISO that *does* honour it. 
+ +--- + +## [0.2.2] — 2026-05-01 + +**Commit:** `3408841` + +### Fixed + +- **Overlay was partially copied — boot worked but veilor-power, KDE + theme, custom scripts were all missing.** Found via offline debugfs + inspection of the v0.2.1 rootfs: tuned profiles, sshd hardening, + sudoers entries, and systemd units were present, but + `/usr/share/veilor-os/{assets,scripts}` was empty. +- Root cause: `%post --nochroot` ran with `set -eu`. When the first + `cp` of a non-essential overlay file returned non-zero, the script + aborted, leaving the assets/scripts copy step un-executed. None of + the chroot `%post` scripts could then find what they needed and they + silently no-op'd. + +### Changed + +- `%post --nochroot` now uses `set +e` around `cp`/`mkdir` so a + partial-permissions error on one tree doesn't kill the whole copy. +- Added `/var/log/veilor-nochroot.log` — every action in + `%post --nochroot` now traces with timestamps. Future debugging is + one `journalctl --boot` away. + +### Notes + +- The looser error handling is intentional but bounded — only the + overlay copy uses `set +e`. Hardening scripts that follow run with + strict mode. + +--- + +## [0.2.1] — 2026-05-01 + +**Commit:** `9c6136f` + +### Fixed + +- **ISO booted, but it was effectively bare Fedora KDE.** No + hardening, no theme, no `veilor-power`, no `/etc/os-release` + override. Confirmed by mounting v0.2.0 with debugfs: + `/etc/os-release` symlinked to `../usr/lib/os-release` (Fedora's + default), no `/usr/share/veilor-os`, no overlay files anywhere. +- Root cause: `%post --nochroot` hardcoded `/mnt/sysimage` as the + destination. `/mnt/sysimage` is the **livemedia-creator** install + root. We had switched the build pipeline to **livecd-creator**, + which exposes the destination as `$INSTALL_ROOT` — a different path + inside its tmpfs sandbox. +- Switched the copy target to `$INSTALL_ROOT`. 
+ +### Notes + +- Partial overlay landed in v0.2.1 (tuned, sshd, sddm.conf) — but + `/usr/share/veilor-os/{assets,scripts}` was still missing because + `set -eu` aborted partway through the cp tree. That fix is in v0.2.2. +- Lesson learned: tooling-specific environment variables matter. + `$INSTALL_ROOT` is the portable answer; `/mnt/sysimage` is a + livemedia-creator-only convention. + +--- + +## [0.2.0] — 2026-04-30 + +**Commit:** `7c4a94d` (tagged release) + +### Added + +- First green ISO. Reproducible build pipeline lands. +- GitHub Actions workflow `build-iso.yml` produces a UEFI+BIOS-bootable + live ISO from `kickstart/veilor-os.ks`. +- CI: kickstart syntax linting (`ksvalidator`) gate. +- Kickstart based on Fedora 43, KDE Plasma minimal, hardening + packages selected (`fail2ban`, `usbguard`, `tuned`, `audit`, + `firewalld`). +- Overlay tree authored: tuned profiles, sshd hardening, sysctl + drop-in, sudoers, udev rules, KDE theme assets, Fira Code font. +- 3-mode power profiles: `veilor-power save | mid | perf` with + AC/battery udev auto-switching. + +### Notes — known limitations of v0.2.0 + +- **The overlay never actually applied to the installed system.** + The `%post --nochroot` copy step targeted `/mnt/sysimage` + (livemedia-creator's install root) but the build pipeline had moved + to livecd-creator, which uses `$INSTALL_ROOT`. Result: the ISO + *boots* and presents a working KDE Plasma desktop, but it is in + practice **stock Fedora 43 KDE** with no veilor-os hardening, + branding, theme, or power scripts applied. +- v0.2.0 is best understood as a **build-pipeline milestone** — the + ISO format, EFI/BIOS bootability, partitioning, and squashfs build + all work end-to-end. The userspace customisation layer was wired + but not delivering. Treat v0.2.0 as proof-of-build, not as a + feature-complete release. +- See **v0.2.5** for the first feature-complete ISO that actually + ships veilor-os hardening and branding into the running system. 
+ +### Build pipeline path to green + +For posterity, the issues resolved between v0.1 (scaffold) and v0.2.0 +(first green ISO): + +- pcre2 / selinux-policy version skew on stock Fedora 43 base — + worked around with a pinned `fix-repo` for the local build only; + CI uses `dnf upgrade --refresh` to sidestep entirely. +- KDE Plasma hard-deps (cups, geoclue2, ModemManager, PackageKit) — + kept at the package level, masked at the daemon level. +- `%post --nochroot` source path — multi-path detection added so the + overlay can be sourced from `/work` (CI) or `/run/install/repo` + (virt) or kickstart-relative (no-virt). +- `livemedia-creator --make-iso --no-virt` produced a squashfs but + no EFI/BOOT image. Switched to `livecd-creator` (`livecd-tools`) + which is purpose-built for live ISOs and handles EFI grafting. +- Tmpdir on `/tmp` exhausted the GitHub Actions tmpfs cap (16GB + vs ~30GB working set). Moved to `/var/lmc` on the runner's host + ext4. + +--- + +## [0.1.0] — 2026-04-29 + +**Commit:** `1822005` + +### Added + +- Initial repo scaffold: `kickstart/`, `build/`, `overlay/`, `scripts/`, + `assets/`, `docs/`, `test/`. +- Kickstart skeleton (Fedora 43 KDE base, single-prompt LUKS install, + hardened bootloader cmdline, locked root, blank-password admin with + `chage -d 0` to force first-boot reset). +- Hardening scripts ported and rebranded from operator's reference + system: base hardening, kernel hardening, custom SELinux policy + module `veilor-systemd`. +- KDE theme: BreezeBlackPure base + grey accent (`#686B6F`). +- Fira Code chosen as system font (Fedora `fira-code-fonts`, + SIL OFL 1.1). +- Test harness: VM runner (`test/run-vm.sh`) with QEMU + OVMF for + fast iteration, with `SECBOOT=1` and `FRESH=1` modes. +- Documentation: `BUILD.md`, `INSTALL.md`, `HARDENING.md`, + `POWER.md`, `boot-checklist.md`. + +### Notes + +- v0.1 was scaffold-only — no green ISO yet. Build pipeline iterated + through ~22 distinct toolchain issues before producing v0.2.0. 
+- All `onyx` references stripped from shipped artifacts; comments + refer to "reference system" only. diff --git a/README.md b/README.md index 8af6fa0..32d747a 100644 --- a/README.md +++ b/README.md 
@@ -1,49 +1,152 @@ # veilor-os -> Hardened minimal Fedora KDE remix. Black-on-black. Locked down by default. +> **Hardened minimal Fedora KDE spin. Black-on-black. Locked down by default.** -veilor-os is a Fedora 43 KDE spin built for operators who want a clean, fast, -opinionated desktop with serious hardening already in place. No prompts at -install beyond the LUKS passphrase. Boot, set admin password, work. +[![Build veilor-os ISO](https://github.com/veilor-org/veilor-os/actions/workflows/build-iso.yml/badge.svg)](https://github.com/veilor-org/veilor-os/actions/workflows/build-iso.yml) +[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE) +[![Status: pre-release](https://img.shields.io/badge/status-pre--release_v0.2.5-orange)](CHANGELOG.md) -## Highlights +veilor-os is a Fedora 43 KDE Plasma remix for operators who want a clean, +fast, opinionated desktop with serious hardening already wired in. Boot the +ISO, set an admin password, work. No installer wizard. No initial-setup +screen. No telemetry. No "would you like to enable X" prompts. -- **Single-prompt install** — only LUKS passphrase. No account wizard, no - initial-setup screen. `admin` account is created automatically; password - is set on first boot. -- **Hardened by default** — SELinux enforcing, USBGuard, fail2ban, firewalld - drop zone, kernel sysctl lockdown, NTS-authenticated NTP, DNS-over-TLS. -- **3-mode power management** — `veilor-power save | mid | perf`, with - AC/battery auto-switching via udev. Backed by tuned profiles. -- **Fira Code system font** — programming ligatures, monospace - consistency across UI + terminal. (DuckSans planned for v0.3.) -- **Pure-black KDE color scheme** — `veilor-black` theme system-wide. -- **LUKS2 + Secure Boot** — argon2id, aes-xts, btrfs subvolumes, zram swap - (no disk swap, no cold-boot leak). -- **Reproducible build** — kickstart + podman + livemedia-creator. ISO - output is deterministic given pinned base. 
+--- + +## Status + +**Pre-release `v0.2.5`** — first feature-complete ISO that actually applies +the veilor-os overlay to the installed system. The build pipeline is green +on CI; the live ISO boots to KDE on KVM and bare metal. See +[CHANGELOG.md](CHANGELOG.md) for the full v0.2.0 → v0.2.5 story (it is +worth reading — five real bugs caught and documented). + +What is **done**: hardening (SELinux, sysctl, USBGuard, fail2ban, +firewalld), KDE black theme, Fira Code system font, 3-mode power +management, single-prompt LUKS install, first-boot admin password flow, +reproducible CI build, EFI+BIOS bootable live ISO. + +What is **planned** (see [docs/ROADMAP.md](docs/ROADMAP.md)): Plymouth +black theme, SDDM theme, signed ISOs (own MOK + GPG), AppArmor + nftables, +veilor-update / veilor-doctor helpers, public docs site. + +--- + +## Quick install + +```bash +# 1. Download the ISO (after public release; CI artifact for now) +sha256sum -c veilor-os-43-*.iso.sha256 + +# 2. Flash to USB. Replace /dev/sdX with your USB device — triple-check. +sudo dd if=veilor-os-43-*.iso of=/dev/sdX bs=4M status=progress conv=fsync +sync + +# 3. Boot from USB, pick "Install veilor-os" from the menu. +# 4. Set a strong LUKS passphrase — the only prompt during install. +# 5. Reboot, remove USB. +# 6. On first boot: TTY prompts for an admin password (≥14 chars, mixed case, +# digit, symbol). Once accepted, SDDM starts. Log in as `admin`. +``` + +Full install + first-boot walkthrough: [docs/INSTALL.md](docs/INSTALL.md). + +--- + +## What veilor-os ships + +| Layer | Hardening | +|-------|-----------| +| Boot | Secure Boot, `lockdown=integrity`, `slab_nomerge`, `randomize_kstack_offset=on`, `vsyscall=none`. LUKS2 (aes-xts-plain64, argon2id, mem=1GB). zram swap (no disk swap, no cold-boot leak). | +| Kernel | Locked sysctls: ptrace=2, kptr_restrict=2, dmesg_restrict=1, perf_event_paranoid=3, BPF JIT hardening, full ASLR, no SUID core dumps. 
| +| MAC | SELinux **enforcing**, targeted policy + custom `veilor-systemd` module. | +| Network | firewalld zone = `drop`, ssh only inbound. systemd-resolved with DNS-over-TLS (Cloudflare/Quad9 fallback), LLMNR off. NTS-authenticated chrony time. | +| SSH | password auth off, root login off, single `admin` user, X11 forwarding off, MaxAuthTries 3. | +| Auth | root **locked**, single `admin` user with sudo. pwquality minlen=14, 4 character classes. First-boot password forced via `chage -d 0`. | +| Audit | `auditd` rules covering passwd/shadow/sudoers/ssh/cron/sysctl/kernel modules and all privileged binaries. | +| IDS | `fail2ban` with sshd + pam-generic jails, journal backend, firewalld rich-rule action. | +| USB | `USBGuard` daemon, **default-block**, empty allowlist on first boot. | +| Services off | `abrt*`, `cups`, `geoclue`, `avahi-daemon`, `bluetooth`, `ModemManager`, `gssproxy`, `atd`, `pcscd`, `kdeconnectd`, `PackageKit`. | +| UX | KDE Plasma minimal, `BreezeBlackPure` colour scheme, Fira Code system font, `veilor-power save \| mid \| perf` with udev AC/battery auto-switch. | + +Full reference: [docs/HARDENING.md](docs/HARDENING.md). + +--- + +## 60-second tour — what's different from stock Fedora KDE + +- **No Anaconda Initial Setup** wizard after first boot. Single LUKS + passphrase prompt is the entire install interaction. Admin user is + pre-created; password is set once on TTY1, then SDDM starts. +- **Root is locked.** `passwd -S root` reports `L`. There is no `su -` + to root, ever. Use `sudo`. +- **No PackageKit, no Flatpak by default.** Updates happen with + `sudo dnf upgrade` on your terms, not in the background. +- **Default firewall zone is `drop`**, not `FedoraWorkstation`. The only + thing your machine answers is sshd on its assigned port. +- **USBGuard blocks every USB device by default.** First-boot procedure: + plug in everything you trust, run `usbguard generate-policy`, + done. 
+- **Black-on-black KDE.** Wallpaper, panel, Konsole all match. No "white + flash" anywhere in the session. +- **`veilor-power save | mid | perf`** swaps the full tuned profile, + CPU governor, EPP, battery threshold, and screen-dim policy in one + command. Wired to AC/battery udev events too — laptop drops to `save` + when unplugged automatically. + +--- + +## How veilor-os compares + +| Feature | veilor-os | Stock Fedora KDE | Kicksecure | +|---|:-:|:-:|:-:| +| SELinux enforcing OOTB | yes | yes | yes | +| AppArmor | planned (v0.5) | no | yes | +| Secure Boot | yes (Fedora keys) | yes (Fedora keys) | configurable | +| LUKS2 with argon2id | default | optional | default | +| Single-prompt install (LUKS only) | yes | no | no | +| Root account locked by default | yes | no | yes | +| firewalld default zone = drop | yes | no | n/a (uses nftables) | +| USBGuard default-block | yes | no | yes | +| fail2ban + auditd OOTB | yes | no | partial | +| DNS-over-TLS by default | yes | no | yes | +| NTS-authenticated NTP | yes | no | yes | +| `init_on_alloc/free` (post-install) | yes (planned re-enable) | no | yes | +| Telemetry / phone-home | none | minimal | none | +| KDE Plasma branded theme | yes (black) | Breeze | n/a (XFCE) | +| Power-profile CLI | yes (3-mode) | partial | no | +| Reproducible kickstart-built ISO | yes | yes | yes (from Debian) | +| Base distro | Fedora 43 | Fedora 43 | Debian | + +veilor-os is **not** trying to compete with Whonix-style anonymity or +Qubes-style isolation. It is a **hardened daily-driver desktop** — fast, +clean, locked down, with no manual post-install hardening required. 
+ +--- ## Repo layout ``` -kickstart/ veilor-os.ks full kickstart definition -build/ Containerfile + build-iso.sh reproducible ISO builder +kickstart/ veilor-os.ks full kickstart definition +build/ Containerfile + build-iso.sh reproducible ISO builder overlay/ files dropped into installed root via %post scripts/ hardening, SELinux policy, theme apply, firstboot -assets/ fonts, KDE color scheme, branding, plymouth theme -docs/ HARDENING / POWER / BUILD / INSTALL -test/ boot-checklist + findings log +assets/ fonts, KDE colour scheme, branding, plymouth (planned) +docs/ BUILD / INSTALL / HARDENING / POWER / ROADMAP +test/ boot-checklist + KVM runner +.github/ CI workflows + PR template + CODEOWNERS ``` -See `docs/BUILD.md` for build instructions, `docs/INSTALL.md` for install, -`docs/HARDENING.md` for what's locked down and why. +Build instructions: [docs/BUILD.md](docs/BUILD.md). +Roadmap: [docs/ROADMAP.md](docs/ROADMAP.md). +Contributing: [CONTRIBUTING.md](CONTRIBUTING.md). +Changelog: [CHANGELOG.md](CHANGELOG.md). -## Status - -Pre-release. v0.x. Repo private until first green ISO boots clean on test -hardware. +--- ## License MIT — see [LICENSE](LICENSE). Fira Code ships from Fedora's -`fira-code-fonts` package under SIL OFL 1.1. +`fira-code-fonts` package under SIL OFL 1.1. Fedora packages remain +under their respective licences. Kickstart, overlay, scripts, and +docs in this repo are MIT. diff --git a/docs/ROADMAP.md b/docs/ROADMAP.md new file mode 100644 index 0000000..89f0639 --- /dev/null +++ b/docs/ROADMAP.md 
@@ -0,0 +1,173 @@ +# Roadmap + +Versioned roadmap for veilor-os. Targets are intentionally short and +testable. No fluff. Items in earlier versions are blockers for later +ones unless explicitly noted. + +For the historical record of what landed in each release, see +[`../CHANGELOG.md`](../CHANGELOG.md). + +--- + +## v0.2 — green ISO + base hardening (DONE) + +Reproducible CI build pipeline. UEFI+BIOS bootable live ISO from a single +kickstart. Single-prompt LUKS install. First-boot admin password flow. +Full overlay applied (sysctl, sshd, sudoers, tuned profiles, KDE black +theme, Fira Code, branded `/etc/os-release`). SELinux enforcing. +firewalld drop zone. fail2ban + auditd + USBGuard active. The build +chased five real bugs (DEST hardcoded, `set -eu` killing `cp`, +os-release symlink, missing admin user, `LABEL=` vs `CDLABEL=` in +livecd-tools) before greening. + +Released `v0.2.5` on 2026-05-01. CI on every push to `main`. + +--- + +## v0.3 — UX polish (in progress) + +The visible polish layer that v0.2 deferred for build velocity. + +- **Plymouth black theme** — boot splash matching the desktop. No Fedora + drum, no white flash. `assets/plymouth/veilor/`. +- **SDDM theme** — black login background, single-user prompt with + `admin` pre-filled, no userlist. +- **Konsole profile** — black background, Fira Code, transparent panel + off (no compositor cost on resume). +- **Wallpaper SVG** — flat black with subtle veilor wordmark, 1080p + + 4K + ultrawide variants. +- **Re-enable memory hygiene on installed system.** v0.2.5 stripped + `init_on_alloc=1 init_on_free=1` from the *live* cmdline because they + 5x'd KVM boot time. Re-add post-install via `veilor-firstboot` so the + installed system gets the protection without the ISO penalty. +- **USBGuard auto-snapshot on first boot.** Currently the operator + runs `usbguard generate-policy` manually. 
v0.3 wires this into + `veilor-firstboot` after the password step (with a clear + "plug in trusted devices first" prompt). + +Target: this month. None of it is a kickstart change — pure overlay +work. + +--- + +## v0.4 — distribution + signing + +Get veilor-os to a state where the ISO is downloadable, verifiable, and +trusted by Secure Boot without user shenanigans. + +- **GPG-signed releases.** Tag → CI builds → CI signs ISO + sha256 with + veilor.org release key → GitHub Release artifact carries `.iso.asc`. +- **Reproducible builds.** Pin Fedora compose ID, lock package versions + via `dnf snapshot` or equivalent, document how to verify two builds + match. +- **Own MOK (Machine Owner Key) + sbsign for Secure Boot.** Currently + veilor-os relies on Fedora's signed shim chain. v0.4 ships our own + MOK, signs the kernel + initramfs at build time, optionally enrols + the MOK on first boot for users who want a cleaner trust path. +- **ISO download mirror** — static download page on veilor.org with + current + previous release, sha256, gpg signature. **Not** an RPM + mirror — veilor-os does not ship its own packages, only the spin + configuration. +- **Release process documented** — tagging, CI, signing, mirror sync + in `docs/RELEASE.md`. + +--- + +## v0.5 — hardening tier 2 + +Hardening that builds on v0.2's foundation. Each item is opt-in unless +specified — defaults stay sane for a daily driver. + +- **AppArmor profiles in addition to SELinux.** Stack-not-replace. + Targeted at the browser, the mail client, and anything that touches + attacker-controlled data. SELinux remains the primary MAC. +- **systemd-homed** — encrypted-per-user `~`, suspend-aware, key + unlocked at PAM login. Optional, opt-in via post-install helper. +- **nftables ruleset** alongside firewalld defaults. Default firewalld + policy stays drop; nftables provides advanced filtering for users + who want it. 
+- **Audit log shipping** — opt-in `auditd` -> remote syslog over TLS, + for users running a central log aggregator. +- **Installer kickstart split** — separate `veilor-os-install.ks` for + installer ISO (real LUKS partitioning, not the live-rootfs + simplification used in v0.2). Lets users install veilor-os as the + primary OS without going through the live boot first. +- **Audit baseline** — re-run the security audit (template in + `security/audit-template.md`) and target a lower risk score than v0.2. + +--- + +## v0.6 — ergonomics + +Smooth the operator experience so day-to-day work doesn't fight the +hardening. + +- **`veilor-update`** — wraps `dnf upgrade` with a pre-check (snapshot + available?), an auditd pause, and post-update sysctl/SELinux + validation. One command, no surprises. +- **`veilor-doctor`** — diagnostic helper. Walks the audit checklist + (`getenforce`, `mokutil --sb-state`, `firewall-cmd --get-default-zone`, + fail2ban status, USBGuard policy, sysctl drift) and reports what's + drifted from baseline. +- **Opt-in installer ISO** — flip from live-only to live + installer, + user picks at boot menu. Installer uses the v0.5 kickstart with full + LUKS + btrfs subvols + zram. +- **First-boot UX** — replace TTY password prompt with a small + Plymouth-rendered dialog. Less raw. +- **Bluetooth opt-in helper** — single command to enable + bring up + the daemon + add the user to the right group. Currently three + commands. + +--- + +## v0.7 — public flex + +Take veilor-os out of "private repo, contained audience" mode. + +- **Public docs site** — Hugo or mdBook on `veilor.org`, generated from + `docs/`. Single source of truth for INSTALL, HARDENING, BUILD, + ROADMAP, RELEASE, CONTRIBUTING. +- **Repo public** — flip GitHub visibility, announce. +- **Comparison + benchmarks** — published numbers vs stock Fedora KDE + on cold boot, idle RAM, idle network egress, suspend/resume time. 
+- **Threat model published** — what veilor-os defends against, what it + does not. Honest scope. +- **Press kit** — wallpapers, logo, screenshots, feature one-liner. + +--- + +## v1.0 — production + +The line where veilor-os is recommended for a non-author user as a +daily driver. + +- **Multi-arch.** x86_64 today; v1.0 ships aarch64 ISO too (laptops + on ARM are real now). Build matrix in CI. +- **LTS commitment** — major versions tied to Fedora's release cadence, + patch releases for security only, documented EOL per major. +- **Recovery ISO** — minimal rescue image with veilor tools (LUKS + unlock, btrfs scrub, sysctl reset, fail2ban unban) for "I cannot log + in to my system" days. +- **TPM2 integration** — sealed LUKS unlock against TPM2 PCRs (opt-in, + default stays password). Ships as helper script, not silent default. +- **Signed update channel** — beyond GPG-signed ISOs, a signed metadata + repo so `veilor-doctor` can detect available updates without trusting + Fedora's mirrorlists alone. + +--- + +## Stretch goals — not on the v0.x → v1.0 critical path + +These are spin variants that share veilor-os DNA but need their own +kickstart or build tool. They live on a separate track and do not +block v1.0. + +- **`veilor-server`** — no KDE, no GUI, hardened headless Fedora for + homelab / VPS. Same overlay, different package set. +- **`veilor-kiosk`** — single-app Plasma session, locked-down user, + read-only root. For dedicated-purpose machines. +- **`veilor-atomic`** — rpm-ostree / bootc-image-builder rebase. + Immutable root, transactional updates, atomic rollback. Different + build tool entirely (likely `bootc-image-builder`); all veilor + hardening would translate to a `Containerfile`. Schedule for after + v0.5+ once the standard spin is stable.
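Review bot: in the CHANGELOG hunk, the 0.2.2 "Changed" entry says the new `/var/log/veilor-nochroot.log` makes future debugging "one `journalctl --boot` away", but a plain file under `/var/log` is not part of the journal and `journalctl` will not show it; state how the log is actually read (for example `cat /var/log/veilor-nochroot.log` on the booted system) or have the script also write through `logger` so the claim holds. Related, the same entry relaxes `set -eu` to `set +e` around `cp`/`mkdir`, which is exactly the condition that let 0.2.1 ship a silently partial overlay that the chroot `%post` scripts then no-op'd on. The entry should record what now guards against a repeat, such as a check after the copy that `/usr/share/veilor-os/{assets,scripts}` are non-empty before the chroot scripts run, so a partial copy fails the build instead of producing another "effectively bare Fedora" ISO.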
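Review bot: in the README hunk, "Quick install" step 1 runs `sha256sum -c veilor-os-43-*.iso.sha256` but never says where the `.sha256` file comes from; if it is fetched from the same place as the ISO it only detects corruption, not substitution, and the ROADMAP in this same patch defers GPG-signed releases to v0.4. Add one line saying that, until v0.4, the checksum is an integrity check only and should be compared against the value shown on the CI run that produced the artifact. Also, "What is **done**" lists "reproducible CI build" while the roadmap's v0.4 lists "Reproducible builds" (pin compose ID, lock package versions, verify two builds match) as future work; "CI-built" is the accurate word here until that lands.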
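Review bot: in the ROADMAP hunk, the v0.5 item "AppArmor profiles in addition to SELinux. Stack-not-replace." is not achievable on current kernels: SELinux and AppArmor are both exclusive (major) LSMs and the kernel enables only one of them at a time, so they cannot be active together on the installed system. Either drop the item, scope it to a separate AppArmor-based variant, or reword it to what does stack alongside SELinux (Landlock, for example). Second, the v0.4 MOK item says sbsign "signs the kernel + initramfs at build time"; `sbsign` signs PE/COFF binaries, and a plain initramfs is a cpio archive that shim and GRUB do not verify, so this only holds if kernel and initramfs are bundled into a unified kernel image. State which design is meant. Third, "lock package versions via `dnf snapshot` or equivalent": name the real mechanism (a pinned compose repo, `dnf versionlock`, or a lockfile of NEVRAs), since `dnf snapshot` is not a subcommand I recognise. Style: "`auditd` -> remote syslog" uses an ASCII arrow where the rest of the document uses `→`.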