bluebuild: switch base to ghcr.io/secureblue/kinoite-main-hardened
Some checks failed
Build veilor-os OCI (BlueBuild) / Build + push OCI (push) Failing after 3m17s

The 'securecore-kinoite-hardened-userns' image we'd been targeting
does not exist in the secureblue org's package list. Their KDE
Plasma (Kinoite) hardened variant is published as
'kinoite-main-hardened' (or 'kinoite-nvidia-hardened' for NV boxes).
Switch the recipe + all doc references.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
claude-veilor-bot 2026-05-06 17:15:54 +01:00
parent f48e68c3c0
commit bcd6c5d87b
8 changed files with 13 additions and 13 deletions

@ -111,7 +111,7 @@ jobs:
else
echo "[WARN] GHCR_PULL_TOKEN secret empty; trying anonymous pull"
fi
podman pull ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest
podman pull ghcr.io/secureblue/kinoite-main-hardened:latest
- name: Build OCI image with BlueBuild CLI container
id: bluebuild
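Review bot: the `podman pull ghcr.io/secureblue/kinoite-main-hardened:latest` on the last changed line still pulls a floating tag with no signature check, so the job builds on whatever `latest` resolves to on the runner that day. Since the docs in this same commit describe the base as part of a cosign-signed image chain, verify the base before pulling (for example `cosign verify` against whatever key or identity secureblue publishes for that image, or a containers signature policy that requires it) and echo the resolved digest into the build log so a failing or bad build can be tied to an exact base. Also worth a comment in the step: the `[WARN]` branch falls through to an anonymous pull, which is fine for a public image but means a missing `GHCR_PULL_TOKEN` is silently tolerated rather than failing the job.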

@ -167,7 +167,7 @@ clean, locked down, with no manual post-install hardening required.
[secureblue](https://github.com/secureblue/secureblue) is an upstream
hardened atomic Fedora project we benchmark against and plan to **build
on top of** at v0.7. The v0.7 BlueBuild spike uses their
`securecore-kinoite-hardened-userns` OCI image as its base — we don't
`kinoite-main-hardened` OCI image as its base — we don't
ship their source code in this repo, we layer veilor branding,
theming, the gum installer, and the kickstart bootstrap on top of
their already-signed image.
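Review bot: "their already-signed image" on the last line invites a misreading: secureblue's signature covers their layer, not the image this recipe produces, so veilor-os needs its own signing step for the output (the ROADMAP hunks in this commit already promise cosign-signed `bootc upgrade`s). Suggest saying so here, e.g. "on top of their cosign-signed image; the resulting veilor-os image is signed separately". The opening sentence also still says "plan to build on top of at v0.7" while the ROADMAP hunk below declares the v0.7 BlueBuild OCI "the active mainline"; pick one tense.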

@ -18,7 +18,7 @@ bluebuild/
```
The recipe extends
`ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest`. We
`ghcr.io/secureblue/kinoite-main-hardened:latest`. We
inherit secureblue's hardening (sysctl + kargs + custom SELinux
policy + USBGuard + hardened-malloc + Unbound DoT + chronyd NTS +
Trivalent browser + cosign-signed image chain). On top, we layer:

@ -18,7 +18,7 @@ description: Hardened security-branded Fedora KDE on top of secureblue.
# Base image: secureblue's hardened Kinoite variant with userns sandboxing.
# That brings in: sysctl + kargs + custom SELinux policy + USBGuard +
# hardened-malloc + Unbound DoT + chronyd NTS + Trivalent browser.
base-image: ghcr.io/secureblue/securecore-kinoite-hardened-userns
base-image: ghcr.io/secureblue/kinoite-main-hardened
image-version: latest
modules:
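Review bot: the comment on the first line of this hunk still says "with userns sandboxing", which was taken from the `-userns` suffix of the old image name; the new base is `kinoite-main-hardened` and nothing in this commit shows that variant carries that property, so either confirm it and keep the clause or drop it. `image-version: latest` two lines below has the same reproducibility problem as the workflow pull: a floating tag means two builds of the same recipe can differ silently, so pin a digest or at least a dated tag and bump it deliberately.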

@ -126,7 +126,7 @@ bootc status
The image is built by `.github/workflows/build-bluebuild.yml` on the
self-hosted Forgejo runner (label `nullstone`). Build inputs:
- Base: `ghcr.io/secureblue/securecore-kinoite-hardened-userns`
- Base: `ghcr.io/secureblue/kinoite-main-hardened`
- Recipe: [`bluebuild/recipe.yml`](../bluebuild/recipe.yml)
- Veilor overlay: stamped via BlueBuild `type: files` modules
- Layered RPMs: `sudo`, `xorg-x11-server-Xwayland`, `mullvad-browser`,

@ -30,7 +30,7 @@
| Project | Role in veilor-os |
|---|---|
| Fedora 43 KDE | Base OS for v0.5.x kickstart-installed flat builds |
| [secureblue](https://github.com/secureblue/secureblue) | Upstream hardened atomic Fedora; v0.7 BlueBuild spike layers our overlay on top of `securecore-kinoite-hardened-userns` |
| [secureblue](https://github.com/secureblue/secureblue) | Upstream hardened atomic Fedora; v0.7 BlueBuild spike layers our overlay on top of `kinoite-main-hardened` |
| Kicksecure / Whonix | Reference for AppArmor + apt-transport-tor model (we don't ship Tor; we did read their docs) |
| Bluefin / Bazzite (uBlue) | Reference for BlueBuild recipe shape and OCI publishing pattern |
| Tails | Reference for live-only install model — explicitly **not** veilor's path |
@ -194,7 +194,7 @@ The repo carries more than just an ISO recipe:
| `scripts/selinux/veilor-systemd.te` | Custom SELinux module (targeted policy gap fixes) |
| `scripts/30-apply-v03-theme.sh` | Plymouth + SDDM + Konsole + wallpaper apply |
| `scripts/40-apparmor.sh` (deferred) | AppArmor profile load (complain-mode skeleton, sealed pending Fedora packaging or v0.7 secureblue) |
| `bluebuild/recipe.yml` | v0.7 OCI recipe (base = secureblue securecore-kinoite-hardened-userns) |
| `bluebuild/recipe.yml` | v0.7 OCI recipe (base = secureblue kinoite-main-hardened) |
| `kickstart/install-ostreecontainer.ks` | v0.7 install ks: 10 lines, just `ostreecontainer --url=ghcr.io/veilor-org/veilor-os:43 --transport=registry` |
| `assets/installer/{banner.txt,colors.gum}` | Pure-block VEILOR OS wordmark + branded gum colour palette |
| `assets/branding/` | Logo, wallpapers, plymouth theme assets |
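Review bot: the `ostreecontainer --url=ghcr.io/veilor-org/veilor-os:43 --transport=registry` line in the kickstart row, described as the whole of the 10-line kickstart, shows no signature verification for the install-time pull, while the ROADMAP rows in this commit promise that later `bootc upgrade`s are cosign-signed. The kickstart is the one step that puts the image on disk with no prior trust root on the machine, so document how that first pull is verified (a signature policy shipped with the installer, or the rationale if it is deliberately unverified).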

@ -252,7 +252,7 @@ ergonomic work and becomes the next ship target.
Scope:
- BlueBuild recipe (`bluebuild/recipe.yml`) layering on
`ghcr.io/secureblue/securecore-kinoite-hardened-userns`
`ghcr.io/secureblue/kinoite-main-hardened`
- `kickstart/install-ostreecontainer.ks` — 10-line kickstart that calls
`ostreecontainer --url=ghcr.io/veilor-org/veilor-os:43 --transport=registry`
and lets Anaconda's LUKS UX drive the install
@ -292,7 +292,7 @@ spike on `quay.io/fedora/fedora-bootc:43`. Research on 2026-05-05
`docs/research/2026-05-05-agent-wave/`), then a parent-operator
refinement same day, locked the path: **layer veilor's branding +
threat model + UX on top of secureblue's already-shipping
`securecore-kinoite-hardened-userns` OCI image** via a BlueBuild
`kinoite-main-hardened` OCI image** via a BlueBuild
recipe, and install it directly during the Anaconda pass via the
`ostreecontainer` kickstart directive (no first-boot rebase).

@ -12,7 +12,7 @@ Locked at: **v0.5.31 → v0.7 spike → v1.0**
works).
- Anaconda's `ostreecontainer` directive populates the root filesystem
directly from a **veilor-os OCI image** (built via BlueBuild on top
of secureblue's `securecore-kinoite-hardened-userns`) **during the
of secureblue's `kinoite-main-hardened`) **during the
install pass — no first-boot rebase, no mutable→atomic transition**.
- All future updates flow through `bootc upgrade` — atomic A/B,
instant rollback, cosign-signed.
@ -236,7 +236,7 @@ distro: **honest, scoped, public threat model**.
The Containerfile-from-scratch spike plan (Agent 3 of 2026-05-05
wave) is **superseded** by this hybrid: don't build a Containerfile
from scratch on `fedora-bootc:43`. Instead, write a BlueBuild recipe
on `securecore-kinoite-hardened-userns`. With `ostreecontainer`
on `kinoite-main-hardened`. With `ostreecontainer`
swap, spike compresses 1 week → 1 day.
## Next concrete steps
@ -254,7 +254,7 @@ in the v0.7 spike branch only.
### v0.7-spike (1 day, separate branch)
1. New repo dir: `bluebuild/recipe.yml`.
2. `from`: `ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest`.
2. `from`: `ghcr.io/secureblue/kinoite-main-hardened:latest`.
3. Override modules:
- `type: files` — stamp our `overlay/*` tree (branding, themes,
veilor scripts, sddm theme, plymouth theme).
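Review bot: step 2 says `from:` but the recipe in this commit uses `base-image:` plus `image-version:` (see the `bluebuild/recipe.yml` hunk). The ROADMAP step should match the key actually used, e.g. "2. `base-image`: `ghcr.io/secureblue/kinoite-main-hardened`, `image-version`: `latest`.", otherwise someone following these steps writes an unrecognized key.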
@ -350,7 +350,7 @@ The hybrid strategy locked at v0.5 is now in execution.
ROADMAP.md as historical reference.
- **v0.7 BlueBuild OCI is the active mainline.** The
`v0.7-bluebuild-spike` branch carries the BlueBuild recipe layered
on `ghcr.io/secureblue/securecore-kinoite-hardened-userns`, the
on `ghcr.io/secureblue/kinoite-main-hardened`, the
`ostreecontainer` kickstart bootstrap, and the new `bootc upgrade`-
driven update channel.
- **v0.6 ergonomic CLIs ported, not rewritten.** `veilor-update`