veilor-org 50a241a603 docs: STRATEGY.md — hybrid kickstart bootstrap + bootc OCI on secureblue

Locks in the strategic decision from 2026-05-05 secureblue research
agent: pivot the technical base toward bootc/OCI, but as a layer over
secureblue's `securecore-kinoite-hardened-userns` rather than a
Containerfile-from-scratch.

## What changed

- New: `docs/STRATEGY.md` — full hybrid plan (kickstart bootstrap →
  first-boot bootc rebase → bootc-only at v1.0). Documents secureblue
  rationale, our overrides (drop Trivalent, restore sudo + Xwayland),
  next concrete steps for v0.7 spike (BlueBuild recipe + GH Actions
  workflow + `veilor-firstboot-rebase` one-shot).

- Updated: `docs/ROADMAP.md` v0.7 bootc-spike subsection — supersedes
  the Agent 3 Containerfile-from-scratch plan with the BlueBuild
  layering plan. Spike compresses 1 week → 2 days; hardening review
  inherited from 30 secureblue contributors.

## Why hybrid, not pure pivot

- Anaconda's LUKS UX (single passphrase prompt + custom
  partitioning) is mature; bootc-image-builder's installer is not yet
  on par. Keep the kickstart as the bootstrap.
- bootc upgrade gets us atomic A/B + signed image chain + instant
  rollback that we can't realistically build alone with our
  contributor count.
- The kickstart work is not lost — it becomes the day-zero installer
  through v0.7. v1.0 deprecates it entirely once bootc-image-builder
  installer ISO matures.

## Why secureblue, not Athena (Arch)

| Axis | secureblue | Athena OS |
|---|---|---|
| Maintainers | 30 | 8 |
| MAC enforcing OOB | SELinux + custom policy | AppArmor active, profiles mostly unconfined |
| Atomic / immutable updates | Yes (bootc/rpm-ostree) | No (rolling) |
| Threat model published | No | Yes |
| MS-signed Secure Boot shim | Yes (Fedora shim) | Yes (with auto-MOK) |

Athena's only structural advantage is the published threat model.
We're already drafting one (Agent 5 of 2026-05-05 wave) — we get
that win regardless. secureblue's contributor count + atomic update
infrastructure is the leverage.

## Strategic credibility win

Publishing `docs/THREAT-MODEL.md` BEFORE the v0.7 launch positions
veilor-os ahead of secureblue (no threat model) and Athena (has
threat model but smaller contributor base) on the one axis that
matters most.

## Open questions documented in STRATEGY.md

- secureblue contribution acceptance for upstream patches (USBGuard
  id-based-rules fix, threat model framework)
- Brave vs Mullvad-Browser pick for default browser
- bootc rebase first-boot fallback if rebase fails
- Fedora 44 transition timing follows secureblue's release tags

2026-05-05 15:05:59 +01:00

5.9 KiB

Raw Blame History

veilor-os Strategy — Hybrid kickstart bootstrap + bootc OCI

Decision date: 2026-05-05 Locked at: v0.5.31 → v0.7 spike → v1.0

TL;DR

Keep the Anaconda-driven kickstart ISO as the bootstrap installer (LUKS UX is mature, single passphrase prompt, custom partitioning works).
On first boot, the installed system is automatically rebased to a veilor-os OCI image built via BlueBuild on top of secureblue's securecore-kinoite-hardened-userns.
All future updates flow through bootc upgrade — atomic A/B, instant rollback, cosign-signed.
The kickstart-driven mutable-root path is deprecated at v1.0; kept alive as fallback through v0.7.

Why hybrid, not pure pivot

Pure pivot to bootc-from-scratch (Agent 3's spike plan) was 1 week to first ISO. Pure pivot to layering on secureblue is 2 days to first ISO because the hardening work is already done. But both require throwing away the partitioning UX we already have working in Anaconda.

Hybrid:

Day-zero install: Anaconda kickstart + custom partitioning + LUKS prompt (what we have today). User experience = unchanged.
First boot, post-LUKS-unlock: bootc rebase ghcr.io/veilor/veilor-os:43 runs once; pulls the OCI image; next reboot lands in the veilor OCI tree.
Day-2: bootc upgrade cadence for everything from then on.

We keep what works, pivot the part that doesn't.

Why secureblue underneath

Question	Answer
Maintainers	secureblue: 30 contributors, 56 commits/5wks. veilor-os: solo.
Hardening surface	secureblue ships sysctl + kargs + SELinux + USBGuard + hardened-malloc + DoT — far more than we'd build alone.
Build pipeline	BlueBuild → cosign-signed OCI in GH Actions (`build-all.yml`, `trivy.yml`).
Update model	bootc upgrade with A/B + instant rollback + signed image chain.
Variants	`kinoite-hardened-userns` is the KDE+Wayland+SELinux variant we'd want.
License	Apache-2.0 (compatible with our MIT).

What we override in our recipe:

Browser: Trivalent (their fork) → Brave / Mullvad-Browser. Single-maintainer browser fork is unacceptable risk for daily-driver audience.
run0 instead of sudo: revert. Breaks too many workflows.
Xwayland disabled: revert. Some apps still need it.
veilor branding: theme, KDE color scheme, Plymouth, SDDM, font, os-release. All overlay/* ports verbatim from current repo.

Strategic credibility win

secureblue does NOT publish a threat model. Athena OS does, and it's their main differentiator. We've already drafted docs/THREAT-MODEL.md (Agent 5 of 2026-05-05 wave). Publishing that before the v0.7 launch positions veilor-os ahead of secureblue and Athena on the one axis that matters most for a security-branded distro: honest, scoped, public threat model.

Roadmap implications

Version	Status	Path
v0.5.31	shipped	Anaconda kickstart, mutable root
v0.5.32	active — top blockers from 9-agent wave	Anaconda kickstart
v0.5.x → v0.6	maintenance	Anaconda kickstart, ergonomics + UX polish
v0.7 spike	2-day BlueBuild prototype	First veilor OCI image extending secureblue-kinoite-hardened
v0.7 ship	ISO bootstraps install, first boot rebases to OCI	Hybrid path live
v1.0	bootc-only, kickstart deprecated	`bootc upgrade` for all updates

The bootc-image-builder spike plan (Agent 3) is superseded by this hybrid: don't build a Containerfile from scratch on fedora-bootc:43. Instead, write a BlueBuild recipe on securecore-kinoite-hardened-userns. Spike compresses 1 week → 2 days.

Next concrete steps

v0.5.32 — current (no strategy change)

Ship the 7 blockers from docs/research/2026-05-05-agent-wave/: suspend/resume wifi fix, firstboot WantedBy, USBGuard id-rules, firewalld tailscale0 zone, KMS modeset, /etc/skel branding, virtio-9p log capture.

v0.7-spike (2 days)

New repo dir: bluebuild/recipe.yml.
from: ghcr.io/secureblue/securecore-kinoite-hardened-userns:latest.
Override modules:
- type: files — stamp our overlay/* tree (branding, themes, veilor scripts, sddm theme, plymouth theme).
- type: rpm-ostree — install Brave + restore Xwayland.
- type: rpm-ostree — remove Trivalent.
- type: brand — PRETTY_NAME, GRUB_DISTRIBUTOR, distributor URL.
.github/workflows/build-bluebuild.yml — pull BlueBuild action, build + cosign sign + push to GHCR.
kickstart/install.ks — add a one-shot veilor-firstboot-rebase service that runs rpm-ostree rebase ghcr.io/veilor/veilor-os:43 then disables itself. User reboots once and is on the OCI image.

v1.0 — bootc-only

Drop kickstart/veilor-os.ks, drop livecd-creator workflow.
Keep installer-iso.toml for the bootstrap ISO (built via bootc-image-builder); the OCI image is the source of truth.
veilor-update becomes thin bootc upgrade --apply wrapper.

Open questions

Does secureblue accept upstream contributions? If yes, send our USBGuard id-based-rules fix and our threat model framework.
Brave vs Mullvad-Browser: Brave has telemetry concerns out of box; Mullvad-Browser is Tor-Browser-derived but not designed for daily-driver. Test both in spike.
Recovery flow when bootc rebase fails on first boot — need fallback to keep the kickstart-installed system bootable. Likely already handled by bootc's A/B; verify in spike.
Fedora 44 transition: secureblue tracks Fedora releases (current v4.9 on F44). If we follow, we get F44 for free at the same time upstream does.

5.9 KiB Raw Blame History