Logs the full output of the 9-agent deep-dive run on 2026-05-05 to
docs/research/2026-05-05-agent-wave/. Pulls every actionable finding
into one indexed location so v0.5.32 planning has a paper trail.
Files:
docs/research/2026-05-05-agent-wave/README.md — index
docs/research/2026-05-05-agent-wave/01-...real-hardware.md — Plymouth + LUKS edge cases
docs/research/2026-05-05-agent-wave/02-...firstboot-ux.md — SDDM + first-boot UX
docs/research/2026-05-05-agent-wave/03-...spike-plan.md — bootc-image-builder 1-week spike
docs/research/2026-05-05-agent-wave/04-...tier-2.md — AppArmor + nftables + audit + homed
docs/research/2026-05-05-agent-wave/05-...launch.md — threat model + v0.7 launch checklist
docs/research/2026-05-05-agent-wave/06-...log-capture.md — virtio-9p host-share for anaconda logs
docs/research/2026-05-05-agent-wave/07-...skel-branding.md — /etc/skel gap audit
docs/research/2026-05-05-agent-wave/08-...ci-hardening.md — SHA-pin actions + SBOM + SLSA L3
docs/research/2026-05-05-agent-wave/09-...failure-modes.md — real-hardware pessimistic audit
Plus the prior linter-applied:
docs/ROADMAP.md — Lessons learned section, v0.5.32 active block,
v0.6 promotion of veilor-postinstall + veilor-doctor,
v0.7 bootc spike scheduled
docs/THREAT-MODEL.md — drafted by Agent 5; in/out scope, comparison
matrix, v0.7 launch checklist
Top blockers identified for v0.5.32 (cross-cited in README):
1. Suspend/resume wifi death (kernel.modules_disabled=1)
2. veilor-firstboot.service WantedBy=graphical.target
3. kernel-upgrade grub drift
4. USBGuard hash-rules problem (already learned on onyx)
5. firewalld blocks tailscale0
6. /etc/skel/ empty
7. virtio-9p log capture replaces broken virtio-serial path
Wave + verifier pattern (per ROADMAP lessons learned #4) validated:
9 parallel agents on distinct topics produced converging blocker
list. The same pattern landed v0.5.31 four-bug fix from the prior
4-agent verification wave on v0.5.30 outcome.
Threat model + public launch prep
Agent 5 of 9-agent wave, 2026-05-05.
Deliverable
Threat model written to docs/THREAT-MODEL.md (1492 words). Slots
into docs/ROADMAP.md v0.7 line item "Threat model published —
honest scope".
Structure
- In-scope adversaries (9 rows): lost laptop, browser RCE, USB attacks, SSH brute-force, forensics, supply chain, LPE, network surface, time MITM. Each maps to a specific veilor mitigation (LUKS2 argon2id mem=1GB, SELinux + veilor-systemdpolicy, USBGuard, fail2ban+firewalld, auditd, NTS chrony, etc.).
- Out-of-scope adversaries (9 rows): firmware implants, evil-maid on running system, hardware keylogger, session-level RCE (KDE not sandboxed), AES side-channels, TPM2 physical attacks, traffic correlation, TOFU MITM, sustained physical access. Each row points to the right tool instead (Heads, Qubes, Tails).
- Hardening tradeoffs (6 honest costs):
  - SELinux app-compat
  - Slow LUKS boot
  - USBGuard friction
  - Module lockdown breaking NVIDIA prop / VBox
  - Drop-zone breaking KDE Connect / mDNS
  - No PackageKit
- Like Tails/Whonix/Qubes: published threat model, default-deny firewall, encrypted at rest.
- Differs from them: daily-driver vs session-only; single-VM vs Qubes compartmentalisation; persistent identity vs Tails amnesia.
- Comparison matrix: 10-axis × 6-distro grid (veilor-os / stock Fedora KDE / Kicksecure / Tails / Qubes / secureblue) covering encryption, MAC, firewall, USB, per-app isolation, anonymity, daily-driver fit, signed releases, threat-model publication, hardware compat.
- v0.7 launch checklist (9 items):
  - Threat model finalised
  - GPG signing (v0.4 dep)
  - mkdocs-material on veilor.org
  - Comparison + benchmarks
  - Press kit
  - "What veilor-os is not" preempt page (covers "why not Qubes/Tails/Fedora?")
  - r/linux + r/Fedora + HN posts
  - GitHub Release with ISO+sha256+.asc
  - Repo flip-public + DNS + Mastodon/Matrix/SimpleX announce
Tone
Matches repo voice — short paragraphs, no fluff, "honest scope" framing reused from roadmap. No emojis (per CLAUDE.md style).
See also
- docs/THREAT-MODEL.md (full document)
- docs/ROADMAP.md v0.7 section