From dac69f2edc3b8a4300cfc159e605b14267311e7d Mon Sep 17 00:00:00 2001 From: claude-veilor-bot <279801990+s8n-ru@users.noreply.github.com> Date: Wed, 6 May 2026 15:32:22 +0100 Subject: [PATCH] docs(README): add secureblue column + upstream credit section secureblue (AGPLv3) is the upstream hardened atomic Fedora that the v0.7 BlueBuild spike layers on top of. Comparison table now includes secureblue alongside Kicksecure + stock Fedora KDE. New "Credit & relationship to secureblue" section spells out where their work already solves problems we don't need to reinvent (Trivalent, SELinux policy, kernel cmdline, signed OCI), how veilor-os differs (kickstart install path + branding + Forgejo CI), and the AGPLv3 attribution rule for any code we lift verbatim. Co-Authored-By: Claude Opus 4.7 --- README.md | 66 +++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 47 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index a14f43f..b1f41f0 100644 --- a/README.md +++ b/README.md 
@@ -116,30 +116,58 @@ Full reference: [docs/HARDENING.md](docs/HARDENING.md). ## How veilor-os compares -| Feature | veilor-os | Stock Fedora KDE | Kicksecure | -|---|:-:|:-:|:-:| -| SELinux enforcing OOTB | yes | yes | yes | -| AppArmor | planned (v0.5) | no | yes | -| Secure Boot | yes (Fedora keys) | yes (Fedora keys) | configurable | -| LUKS2 with argon2id | default | optional | default | -| Single-prompt install (LUKS only) | yes | no | no | -| Root account locked by default | yes | no | yes | -| firewalld default zone = drop | yes | no | n/a (uses nftables) | -| USBGuard default-block | yes | no | yes | -| fail2ban + auditd OOTB | yes | no | partial | -| DNS-over-TLS by default | yes | no | yes | -| NTS-authenticated NTP | yes | no | yes | -| `init_on_alloc/free` (post-install) | yes (planned re-enable) | no | yes | -| Telemetry / phone-home | none | minimal | none | -| KDE Plasma branded theme | yes (black) | Breeze | n/a (XFCE) | -| Power-profile CLI | yes (3-mode) | partial | no | -| Reproducible kickstart-built ISO | yes | yes | yes (from Debian) | -| Base distro | Fedora 43 | Fedora 43 | Debian | +| Feature | veilor-os | Stock Fedora KDE | Kicksecure | secureblue | +|---|:-:|:-:|:-:|:-:| +| SELinux enforcing OOTB | yes | yes | yes | yes (custom policy) | +| AppArmor | deferred (post-v0.6 / v0.7 LSM stack) | no | yes | no | +| Secure Boot | yes (Fedora keys) | yes (Fedora keys) | configurable | yes (Fedora keys) | +| LUKS2 with argon2id | default | optional | default | default (Anaconda) | +| Single-prompt install (LUKS only) | yes | no | no | rebase via Anaconda | +| Root account locked by default | yes | no | yes | yes | +| firewalld default zone = drop | yes | no | n/a (nftables) | yes | +| USBGuard default-block | yes | no | yes | yes | +| fail2ban + auditd OOTB | yes | no | partial | partial (auditd) | +| DNS-over-TLS by default | yes | no | yes | yes | +| NTS-authenticated NTP | yes | no | yes | yes | +| `init_on_alloc/free` (post-install) | yes 
(planned re-enable) | no | yes | yes | +| Telemetry / phone-home | none | minimal | none | none | +| KDE Plasma branded theme | yes (black) | Breeze | n/a (XFCE) | upstream Kinoite | +| Power-profile CLI | yes (3-mode) | partial | no | no | +| Hardened browser (Trivalent / Mullvad) | yes (v0.6+) | no | no | yes (Trivalent shipped) | +| Atomic OCI image + signed base | v0.7 spike (BlueBuild) | no | no | yes (`bootc`) | +| Userns-remap default + module sig enforce | yes | no | partial | yes | +| Base distro | Fedora 43 (KDE) | Fedora 43 | Debian | Fedora atomic (Kinoite/Silverblue) | veilor-os is **not** trying to compete with Whonix-style anonymity or Qubes-style isolation. It is a **hardened daily-driver desktop** — fast, clean, locked down, with no manual post-install hardening required. +### Credit & relationship to secureblue + +[secureblue](https://github.com/secureblue/secureblue) (AGPLv3) is an +upstream hardened atomic Fedora build that already solves a long list +of problems we'd otherwise reinvent: Trivalent (hardened Chromium), +custom SELinux policy, sysctl hardening, `module.sig_enforce=1`, +USBGuard defaults, libpam-pwquality config, kernel cmdline hardening, +and a full BlueBuild OCI pipeline with cosign-signed releases. The v0.7 +veilor-os spike layers on top of secureblue's +`securecore-kinoite-hardened-userns` image rather than re-deriving the +same hardening from scratch. + +Where veilor-os differs is the path, not the destination: a +kickstart-installed flat install for v0.5.x (operator-friendly LUKS +flow, single-prompt install), a hybrid kickstart-bootstrap + +secureblue-OCI image at v0.7, and a fully OCI/`bootc upgrade` path at +v1.0. Branding, theming, the gum installer, the 3-mode power CLI, and +the Forgejo-hosted CI/release plumbing are veilor's own work. 
+ +If a chunk of secureblue code, config, or policy ends up in veilor-os +verbatim or near-verbatim, the file carries an upstream-attribution +header and the LICENSE file in this repo records the AGPLv3 obligation +on those files. Anything we ship under MIT is original to this repo. +Thanks to the secureblue maintainers — without their public work the +v0.7 path would be a year of duplicate effort. + --- ## Repo layout
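Review bot: the AppArmor row in the table silently changes from "planned (v0.5)" to "deferred (post-v0.6 / v0.7 LSM stack)", and three new feature rows (hardened browser, atomic OCI image + signed base, userns-remap + module sig enforce) are added, none of which the commit subject or body mentions; either call these out in the message ("also reschedules AppArmor and adds three rows") or split them into their own commit so the table-column change stays reviewable on its own. Separately, the credit section states that "the LICENSE file in this repo records the AGPLv3 obligation on those files", but the diffstat shows only `README.md` changed (1 file changed, 47 insertions, 19 deletions), so the README now describes a LICENSE state that this patch does not create; include the LICENSE update in the same change or reword the sentence to say the obligation will be recorded there when the first verbatim file lands. Minor: the secureblue cell "rebase via Anaconda" in the "Single-prompt install (LUKS only)" row is a process description in a yes/no column; "n/a (rebase via Anaconda)" would match the style of the existing "n/a (nftables)" and "n/a (XFCE)" cells.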