Tags

  • v1.0.0

    protected
    v1.0.0 — basef: a signed, earned, FROM-scratch Fedora bootc base
    
    basef composes Fedora bootc base images FROM-scratch via rpm-ostree
    compose rootfs — no inherited bootc parent — with source-built OpenZFS
    and NVIDIA kernel modules. This is the first release: the foundation is
    hardened, every operation is annotated against its upstream reason, and
    two properties that were aspirational at the start are now real.
    
    :stable is earned, not labelled. Every candidate image boots in a
    nested-KVM smoke gate — bootc status, initramfs integrity, a clean
    journal, ZFS + NVIDIA module load, and the module signer — before the
    tag moves. A failed boot freezes :stable and the instance cascade never
    fires. The gate has already frozen a real regression before it reached
    a host.
    
    The kernel modules are signed. Every zfs/spl/nvidia module is MOK-signed
    at build under CN=immutable.dunn.dev; the certificate is baked into the
    image and published at https://immutable.dunn.dev/keys, so a host can run
    the source-built stack under Secure Boot after a one-time enrolment.
    
    Built FROM-scratch on Fedora 44, no kernel pin, no DKMS, composefs
    immutable root. Built for one homelab; published openly as reference.
    The build path is forkable; the host deployments are not.
    
    Validated on the carmine nested-KVM fast-loop and the crucible CI smoke
    gate — including a full anaconda/kickstart/LUKS install rehearsal — never
    assumed. See CHANGELOG.md for the detailed record.