SysAdmin
1b1a1eabed
Run #4282's enriched diagnostic pinpointed the exact remaining drift: diagnose: first ISO byte difference at offset 205152 (LBA 100) 205153 7 10 205154 27 0 205155 57 3 205156 52 55 Decoded as decimal, those are the day/hour/minute/second fields of an ISO9660 7-byte directory record date: A: dd=7 hh=23 mm=47 ss=42 (May 7 23:47:42 UTC) B: dd=8 hh=0 mm=3 ss=45 (May 8 00:03:45 UTC) Match the wall-clock mtime of /live/filesystem.squashfs that the TOC diff also still showed: -/live/filesystem.squashfs ... May 7 23:47 +/live/filesystem.squashfs ... May 8 00:03 Why iter34's `-alter_date_r all "=N" /` didn't catch it: xorriso applies `-alter_date_r` to the in-memory ISO node table, but `-update <src> <iso_path>` writes the directory record's mtime at `-commit` time using the SOURCE FILE's mtime — overriding whatever was in the node table. So the relevant mtime is on `/tmp/silvermetal-rebuilt- XXXXXX.squashfs` (the freshly-`mksquashfs`d file), and that has wall-clock mtime. Fix: touch the source file to SOURCE_DATE_EPOCH right before xorriso reads it. sudo touch -d "@${SOURCE_DATE_EPOCH}" "${new_sqfs}" Bonus: diagnose-divergence.sh now falls back to `od -t x1z` when xxd isn't available — silvermetal-builder ships coreutils but not vim-common, so the iter34 xxd window was silently empty. The new od-based dump is what landed the actual byte values in run #4282. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
SilverMetal OS — Linux
Status: Phase 1 (planning) → moving to milestone 1.1 (reproducible Kicksecure fork build)
🔒 SilverMetal OS product line — we ship the operating system.
The reference SilverMetal flavour. Tier A — full kernel-level hardening, verified boot we control, Debian/Kicksecure-based.
Scope (v1)
See ../docs/roadmap.md Phase 1.
Hardening must-haves
- Kicksecure base (Debian-derived, hardened upstream)
- linux-hardened kernel + KSPP sysctl/build flags
- Secure Boot with our shim/MOK
- TPM2 PCR-bound LUKS2 unlock (Argon2id), full-disk encryption mandatory
- AppArmor strict profiles for browsers, mail, viewers, networked daemons
- GrapheneOS hardened_malloc as system allocator
- bubblewrap + Flatpak primary; firejail for legacy
.deb - nftables default-deny inbound, encrypted DNS, SilverVPN always-on default
- Zero upstream telemetry — verified by integration test
- SilverBrowser default (ungoogled-chromium-rebranded v1)
- SilverVPN integrated from existing
SilverLABS/SilverVPN(Linux client + tunnel service) - SilverSync v1 (Nextcloud-backed, client-side encryption)
- A/B updates with rollback, signed by our keys
- Optional amnesic session mode
Out of scope (v1)
- Atomic / immutable root (v1.1 —
ostreeexperiment) - dm-verity on
/(v1.1) - ARM64 / Apple Silicon (v2)
- Tor-by-default variant (sibling product later)
Directory layout
linux/
├── build/ # live-build pipeline, reproducible-build config
├── kernel/ # config fragments, linux-hardened pinning
├── overlay/ # /etc + /usr/share/silvermetal + skel hardening overlay
├── packages/
│ ├── include.list # what's installed
│ └── exclude.list # what's purged (snap, telemetry, etc.)
├── apparmor/ # custom strict profiles
├── nftables/ # default ruleset
├── installer/ # Calamares branding + hardened defaults
├── update-server/ # signing + repo hosting (infra-as-code)
└── tests/
├── lynis-baseline/
├── kspp-check/
└── telemetry-leak/
Verification gates (must pass before public alpha)
- Two clean builds from same commit → identical SHA256
kconfig-hardened-checkpasses- Lynis hardening score ≥ 90
- 30-min idle telemetry capture: zero packets to MS/Google/Apple/Mozilla/Canonical/Debian/analytics
- TPM tamper test: LUKS correctly falls back to passphrase
- AppArmor: every networked binary confined or documented
- Independent privacy-engineering review
Upstream we depend on
- Kicksecure — fork base
- linux-hardened — kernel patchset
- GrapheneOS hardened_malloc — allocator
- KSPP — kernel config authority
- secureblue — reference for v1.1 immutable design
SilverLABS/SilverVPN— VPN client + tunnel service (existing, integrated)