docs(README): tone down secureblue credit (no code lifted yet)

We layer on their OCI image as v0.7 base; we don't redistribute their
source. Drop the AGPLv3-attribution prose — that becomes relevant only
if/when we ship a verbatim chunk of their config/policy in our repo.
obsidian-ai 2026-05-06 15:38:35 +01:00 committed by s8n
parent 97939d76f8
commit e17c04007d

@ -142,31 +142,22 @@ veilor-os is **not** trying to compete with Whonix-style anonymity or
Qubes-style isolation. It is a **hardened daily-driver desktop** — fast, Qubes-style isolation. It is a **hardened daily-driver desktop** — fast,
clean, locked down, with no manual post-install hardening required. clean, locked down, with no manual post-install hardening required.
### Credit & relationship to secureblue ### Relationship to secureblue
[secureblue](https://github.com/secureblue/secureblue) (AGPLv3) is an [secureblue](https://github.com/secureblue/secureblue) is an upstream
upstream hardened atomic Fedora build that already solves a long list hardened atomic Fedora project we benchmark against and plan to **build
of problems we'd otherwise reinvent: Trivalent (hardened Chromium), on top of** at v0.7. The v0.7 BlueBuild spike uses their
custom SELinux policy, sysctl hardening, `module.sig_enforce=1`, `securecore-kinoite-hardened-userns` OCI image as its base — we don't
USBGuard defaults, libpam-pwquality config, kernel cmdline hardening, ship their source code in this repo, we layer veilor branding,
and a full BlueBuild OCI pipeline with cosign-signed releases. The v0.7 theming, the gum installer, and the kickstart bootstrap on top of
veilor-os spike layers on top of secureblue's their already-signed image.
`securecore-kinoite-hardened-userns` image rather than re-deriving the
same hardening from scratch.
Where veilor-os differs is the path, not the destination: a Where veilor-os differs is the install path: a kickstart-installed
kickstart-installed flat install for v0.5.x (operator-friendly LUKS flat install for v0.5.x (single-prompt LUKS flow, gum TUI, Anaconda
flow, single-prompt install), a hybrid kickstart-bootstrap + underneath), a hybrid kickstart-bootstrap + secureblue-OCI image at
secureblue-OCI image at v0.7, and a fully OCI/`bootc upgrade` path at v0.7, and a fully OCI / `bootc upgrade` path at v1.0. Thanks to the
v1.0. Branding, theming, the gum installer, the 3-mode power CLI, and secureblue maintainers for the upstream work — we're a friendlier
the Forgejo-hosted CI/release plumbing are veilor's own work. install front-end on top of it, not a fork.
If a chunk of secureblue code, config, or policy ends up in veilor-os
verbatim or near-verbatim, the file carries an upstream-attribution
header and the LICENSE file in this repo records the AGPLv3 obligation
on those files. Anything we ship under MIT is original to this repo.
Thanks to the secureblue maintainers — without their public work the
v0.7 path would be a year of duplicate effort.
--- ---
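Review bot: In the new "Relationship to secureblue" paragraph, "on top of their already-signed image" relies on upstream signing, but the only mention of cosign-signed releases was in the paragraph this hunk removes, and nothing here says whether the veilor build verifies that signature before layering on `securecore-kinoite-hardened-userns`. Suggest either saying that the base image's signature is checked (and the base pinned by digest) in the v0.7 build, or softening the phrase to something the README can back up. Two smaller points in the same hunk: the secureblue link loses its "(AGPLv3)" tag, which is useful to readers regardless of whether code is lifted, and the removed sentence "Anything we ship under MIT is original to this repo." was a statement about this repo's own licensing rather than attribution prose, so consider keeping both. The new wording "we don't ship their source code in this repo" is scoped to the repo; it would help to say in one clause what that means for the published v0.7 image, which is built on their base.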