SilverLABS/SilverMetal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs(naming): adopt OS / Enhanced product-line framing + align with existing repos

Browse Source 
Two product lines, named to make scope obvious to buyers:
- 🔒 SilverMetal OS — we ship the operating system or ROM
  (Linux, Pixel, Samsung-unlocked, Motorola-unlocked)
- 🛡️ SilverMetal Enhanced — we harden the OS the device already runs
  (Windows, macOS, iOS, generic Android)

Repo alignment:
- SilverVPN already exists as a SilverLABS product (server + MAUI client +
  Linux client + tunnel service). stack/vpn/ is now an integration pointer
  rather than a re-scaffold; per-platform READMEs reference it.
- SilverApple is deprecated; SilverMetal Enhanced — iOS supersedes it.
  Migration step added as roadmap milestone 3I.1.
- SilverDROID name clash explicitly noted as unrelated (it's the SilverSHELL
  AppStore Android client, not an Android ROM).
- SilverChat may overlap with SilverVPN.Client.Chat; alignment decision
  added as roadmap milestone 1.1.1.

Roadmap restructured: phases now track the OS/Enhanced split.
Platform matrix re-sectioned and decision flowchart updated.
README rewritten around the two-product-line framing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
SysAdmin
2026-04-25 03:30:45 +01:00
parent 7d5f9cc246
commit 0a0075ce66
10 changed files with 316 additions and 224 deletions
Download Patch File Download Diff File Expand all files Collapse all files

95
docs/roadmap.md
View File

@@ -2,6 +2,8 @@
Milestone-driven, no calendar dates (those slip; milestone gates don't). Each milestone has a definition of done. We don't move on until the previous milestone is met.
The two product lines (**SilverMetal OS** and **SilverMetal Enhanced**) share the same roadmap because they share the SilverLABS Application Stack and the same supporting infrastructure. They diverge in delivery format only.
## Phase 0 — Foundation (current)
**Goal**: get the architecture, threat model, and product principles documented and reviewed before writing OS code.
@@ -11,14 +13,15 @@ Milestone-driven, no calendar dates (those slip; milestone gates don't). Each mi
| 0.1 | Repo scaffold | Directory tree + per-platform stubs + per-stack stubs in place |
| 0.2 | Umbrella docs | `README.md` + `docs/{threat-model,design-principles,platform-matrix,roadmap,trust-model}.md` complete and reviewed |
| 0.3 | Gitea repo created and pushed | `SilverLABS/SilverMetal` exists on `git.silverlabs.uk` with this scaffold |
| 0.4 | Naming framework + repo alignment locked | OS / Enhanced naming applied; SilverApple deprecation noted; SilverVPN integration scope defined |
**Status**: in progress (this commit completes 0.10.3).
**Status**: complete.
---
## Phase 1 — SilverMetal Linux v1 (the MVP)
## Phase 1 — SilverMetal OS — Linux v1 (the MVP)
**Goal**: ship a public alpha ISO that passes our own hardening verification. This is the reference implementation; the patterns established here flow to other platforms.
**Goal**: ship a public alpha ISO that passes our own hardening verification. This is the reference implementation; the patterns established here flow to other flavours.
| # | Milestone | Done when |
|---|---|---|
@@ -28,7 +31,7 @@ Milestone-driven, no calendar dates (those slip; milestone gates don't). Each mi
| 1.4 | Telemetry-leak test green | tcpdump on fresh-install idle for 30 min — zero packets to MS/Google/Apple/Mozilla/Canonical/Debian/analytics endpoints |
| 1.5 | LUKS2 + TPM2 PCR-bound install via Calamares | End-to-end: install → reboot → TPM unlock → desktop. Tamper test correctly falls back to passphrase |
| 1.6 | SilverBrowser v1 integrated (ungoogled-chromium rebrand) | Default browser, no Google services, fingerprint defences validated |
| 1.7 | SilverVPN v1 integrated (WireGuard backbone) | Always-on default; kill-switch verified; account-number signup flow works |
| 1.7 | SilverVPN integrated into image | Existing `SilverLABS/SilverVPN` Linux client + tunnel service preinstalled, always-on default; kill-switch verified |
| 1.8 | SilverSync v1 integrated (Nextcloud backbone, client-side encryption) | Contacts/calendar/files sync end-to-end; server cannot read content |
| 1.9 | Update server + signing ceremony complete | First signed update delivered through alpha channel; rollback verified |
| 1.10 | Public alpha ISO + SBOM + build attestation published | Download page live; reproducible-build instructions documented |
@@ -45,64 +48,74 @@ Milestone-driven, no calendar dates (those slip; milestone gates don't). Each mi
| # | Milestone | Done when |
|---|---|---|
| 1.1.1 | SilverChat v1 (Matrix-based) | Homeserver running; iOS/Android/Linux/Windows/Mac clients functional; account-number onboarding |
| 1.1.2 | SilverDuress v1 | Linux PAM module + Android duress PIN + iOS Shortcuts/MDM trigger + Windows Group Policy + macOS profile — all verified |
| 1.1.3 | SilverKeys v1 | Bitwarden-derived client + SilverSync backend; per-platform clients |
| 1.1.4 | Atomic root experiment | ostree-based variant builds; v1.2 candidate if successful |
| 1.1.1 | SilverChat v1 — alignment review | Decide whether to pull `SilverVPN.Client.Chat` in, fork it, or scope SilverChat as a separate effort. Outcome documented in `docs/decisions/` |
| 1.1.2 | SilverChat v1 client + homeserver | Cross-platform clients functional; account-number onboarding |
| 1.1.3 | SilverDuress v1 | Linux PAM module + Android duress PIN + iOS Shortcuts/MDM trigger + Windows Group Policy + macOS profile — all verified |
| 1.1.4 | SilverKeys v1 | Bitwarden-derived client + SilverSync backend; per-platform clients |
| 1.1.5 | Atomic root experiment | ostree-based variant builds; v1.2 candidate if successful |
---
## Phase 2 — SilverMetal Droid
## Phase 2 — SilverMetal OS — Droid (Pixel + Samsung + Motorola)
**Goal**: ship Android coverage across all four tiers (Pixel flagship, Samsung, Motorola, generic profile).
**Goal**: ship the three ROM-level Android tiers.
| # | Milestone | Done when |
|---|---|---|
| 2.1 | Pixel flagship ROM (GrapheneOS-fork) | Builds, signs, OTA-updates from our infrastructure; Stack preinstalled; verified boot rooted in our key |
| 2.2 | Samsung tier (LineageOS-fork on unlocked-bootloader models) | Supported model list published; ROM + Stack overlay |
| 2.3 | Motorola tier (DivestOS/LineageOS) | Supported model list published; ROM + Stack overlay |
| 2.4 | Generic Android profile | "Harden my Android" installer: Stack apps + work-profile hardening config; works on Android 13+ |
| 2.5 | Android hardware SKU pilot | Pixel preflashed batch (10 units) + Moto preflashed batch (10 units) |
| 2.1 | OS — Pixel ROM (GrapheneOS-fork) | Builds, signs, OTA-updates from our infrastructure; Stack preinstalled; verified boot rooted in our key |
| 2.2 | OS — Samsung (LineageOS-fork on unlocked-bootloader models) | Supported model list published; ROM + Stack overlay |
| 2.3 | OS — Motorola (DivestOS/LineageOS) | Supported model list published; ROM + Stack overlay |
| 2.4 | Pixel preflashed pilot | 10 preflashed units shipped |
| 2.5 | Motorola preflashed pilot | 10 preflashed units shipped |
---
## Phase 3 — SilverMetal Windows
## Phase 3 — SilverMetal Enhanced (the four hardening packages)
**Goal**: ship the Windows hardening installer for users locked into Windows.
**Goal**: ship Enhanced packages for Windows, macOS, iOS, and generic Android.
The four Enhanced flavours can be developed largely in parallel since they share the SilverLABS Stack and don't depend on each other.
### 3W — Enhanced — Windows
| # | Milestone | Done when |
|---|---|---|
| 3.1 | LTSC IoT base evaluated and licensed for our use | License path documented; base image acquired |
| 3.2 | Hardening installer (PowerShell/EXE) | Applies Group Policy, AppLocker, Defender ASR, removes Edge/Cortana/Store, blocks telemetry hosts |
| 3.3 | Stack ports for Windows | SilverBrowser/VPN/Sync/etc. native Windows builds, signed with our cert |
| 3.4 | BitLocker + TPM enforcement automated | Installer ensures BitLocker enabled with TPM-bound recovery |
| 3.5 | Windows hardware SKU pilot | Preflashed Coreboot-laptop variant with Windows + SilverMetal hardening (10 units) |
| 3.6 | Telemetry-leak test for Windows | 30-min idle on hardened install — minimal Microsoft contact, documented (we cannot reach zero on Windows; we publish what remains) |
---
## Phase 4 — Apple platforms (macOS + iOS profiles)
**Goal**: ship signed configuration profiles, setup scripts, curated app guidance, and Stack ports for Apple platforms.
| 3W.1 | LTSC IoT base licensed and acquired | License path documented |
| 3W.2 | Hardening installer (PowerShell/EXE) | Applies Group Policy, AppLocker, Defender ASR, removes Edge/Cortana/Store, blocks telemetry hosts |
| 3W.3 | Stack ports for Windows | SilverBrowser/Sync/etc. native Windows builds, signed with our cert. SilverVPN MAUI Windows client integrated |
| 3W.4 | BitLocker + TPM enforcement automated | Installer ensures BitLocker enabled with TPM-bound recovery |
| 3W.5 | Windows hardware SKU pilot | Preflashed Coreboot-laptop variant with Windows + Enhanced (10 units) |
| 3W.6 | Telemetry-leak test for Windows | 30-min idle on hardened install — minimum-feasible Microsoft contact, documented |
### 3M — Enhanced — macOS
| # | Milestone | Done when |
|---|---|---|
| 4.1 | macOS configuration profile | Signed `.mobileconfig` enforces FileVault, disables analytics/Siri, configures firewall |
| 4.2 | macOS setup script | Idempotent script applies non-MDM hardening (default app changes, etc.) |
| 4.3 | Stack ports for macOS | Universal binaries, notarised, signed with our Apple Developer cert |
| 4.4 | iOS MDM profile | Signed `.mobileconfig` for users with personal MDM (or via free Apple Configurator) |
| 4.5 | Stack ports for iOS | App Store releases (Browser may face Apple review constraints — fall back to webkit-based with our defaults) |
| 4.6 | Apple setup guide | Step-by-step published guide complementing the profiles |
| 3M.1 | macOS configuration profile | Signed `.mobileconfig` enforces FileVault, disables analytics/Siri, configures firewall |
| 3M.2 | macOS setup script | Idempotent script applies non-MDM hardening |
| 3M.3 | Stack ports for macOS | Universal binaries, notarised, signed |
### 3I — Enhanced — iOS (supersedes SilverApple)
| # | Milestone | Done when |
|---|---|---|
| 3I.1 | Migrate / fold any usable assets from `SilverLABS/SilverApple` | Inventory of SilverApple done; reusable parts moved into `ios/`; SilverApple repo archived |
| 3I.2 | iOS MDM profile | Signed `.mobileconfig` for personal MDM or Apple Configurator |
| 3I.3 | Stack ports for iOS | App Store releases (Browser may face Apple WebKit constraints — fall back if needed) |
| 3I.4 | Apple setup guide | Step-by-step published guide complementing the profiles |
### 3A — Enhanced — Android (generic)
| # | Milestone | Done when |
|---|---|---|
| 3A.1 | Generic Android profile installer | "Harden my Android" — Stack apps + work-profile hardening config |
| 3A.2 | Compatibility test matrix | Runs cleanly on Android 13+ across Samsung locked, OnePlus, Xiaomi, OEMs we don't have ROMs for |
---
## Phase 5 — Hardening / immutability / Tor sibling
## Phase 4 — Hardening / immutability / Tor sibling
**Goal**: post-MVP improvements; not blocking earlier phases.
- Atomic / immutable Linux variant (ostree)
- dm-verity-protected `/`
- Tor-by-default sibling product (SilverMetal Onion or similar)
- Tor-by-default sibling product
- ARM64 / Apple Silicon Linux variant
- Coreboot tooling improvements / additional reference hardware
@@ -110,15 +123,13 @@ Milestone-driven, no calendar dates (those slip; milestone gates don't). Each mi
## Cross-cutting workstreams (always-on)
These run in parallel with phases:
- **Security advisories** — vulnerability response process from Phase 1.10 onward; signed advisories
- **External audits** — annual or per-major-release third-party security review
- **Security advisories** — vulnerability response process from Phase 1.10 onward
- **External audits** — annual or per-major-release third-party review
- **Documentation** — every phase's gate includes documentation update
- **Community / support** — issue tracker, support channels, response SLOs
## Phase entry/exit philosophy
- We do not start a phase until the previous one's exit criteria are met
- We *can* run cross-cutting workstreams in parallel
- Cross-cutting workstreams run in parallel
- A failing verification gate blocks the phase, full stop — no shipping with known regressions