veilor-os/docs/ROADMAP.md
2026-05-02 03:42:39 +01:00

# Roadmap

Versioned roadmap for veilor-os. Targets are intentionally short and testable. No fluff. Items in earlier versions are blockers for later ones unless explicitly noted.

For the historical record of what landed in each release, see ../CHANGELOG.md.


## v0.2 — green ISO + base hardening (DONE)

Reproducible CI build pipeline. UEFI+BIOS bootable live ISO from a single kickstart. Single-prompt LUKS install. First-boot admin password flow. Full overlay applied (sysctl, sshd, sudoers, tuned profiles, KDE black theme, Fira Code, branded /etc/os-release). SELinux enforcing. firewalld drop zone. fail2ban + auditd + USBGuard active. The build chased five real bugs (DEST hardcoded, set -eu killing cp, os-release symlink, missing admin user, LABEL= vs CDLABEL= in livecd-tools) before greening.

Released v0.2.5 on 2026-05-01. CI on every push to main.


## v0.3 — UX polish (in progress)

The visible polish layer that v0.2 deferred for build velocity.

- Plymouth black theme — boot splash matching the desktop. No Fedora drum, no white flash. assets/plymouth/veilor/.
- SDDM theme — black login background, single-user prompt with admin pre-filled, no userlist.
- Konsole profile — black background, Fira Code, transparent panel off (no compositor cost on resume).
- Wallpaper SVG — flat black with subtle veilor wordmark, 1080p + 4K + ultrawide variants.
- Re-enable memory hygiene on installed system. v0.2.5 stripped init_on_alloc=1 init_on_free=1 from the live cmdline because they 5x'd KVM boot time. Re-add post-install via veilor-firstboot so the installed system gets the protection without the ISO penalty.
- USBGuard auto-snapshot on first boot. Currently the operator runs usbguard generate-policy manually. v0.3 wires this into veilor-firstboot after the password step (with a clear "plug in trusted devices first" prompt).

Target: this month. None of it is a kickstart change — pure overlay work.
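As an added example (not the project's veilor-firstboot, whose code is not on this page), here is how the two post-install steps above could be wired into a first-boot script on Fedora. The kernel-parameter check parses the cmdline as a string so it can be exercised without rebooting; the grubby invocation, the function names and the script name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the project's veilor-firstboot, whose code is not on this page):
# the two v0.3 post-install steps. Function names, the script name below and the
# grubby invocation are this example's assumptions.

set -u

# The parameters v0.2.5 dropped from the live ISO cmdline because of the KVM boot-time cost.
MEM_HYGIENE_ARGS="init_on_alloc=1 init_on_free=1"

# Print (space-separated) which of the parameters are not present with value 1 in the
# given kernel cmdline string. A parameter set to 0 counts as missing.
# Usage: missing_mem_hygiene "$(cat /proc/cmdline)"
missing_mem_hygiene() {
    cmdline="$1"
    missing=""
    for arg in $MEM_HYGIENE_ARGS; do
        case " $cmdline " in
            *" $arg "*) ;;                                   # present and correct
            *) missing="${missing:+$missing }$arg" ;;
        esac
    done
    printf '%s' "$missing"
}

# Persist the parameters into every installed boot entry. Both keys are removed before
# being re-added so an existing =0 setting is replaced rather than duplicated;
# --update-kernel=ALL covers the BLS entries Fedora uses.
apply_mem_hygiene() {
    missing=$(missing_mem_hygiene "$(cat /proc/cmdline)")
    if [ -z "$missing" ]; then
        echo "memory hygiene: already active on the running kernel"
        return 0
    fi
    grubby --update-kernel=ALL --remove-args="init_on_alloc init_on_free" --args="$MEM_HYGIENE_ARGS"
    echo "memory hygiene: enabled $MEM_HYGIENE_ARGS (takes effect at next boot)"
}

# Snapshot the attached USB devices into the USBGuard policy. Runs after the password
# step and only once the operator confirms that the trusted devices are plugged in,
# because everything attached at this moment becomes allowed.
snapshot_usbguard_policy() {
    policy=/etc/usbguard/rules.conf
    printf 'Plug in all trusted USB devices now, then press Enter to snapshot the policy: '
    read -r _reply
    usbguard generate-policy > "$policy.new"
    install -m 0600 "$policy.new" "$policy" && rm -f "$policy.new"
    systemctl restart usbguard
    echo "usbguard: $(wc -l < "$policy") rules written to $policy"
}

# Run the steps only when executed directly as root under the assumed script name,
# so the functions can be sourced and checked without touching the system.
if [ "${0##*/}" = "veilor-firstboot-postinstall" ] && [ "$(id -u)" -eq 0 ]; then
    apply_mem_hygiene
    snapshot_usbguard_policy
fi
```

The cmdline check is deliberately strict: `init_on_alloc=0` is reported as missing, which is why the grubby call removes both keys before adding them rather than appending.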


## v0.4 — distribution + signing

Get veilor-os to a state where the ISO is downloadable, verifiable, and trusted by Secure Boot without user shenanigans.

- GPG-signed releases. Tag → CI builds → CI signs ISO + sha256 with veilor.org release key → GitHub Release artifact carries .iso.asc.
- Reproducible builds. Pin Fedora compose ID, lock package versions via dnf snapshot or equivalent, document how to verify two builds match.
- Own MOK (Machine Owner Key) + sbsign for Secure Boot. Currently veilor-os relies on Fedora's signed shim chain. v0.4 ships our own MOK, signs the kernel + initramfs at build time, optionally enrols the MOK on first boot for users who want a cleaner trust path.
- ISO download mirror — static download page on veilor.org with current + previous release, sha256, gpg signature. Not an RPM mirror — veilor-os does not ship its own packages, only the spin configuration.
- Release process documented — tagging, CI, signing, mirror sync in docs/RELEASE.md.
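An added example, not veilor-os's release tooling: the verification a downloader of a v0.4-style release would run against the artifacts listed above. The artifact names (veilor-os.iso, SHA256SUMS, veilor-os.iso.asc) and the keyring path are this example's assumptions. The design point is that the sha256 step only confirms the download is intact (a sums file served next to the ISO can be replaced together with it), while authenticity comes from checking the detached signature against an explicitly imported release key rather than whatever happens to be in the user's default keyring.

```shell
#!/bin/sh
# Added example, not veilor-os's release tooling: client-side verification of a
# v0.4-style signed release. Artifact names and the keyring path are assumptions.

set -u

# Keyring holding only the veilor.org release key (assumed path; override via environment).
RELEASE_KEYRING="${RELEASE_KEYRING:-/etc/pki/veilor/release-keyring.gpg}"

# Check the ISO against the sha256 published for it. Returns 0 on match, 1 on mismatch
# or when the sums file has no entry for the ISO. Integrity only, not authenticity.
# Usage: check_sha256 veilor-os.iso SHA256SUMS
check_sha256() {
    iso="$1"; sums="$2"
    name=$(basename "$iso")
    # sha256sum lines look like "<hash>  <name>" or "<hash> *<name>" for binary mode
    expected=$(awk -v name="$name" '{ f = $2; sub(/^\*/, "", f); if (f == name) print $1 }' "$sums" | head -n 1)
    if [ -z "$expected" ]; then
        echo "sha256: no entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "sha256: MISMATCH for $name" >&2
        return 1
    fi
    echo "sha256: ok ($name)"
}

# Verify the detached signature with an explicit keyring, so that nothing else in the
# user's default keyring can vouch for the ISO.
# Usage: check_signature veilor-os.iso veilor-os.iso.asc
check_signature() {
    file="$1"; sig="$2"
    gpg --no-default-keyring --keyring "$RELEASE_KEYRING" --verify "$sig" "$file"
}

# Full check: integrity first (cheap, catches truncated downloads), then authenticity.
verify_release() {
    iso="$1"
    check_sha256 "$iso" "$(dirname "$iso")/SHA256SUMS" || return 1
    check_signature "$iso" "$iso.asc" || { echo "signature: FAILED, do not boot this image" >&2; return 1; }
    echo "release verified: $iso"
}
```

`verify_release ~/Downloads/veilor-os.iso` expects SHA256SUMS and veilor-os.iso.asc beside the ISO and the release key already imported into the keyring named above; a missing keyring makes the signature step fail closed.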

## v0.5 — hardening tier 2

Hardening that builds on v0.2's foundation. Each item is opt-in unless specified — defaults stay sane for a daily driver.

- AppArmor profiles in addition to SELinux. Stack-not-replace. Targeted at the browser, the mail client, and anything that touches attacker-controlled data. SELinux remains the primary MAC.
- systemd-homed — encrypted-per-user ~, suspend-aware, key unlocked at PAM login. Optional, opt-in via post-install helper.
- nftables ruleset alongside firewalld defaults. Default firewalld policy stays drop; nftables provides advanced filtering for users who want it.
- Audit log shipping — opt-in auditd -> remote syslog over TLS, for users running a central log aggregator.
- Installer kickstart split — separate veilor-os-install.ks for installer ISO (real LUKS partitioning, not the live-rootfs simplification used in v0.2). Lets users install veilor-os as the primary OS without going through the live boot first.
- Audit baseline — re-run the security audit (template in security/audit-template.md) and target a lower risk score than v0.2.

## v0.6 — ergonomics

Smooth the operator experience so day-to-day work doesn't fight the hardening.

- veilor-update — wraps dnf upgrade with a pre-check (snapshot available?), an auditd pause, and post-update sysctl/SELinux validation. One command, no surprises.
- veilor-doctor — diagnostic helper. Walks the audit checklist (getenforce, mokutil --sb-state, firewall-cmd --get-default-zone, fail2ban status, USBGuard policy, sysctl drift) and reports what's drifted from baseline.
- Opt-in installer ISO — flip from live-only to live + installer, user picks at boot menu. Installer uses the v0.5 kickstart with full LUKS + btrfs subvols + zram.
- First-boot UX — replace TTY password prompt with a small Plymouth-rendered dialog. Less raw.
- Bluetooth opt-in helper — single command to enable + bring up the daemon + add the user to the right group. Currently three commands.
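An added example, not the project's veilor-doctor: the sysctl-drift comparison and the command-based checks from the audit walk described above, written so the drift logic runs on two plain files and can be checked without root. The baseline file format, the check table, the baseline path and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not the project's veilor-doctor): the sysctl-drift check and the
# command-based checks from the audit walk. File format, check table and names are
# this example's assumptions.

set -u

# Compare a baseline in sysctl.conf syntax ("key = value", '#' comments) against
# "key = value" lines as printed by `sysctl -a` (or any file in the same shape).
# Prints one line per drifted key, sorted, and returns 1 if anything drifted.
# Usage (baseline path assumed):
#   sysctl -a 2>/dev/null > /tmp/live.txt
#   sysctl_drift /etc/sysctl.d/veilor.conf /tmp/live.txt
sysctl_drift() {
    baseline="$1"; current="$2"
    out=$(awk '
        # Split "key = value" into globals KEY/VAL; returns 0 for blank or comment lines.
        function parse(line,    k, v) {
            sub(/#.*/, "", line)
            if (line !~ /=/) return 0
            k = line; sub(/[ \t]*=.*/, "", k); gsub(/^[ \t]+/, "", k)
            v = line; sub(/^[^=]*=[ \t]*/, "", v); gsub(/[ \t]+$/, "", v)
            gsub(/[ \t]+/, " ", v)      # multi-value keys (e.g. ip_local_port_range) print tab-separated live
            KEY = k; VAL = v
            return 1
        }
        FNR == NR { if (parse($0)) want[KEY] = VAL; next }   # first file: baseline
                  { if (parse($0)) have[KEY] = VAL }         # second file: live values
        END {
            for (k in want) {
                if (!(k in have))            print k " MISSING"
                else if (have[k] != want[k]) print k " expected=" want[k] " actual=" have[k]
            }
        }' "$baseline" "$current" | sort)
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

# Command-based checks. Each table line: label|command|regex the output must match.
# A check whose tool is not installed is reported as SKIP instead of failing the run,
# so the same script is usable on a partially provisioned machine.
run_checks() {
    status=0
    while IFS='|' read -r label cmd expect; do
        [ -z "$label" ] && continue
        set -- $cmd                                   # word-split the command into "$@"
        if ! command -v "$1" >/dev/null 2>&1; then
            echo "SKIP  $label ($1 not installed)"
            continue
        fi
        out=$("$@" 2>/dev/null) || true
        if printf '%s\n' "$out" | grep -Eq "$expect"; then
            echo "OK    $label"
        else
            echo "DRIFT $label: got '$out'"
            status=1
        fi
    done <<EOF
SELinux enforcing|getenforce|^Enforcing$
Secure Boot enabled|mokutil --sb-state|SecureBoot enabled
firewalld default zone drop|firewall-cmd --get-default-zone|^drop$
fail2ban running|systemctl is-active fail2ban|^active$
USBGuard running|systemctl is-active usbguard|^active$
USBGuard policy non-empty|usbguard list-rules|^[0-9]+:
EOF
    return $status
}
```

On a live system the two halves combine as `run_checks; sysctl -a 2>/dev/null > /tmp/live.txt && sysctl_drift /etc/sysctl.d/veilor.conf /tmp/live.txt`, and a non-zero exit from either is the "drifted from baseline" signal the roadmap item asks for.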

## v0.7 — public flex

Take veilor-os out of "private repo, contained audience" mode.

- Public docs site — Hugo or mdBook on veilor.org, generated from docs/. Single source of truth for INSTALL, HARDENING, BUILD, ROADMAP, RELEASE, CONTRIBUTING.
- Repo public — flip GitHub visibility, announce.
- Comparison + benchmarks — published numbers vs stock Fedora KDE on cold boot, idle RAM, idle network egress, suspend/resume time.
- Threat model published — what veilor-os defends against, what it does not. Honest scope.
- Press kit — wallpapers, logo, screenshots, feature one-liner.

## v1.0 — production

The line where veilor-os is recommended for a non-author user as a daily driver.

- Multi-arch. x86_64 today; v1.0 ships aarch64 ISO too (laptops on ARM are real now). Build matrix in CI.
- LTS commitment — major versions tied to Fedora's release cadence, patch releases for security only, documented EOL per major.
- Recovery ISO — minimal rescue image with veilor tools (LUKS unlock, btrfs scrub, sysctl reset, fail2ban unban) for "I cannot log in to my system" days.
- TPM2 integration — sealed LUKS unlock against TPM2 PCRs (opt-in, default stays password). Ships as helper script, not silent default.
- Signed update channel — beyond GPG-signed ISOs, a signed metadata repo so veilor-doctor can detect available updates without trusting Fedora's mirrorlists alone.

## Stretch goals — not on the v0.x → v1.0 critical path

These are spin variants that share veilor-os DNA but need their own kickstart or build tool. They live on a separate track and do not block v1.0.

- veilor-server — no KDE, no GUI, hardened headless Fedora for homelab / VPS. Same overlay, different package set.
- veilor-kiosk — single-app Plasma session, locked-down user, read-only root. For dedicated-purpose machines.
- veilor-atomic — rpm-ostree / bootc-image-builder rebase. Immutable root, transactional updates, atomic rollback. Different build tool entirely (likely bootc-image-builder); all veilor hardening would translate to a Containerfile. Scheduled for after v0.5+, once the standard spin is stable.