veilor-org/veilor-os
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions
veilor-os/docs/ROADMAP.md
veilor-org e848c7ffc3 v0.5.28 (partial): lock locale to en_US, roadmap post-install menu 
Install-flow change + roadmap update. The roadmap entry is the
durable record; the code change is the immediate effect.

## Locale picker removed

The "[4/4] Locale" prompt is gone. Locale is hardcoded to en_US.UTF-8
for the install. Two reasons:

1. The picker only offered en_GB and en_US, both of which install
   identically apart from the langtag string and a couple of date /
   currency conventions that nobody who's mid-install is thinking
   about. It's a fake choice that adds a screen.
2. `localectl set-locale` post-install handles every locale on earth
   in one command. The v0.7 `veilor-postinstall` first-login menu (see
   roadmap below) will offer a locale + keyboard layout switch with
   live preview, which is the right place for that decision.

Step counters updated [1/4]→[1/3], [2/4]→[2/3], [3/4]→[3/3]. The Locale
row stays in the confirm-summary box because users still want to see
what they're getting installed.

## Roadmap

- New section v0.5.27–v0.5.28 — documents the install-path
  stabilisation work explicitly so the bridge between "first green
  ISO" and "looks polished" is not invisible. Calls out the LUKS BLS
  fix that landed in v0.5.27 + the gum-input replacement scheduled
  for v0.5.28.
- v0.6 — `veilor-doctor` description expanded: this is the
  post-install audit tool. Every user runs it weekly to see drift
  from baseline.
- v0.6 — new entry `veilor-postinstall`: EndeavourOS-style first-login
  welcome menu, single TUI screen, asks once. Covers the "I just
  installed, what do I configure" gap in one explicit step instead of
  scattered docs.
2026-05-05 02:48:36 +01:00

208 lines
9.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Roadmap
Versioned roadmap for veilor-os. Targets are intentionally short and
testable. No fluff. Items in earlier versions are blockers for later
ones unless explicitly noted.
For the historical record of what landed in each release, see
[`../CHANGELOG.md`](../CHANGELOG.md).
---
## v0.2 — green ISO + base hardening (DONE)
Reproducible CI build pipeline. UEFI+BIOS bootable live ISO from a single
kickstart. Single-prompt LUKS install. First-boot admin password flow.
Full overlay applied (sysctl, sshd, sudoers, tuned profiles, KDE black
theme, Fira Code, branded `/etc/os-release`). SELinux enforcing.
firewalld drop zone. fail2ban + auditd + USBGuard active. The build
chased five real bugs (DEST hardcoded, `set -eu` killing `cp`,
os-release symlink, missing admin user, `LABEL=` vs `CDLABEL=` in
livecd-tools) before greening.
Released `v0.2.5` on 2026-05-01. CI on every push to `main`.
---
## v0.5.27v0.5.28 — install path stabilisation (active)
The bridge between v0.2 (greens at all) and v0.3 (looks polished). All
of these are install-path bugs surfaced by the formal hybrid-VM test
procedure (`test/TESTING.md`).
- **v0.5.27 (DONE)** — `rd.luks.uuid` injected via `grubby
--update-kernel=ALL` so Fedora 43 BLS entries actually carry the
arg; without it first boot drops to dracut emergency shell. GRUB
rebrand (single "veilor-os" entry, rescue suppressed). `fbcon=nodefer`
in live cmdline so real laptops don't black-screen on KMS handoff.
ASCII gum cursor (cosmetic only — duplicate-render bug runs deeper,
carried to v0.5.28).
- **v0.5.28 (next)** — locale picker removed; en_US.UTF-8 hardcoded
for install (post-install menu in v0.7 handles locale switch). gum
input render glitches on linux fbcon (duplicate "Install", stray T
in password fields) get a real fix — likely replace `gum input
--password` with bash `read -srp`, since masked input does not need
TUI polish and every other distro installer does it this way.
Anaconda transaction containment so the user sees a branded
"INSTALLING" panel instead of `Configuring xxx.x86_64` scroll.
---
## v0.3 — UX polish (in progress)
The visible polish layer that v0.2 deferred for build velocity.
- **Plymouth black theme** — boot splash matching the desktop. No Fedora
drum, no white flash. `assets/plymouth/veilor/`.
- **SDDM theme** — black login background, single-user prompt with
`admin` pre-filled, no userlist.
- **Konsole profile** — black background, Fira Code, transparent panel
off (no compositor cost on resume).
- **Wallpaper SVG** — flat black with subtle veilor wordmark, 1080p +
4K + ultrawide variants.
- **Re-enable memory hygiene on installed system.** v0.2.5 stripped
`init_on_alloc=1 init_on_free=1` from the *live* cmdline because they
5x'd KVM boot time. Re-add post-install via `veilor-firstboot` so the
installed system gets the protection without the ISO penalty.
- **USBGuard auto-snapshot on first boot.** Currently the operator
runs `usbguard generate-policy` manually. v0.3 wires this into
`veilor-firstboot` after the password step (with a clear
"plug in trusted devices first" prompt).
Target: this month. None of it is a kickstart change — pure overlay
work.
---
## v0.4 — distribution + signing
Get veilor-os to a state where the ISO is downloadable, verifiable, and
trusted by Secure Boot without user shenanigans.
- **GPG-signed releases.** Tag → CI builds → CI signs ISO + sha256 with
veilor.org release key → GitHub Release artifact carries `.iso.asc`.
- **Reproducible builds.** Pin Fedora compose ID, lock package versions
via `dnf snapshot` or equivalent, document how to verify two builds
match.
- **Own MOK (Machine Owner Key) + sbsign for Secure Boot.** Currently
veilor-os relies on Fedora's signed shim chain. v0.4 ships our own
MOK, signs the kernel + initramfs at build time, optionally enrols
the MOK on first boot for users who want a cleaner trust path.
- **ISO download mirror** — static download page on veilor.org with
current + previous release, sha256, gpg signature. **Not** an RPM
mirror — veilor-os does not ship its own packages, only the spin
configuration.
- **Release process documented** — tagging, CI, signing, mirror sync
in `docs/RELEASE.md`.
---
## v0.5 — hardening tier 2
Hardening that builds on v0.2's foundation. Each item is opt-in unless
specified — defaults stay sane for a daily driver.
- **AppArmor profiles in addition to SELinux.** Stack-not-replace.
Targeted at the browser, the mail client, and anything that touches
attacker-controlled data. SELinux remains the primary MAC.
- **systemd-homed** — encrypted-per-user `~`, suspend-aware, key
unlocked at PAM login. Optional, opt-in via post-install helper.
- **nftables ruleset** alongside firewalld defaults. Default firewalld
policy stays drop; nftables provides advanced filtering for users
who want it.
- **Audit log shipping** — opt-in `auditd` -> remote syslog over TLS,
for users running a central log aggregator.
- **Installer kickstart split** — separate `veilor-os-install.ks` for
installer ISO (real LUKS partitioning, not the live-rootfs
simplification used in v0.2). Lets users install veilor-os as the
primary OS without going through the live boot first.
- **Audit baseline** — re-run the security audit (template in
`security/audit-template.md`) and target a lower risk score than v0.2.
---
## v0.6 — ergonomics
Smooth the operator experience so day-to-day work doesn't fight the
hardening.
- **`veilor-update`** — wraps `dnf upgrade` with a pre-check (snapshot
available?), an auditd pause, and post-update sysctl/SELinux
validation. One command, no surprises.
- **`veilor-doctor`** — diagnostic helper. Walks the audit checklist
(`getenforce`, `mokutil --sb-state`, `firewall-cmd --get-default-zone`,
fail2ban status, USBGuard policy, sysctl drift) and reports what's
drifted from baseline. This is the **post-install audit** path:
every veilor-os user can run `veilor-doctor` weekly and see exactly
where their system has drifted from the hardened defaults.
- **`veilor-postinstall`** — first-login welcome menu, EndeavourOS-style
but cleaner. Single TUI screen with: keyboard layout, locale, hostname
override, optional package presets (dev / media / homelab), driver
choices (NVIDIA / Intel / AMD), Bluetooth opt-in, audit baseline run.
Each step is skippable, runs once on first SDDM login, never auto-runs
again. Lives in `overlay/usr/local/bin/veilor-postinstall` + a
`~/.config/autostart/veilor-postinstall.desktop` that self-deletes
after first run. Replaces the current "user has to know what to
configure" model with "we ask, once, with sane defaults pre-selected".
- **Opt-in installer ISO** — flip from live-only to live + installer,
user picks at boot menu. Installer uses the v0.5 kickstart with full
LUKS + btrfs subvols + zram.
- **First-boot UX** — replace TTY password prompt with a small
Plymouth-rendered dialog. Less raw.
- **Bluetooth opt-in helper** — single command to enable + bring up
the daemon + add the user to the right group. Currently three
commands.
---
## v0.7 — public flex
Take veilor-os out of "private repo, contained audience" mode.
- **Public docs site** — Hugo or mdBook on `veilor.org`, generated from
`docs/`. Single source of truth for INSTALL, HARDENING, BUILD,
ROADMAP, RELEASE, CONTRIBUTING.
- **Repo public** — flip GitHub visibility, announce.
- **Comparison + benchmarks** — published numbers vs stock Fedora KDE
on cold boot, idle RAM, idle network egress, suspend/resume time.
- **Threat model published** — what veilor-os defends against, what it
does not. Honest scope.
- **Press kit** — wallpapers, logo, screenshots, feature one-liner.
---
## v1.0 — production
The line where veilor-os is recommended for a non-author user as a
daily driver.
- **Multi-arch.** x86_64 today; v1.0 ships aarch64 ISO too (laptops
on ARM are real now). Build matrix in CI.
- **LTS commitment** — major versions tied to Fedora's release cadence,
patch releases for security only, documented EOL per major.
- **Recovery ISO** — minimal rescue image with veilor tools (LUKS
unlock, btrfs scrub, sysctl reset, fail2ban unban) for "I cannot log
in to my system" days.
- **TPM2 integration** — sealed LUKS unlock against TPM2 PCRs (opt-in,
default stays password). Ships as helper script, not silent default.
- **Signed update channel** — beyond GPG-signed ISOs, a signed metadata
repo so `veilor-doctor` can detect available updates without trusting
Fedora's mirrorlists alone.
---
## Stretch goals — not on the v0.x → v1.0 critical path
These are spin variants that share veilor-os DNA but need their own
kickstart or build tool. They live on a separate track and do not
block v1.0.
- **`veilor-server`** — no KDE, no GUI, hardened headless Fedora for
homelab / VPS. Same overlay, different package set.
- **`veilor-kiosk`** — single-app Plasma session, locked-down user,
read-only root. For dedicated-purpose machines.
- **`veilor-atomic`** — rpm-ostree / bootc-image-builder rebase.
Immutable root, transactional updates, atomic rollback. Different
build tool entirely (likely `bootc-image-builder`); all veilor
hardening would translate to a `Containerfile`. Schedule for after
v0.5+ once the standard spin is stable.
Reference in a new issue View git blame Copy permalink