veilor-org/veilor-os

Fork 0

Commit graph

Author	SHA1	Message	Date
veilor-org	8c409d323b	docs: STRATEGY.md — hybrid kickstart bootstrap + bootc OCI on secureblue Locks in the strategic decision from 2026-05-05 secureblue research agent: pivot the technical base toward bootc/OCI, but as a layer over secureblue's `securecore-kinoite-hardened-userns` rather than a Containerfile-from-scratch. ## What changed - New: `docs/STRATEGY.md` — full hybrid plan (kickstart bootstrap → first-boot bootc rebase → bootc-only at v1.0). Documents secureblue rationale, our overrides (drop Trivalent, restore sudo + Xwayland), next concrete steps for v0.7 spike (BlueBuild recipe + GH Actions workflow + `veilor-firstboot-rebase` one-shot). - Updated: `docs/ROADMAP.md` v0.7 bootc-spike subsection — supersedes the Agent 3 Containerfile-from-scratch plan with the BlueBuild layering plan. Spike compresses 1 week → 2 days; hardening review inherited from 30 secureblue contributors. ## Why hybrid, not pure pivot - Anaconda's LUKS UX (single passphrase prompt + custom partitioning) is mature; bootc-image-builder's installer is not yet on par. Keep the kickstart as the bootstrap. - bootc upgrade gets us atomic A/B + signed image chain + instant rollback that we can't realistically build alone with our contributor count. - The kickstart work is not lost — it becomes the day-zero installer through v0.7. v1.0 deprecates it entirely once bootc-image-builder installer ISO matures. ## Why secureblue, not Athena (Arch) \| Axis \| secureblue \| Athena OS \| \|---\|---\|---\| \| Maintainers \| 30 \| 8 \| \| MAC enforcing OOB \| SELinux + custom policy \| AppArmor active, profiles mostly unconfined \| \| Atomic / immutable updates \| Yes (bootc/rpm-ostree) \| No (rolling) \| \| Threat model published \| No \| Yes \| \| MS-signed Secure Boot shim \| Yes (Fedora shim) \| Yes (with auto-MOK) \| Athena's only structural advantage is the published threat model. We're already drafting one (Agent 5 of 2026-05-05 wave) — we get that win regardless. secureblue's contributor count + atomic update infrastructure is the leverage. ## Strategic credibility win Publishing `docs/THREAT-MODEL.md` BEFORE the v0.7 launch positions veilor-os ahead of secureblue (no threat model) and Athena (has threat model but smaller contributor base) on the one axis that matters most. ## Open questions documented in STRATEGY.md - secureblue contribution acceptance for upstream patches (USBGuard id-based-rules fix, threat model framework) - Brave vs Mullvad-Browser pick for default browser - bootc rebase first-boot fallback if rebase fails - Fedora 44 transition timing follows secureblue's release tags	2026-05-05 15:05:59 +01:00

Author

SHA1

Message

Date

veilor-org

8c409d323b

docs: STRATEGY.md — hybrid kickstart bootstrap + bootc OCI on secureblue

Locks in the strategic decision from 2026-05-05 secureblue research
agent: pivot the technical base toward bootc/OCI, but as a layer over
secureblue's `securecore-kinoite-hardened-userns` rather than a
Containerfile-from-scratch.

## What changed

- New: `docs/STRATEGY.md` — full hybrid plan (kickstart bootstrap →
  first-boot bootc rebase → bootc-only at v1.0). Documents secureblue
  rationale, our overrides (drop Trivalent, restore sudo + Xwayland),
  next concrete steps for v0.7 spike (BlueBuild recipe + GH Actions
  workflow + `veilor-firstboot-rebase` one-shot).

- Updated: `docs/ROADMAP.md` v0.7 bootc-spike subsection — supersedes
  the Agent 3 Containerfile-from-scratch plan with the BlueBuild
  layering plan. Spike compresses 1 week → 2 days; hardening review
  inherited from 30 secureblue contributors.

## Why hybrid, not pure pivot

- Anaconda's LUKS UX (single passphrase prompt + custom
  partitioning) is mature; bootc-image-builder's installer is not yet
  on par. Keep the kickstart as the bootstrap.
- bootc upgrade gets us atomic A/B + signed image chain + instant
  rollback that we can't realistically build alone with our
  contributor count.
- The kickstart work is not lost — it becomes the day-zero installer
  through v0.7. v1.0 deprecates it entirely once bootc-image-builder
  installer ISO matures.

## Why secureblue, not Athena (Arch)

| Axis | secureblue | Athena OS |
|---|---|---|
| Maintainers | 30 | 8 |
| MAC enforcing OOB | SELinux + custom policy | AppArmor active, profiles mostly unconfined |
| Atomic / immutable updates | Yes (bootc/rpm-ostree) | No (rolling) |
| Threat model published | No | Yes |
| MS-signed Secure Boot shim | Yes (Fedora shim) | Yes (with auto-MOK) |

Athena's only structural advantage is the published threat model.
We're already drafting one (Agent 5 of 2026-05-05 wave) — we get
that win regardless. secureblue's contributor count + atomic update
infrastructure is the leverage.

## Strategic credibility win

Publishing `docs/THREAT-MODEL.md` BEFORE the v0.7 launch positions
veilor-os ahead of secureblue (no threat model) and Athena (has
threat model but smaller contributor base) on the one axis that
matters most.

## Open questions documented in STRATEGY.md

- secureblue contribution acceptance for upstream patches (USBGuard
  id-based-rules fix, threat model framework)
- Brave vs Mullvad-Browser pick for default browser
- bootc rebase first-boot fallback if rebase fails
- Fedora 44 transition timing follows secureblue's release tags

2026-05-05 15:05:59 +01:00

1 commit