Yeah, it seems that they even acknowledge that Tor and Mullvad are better for extreme threat models.

"The only browsers that can provide sophisticated fingerprinting protection against advanced scripts are Tor Browser & Mullvad Browser.

If you have an extreme threat model (Ex. Political dissident, journalist, or if you are in some other kind of high risk situation), please use one of those browsers."

I suppose we’d have to commend them for being fair.

Unfortunately, I’ve yet to experience Qubes OS myself. So I can’t help you with that. Wish ya the best of luck though!

I hope at least the earlier problems with distrobox have been solved.

Is your intention to go in the direction of Qubes OS with extra steps?

Yo OP, did it work out in the end?

Thanks a ton for the elaborate answer!

I’ve moved to cachy OS mainly because I needed to get certain things working that were only packaged in appimage

Hmm…, I’m aware that the AppImage situation is pretty dire since it requires FUSE 2 libs while everyone and their grandmothers have moved to FUSE 3; software that’s been almost out for a decade now. Thankfully, I’ve never actually experienced trouble getting it to work on any distro. Sure, installing some libs was often required, but nothing too fancy.

BUT I believe I could have worked it out in Aeon by fiddling around with distrobox

FWIW, I’m 100% positive that you could get it to work on Aeon. IIRC, I’ve also used AppImages through distrobox containers.

I think once there is a mature wayland-based Openbox replacement

Interesting. If it isn’t too much of a trouble, could you pitch Openbox :P for me? I’m not too familiar with it, but you did get me curious.

(eyes on labwc)

Put into my backlog of stuff I’ve got to checkout.

I was hoping that this reply wasn’t needed 😅. In all fairness, some of the replies found on ycombinator definitely offer legitimate criticism. However, secureblue’s dev team didn’t just ignore all of that as they can be found discussing on the very same thread. Since then, they’ve actually implemented changes addressing these concerns. For example:

Trading off possible kernel bugs against letting a whole LOT of userspace software run with real root privilege. And flatpak is a lot of attack surface no matter how you run it, and the packages have a bad security reputation.

This was raised as a good objection to some of its design choices. This eventually lead secureblue’s dev team to maintain twice as many images for the sake of offering images in which this was handled differently. And it didn’t stop there, it has continued to output a lot of work addressing concerns both found on that thread and outside of it. Consider looking into its commit history. Heck, even some of the GrapheneOS-people have provided feedback on the project.

Of course, no one dares to claim it comes close to Qubes OS’ security model. Nor is this within scope of the project. However, apart from that, I fail to name anything that’s better. Kicksecure is cool, but they’ve deprecated Hardened Malloc; a security feature found on GrapheneOS and that has been heavily inspired by OpenBSD’s malloc design. By contrast, secureblue hasn’t abandoned it. Heck, it elevated its use by allowing it to be used with Flatpak; something that hasn’t been done on any other distro yet. This is just one example in which the secureblue dev team and its various contributors have shown to be very competent when it comes to implementing changes that improve security beyond trivial checkboxes.

Peeps may name other hardening projects. But fact of the matter is that I’m unaware of another hardened Linux project that’s quite as feature-rich:

• Tails; cool project that does wonderful work against protecting one against forensics. But that’s literally it. It’s not even meant as a daily driver.
• Whonix; developed somewhat together with Kicksecure, so this one actually has put in substantial work into hardening. But, again, not meant to be used as a daily driver.
• Nix-mineral; cool project, but it’s still alpha software by its own admission.
• Spectrum OS; great idea, but it’s not even out yet.

Please feel free to inform me if I’ve forgotten anything. So, basically, if you want a hardened daily driver for general computing, then one simply has to choose between Kicksecure and secureblue. I wish for both projects to flourish, but I’ve stuck with the latter for now.

Do you run Steam inside gamescope as well ?

Nope I don’t. But that’s because running Steam isn’t really a thing for me to begin with. I don’t own my games through Steam aside from a couple that are only accessible through it. Whenever I need to play those, I access those through another system; be it another distro or (God forbid) M$. For the games I’ve played on secureblue, none of them were owned through Steam. Hence, running Steam inside gamescope has not been something I had to do yet. Unsure, if it even works as supposed.

Does your setup support casks ?

I actually don’t know. It probably doesn’t, though. EDIT: Found the following within Bluefin’s documentation: “Note that the cask functionality in homebrew is MacOS specific and non functional in Bluefin, flatpak is used instead.”

That was a great read. Wonderfully detailed. Thank you!

It’s a pity that it went down like that. Would you say that a properly matured openSUSE Kalpa would be your perfect setup? Out of curiosity, have you used projects related to Fedora Atomic for long periods of time? If so, how would you compare them?

I’m glad to find that the general perception on CachyOS has definitely changed for the better. I believe it was two or three years ago when I stumbled upon CachyOS for the very first time. I don’t think it did anything noticeably different back then compared to now. But as it was still relatively new, people didn’t quite jump on the bandwagon. As such, I actually received quite a bit of condemnation whenever I tried to recommend the distro to others. I’m glad to see that it’s currently flourishing. Congratz to the CachyOS team for sticking to their guns. Whenever a product is good, it will eventually receive recognition.

I put it on my partners computer after Aeon crapped itself and put the system in a boot loop until I switched the hard disk out.

It is only release candidate software. As such, I didn’t have high expectations. However what you’ve described here is pretty troublesome. And I’d imagine your partner didn’t do crazy stuff that would justify such a reaction by the OS.

I’m personally very interested in the future of openSUSE Aeon. So far, I’ve mostly seen positive reactions. Therefore, a negative experience as such really piques my interest. If possible, could you elaborate upon what had transpired before the system broke? Or perhaps your partners personal experience with the distro in hindsight.

Try invoking ujust distrobox-assemble first. This command is also found on the FAQ page. Enter the container created through this method.

FYI, the userns images have been (or are about to be) deprecated.

Under the USERNS caption of the FAQ , there’s a link to another entry. In there, you may find the following command: ujust toggle-container-domain-userns-creation. After invoking this, distrobox should at least start working.

Do you use GNOME?

Yes, I do! I personally prefer GNOME over other DEs anyways, so I’m absolutely fine with that.

They disable GNOME extensions. Did you turn it back on?

They disable the installation of GNOME extensions by users. But, system-wide GNOME extensions are enabled by default. So, GNOME extensions that are found in Fedora’s repositories can be installed right out of the box. Thankfully, all my extension needs are taken care of within the extensions found in Fedora’s repositories. So, this doesn’t constitute a limitation for me. Curiously, I’ve actually installed extensions through this method ever since I recognized how the other way wasn’t remotely as secure. So this (relatively recent) change by secureblue to enforce it upon everyone (at least by default) came as a pleasant surprise.

Did you re-enable XWayland?

Nope. I initially had troubles with playing games through Wine. But I’ve learned how to use gamescope for that instead. Currently, I’m honestly unaware of anything I’d need XWayland for. Wayland development has definitely come a long way. And while I’m sure some systems and/or workflows don’t play nice with it yet, for myself (pure) Wayland is all I need.

Do you use bubblejail?

Currently, I don’t think I’ve got any use for it:

• The only layered packages are the aforementioned GNOME extensions. I’m unaware if bubblejail can be used to sandbox these. But I’ll look into it. Thanks for bringing this up!
• My GUI apps are taken care of by Flatpak. Which, AFAIK, utilizes bubblewrap already for its sandboxing.
• My CLI apps are taken care of by Linuxbrew. Perhaps these can be sandboxed using bubblejail, but I wouldn’t even know. Thanks for reminding me of this (potential) blindspot!

Also, I’ve heard about the dev(s) and community being a bit toxic, or at least not being a pleasure to collaborate with. But I can’t verify that.

FWIW, this hasn’t been my own experience. If anything, it may give of some “know-better”-vibes like one might recognize from engaging with some of GrapheneOS’ community members.

Does anybody in this sub using Fedora Secureblue?

I do. And have done so for almost a year now.

What is your opinion?

It’s pretty neat. Though, don’t expect to roll your way in without any troubles if you don’t take the effort to read its documentation. Fedora Atomic already does things its own way. However, secureblue, by virtue of its superior security standard, adds its own set of ‘rules’ that one should abide. Personally, I absolutely love how this is enforced. But I can understand why it might be a bit overwhelming for those new on the block. But I have personally helped introduce relative newbs to secureblue and they managed (with some help). So you should be fine; their community on Discord also has been pretty helpful in my experience.

So, if your first priority for your desktop operating system is for it to be Linux-based and your second priority is that it’s properly hardened, then you simply can’t go wrong with secureblue.

I was about to write a long piece comparing different security-focused systems, but I retracted for the sake of brevity. Please feel free to ask a specific comparison if you will.

I’ll keep it relatively brief for fearing unwieldiness.

I’m really not a fan of the “we can’t do anything so let’s sit and wait until everything gets worse” philosophy.

I agree. I hope you’re not implying I’m stating otherwise.

but it was accepted because it was the best thing available at the time for the purpose

More like Red Hat pushed it as the new standard and the rest followed suit. Distro maintainers are pragmatic and reasonable people. They’ll more often than not go for the path of least resistance.

A clear cut example of this would be how most distros don’t opt for btrfs in combination with time shift or snapper for snapshot functionality. So clearly, they are not really trying to offer the best solution. Instead they just try to push a system that’s as easy as they come for them to maintain and act accordingly.

the community needed a standard

And we already had one: SysVinit. Don’t try to rewrite history.

I initially started writing a reply on the remaining text but noticed that my writings were continued to be misunderstood. Therefore, I decided to retract any further reply and will choose to stop engaging in this conversation. Thank you for the engagement. However, I would like to offer a small piece of advice as a fellow Lemmy user:

In future conversations, whether they are debates or discussions, please try to understand what the other person is saying. Avoid creating a straw man argument. If needed, ask for clarifications to ensure you fully grasp their point. If you continue to have difficulty understanding, consider alternative approaches to gain a better understanding.

I don’t know how this conversation deteriorated, but I’ll let it be. Thank you once more. For the record, I don’t think this conversation will be productive moving forward. You seem to be focused on your own points without trying to understand the other side, which is fine. You don’t have to try to understand me; I may not be important. However, the ideas I try to convey might be, and it’s more important to consider and understand those.

Anyhow, I wish you the best.

I think I better understand you now. Btw, I had changed my previous reply moments before I read your reply. My bad*.

I meant that I support this distro as long as it’s not immutable because I’m an opponent of immutability on the desktop. If they’re also making other kinds of systems, immutability may be beneficial there.

Have you been around since before the introduction of systemd? Systemd’s introduction was a lot more invasive and threatening to ‘traditional’ distros than immutables are today. Distros changed to systemd over night. Only Arch and Debian had communities that succeeded in establishing systemd-less derivatives. By contrast, the interest for immutability in existing distros (almost always) means a parallel distro is created with (at least initially) immutability tacked on.

So, please correct me if I’m wrong, but I feel as if you’re being too aggressive/overreactive considering how nonthreatening immutable desktops are to traditional distros.

Sometimes innovation change is bad or rushed (such as removal of X11 on Fedora).

Fixed that for you 😉.

Often only people with the newest hardware can benefit from it anyways.

Fair, but as unfortunate as it is, that’s basically a consequence of consumerism. I don’t like it, don’t get me wrong.

They don’t care about regular users making the products worse for them which is basically egoism.

I don’t think this applies to Linux overall. Fedora (and Red Hat by extension) have a vision that made them default to Wayland by default. So you’d be right to blame their policy. But this is nothing new for Fedora; they’re known to push bold changes. You might not like it or disagree with them. Fine. But is it important enough to hate them for it? Isn’t life too short for that?

There is a reason for proprietary products having legacy support after all.

Are you implying that doesn’t apply to Linux? I don’t understand. On an open system like Linux is, this doesn’t really seem to hold much weight. You can swap stuff around as you see fit.

They claim to have a lot of features.

What features are you referring to?

As I understand it, it’s basically trying to answer the following question: What if we could start over and use existing building blocks to make a simple yet complete system using the Linux kernel? All changes have been made in accordance to that basic premise. From replacing GNU in GNU/Linux with BSD, to choosing dinit over systemd as init system.

I hope they succeed (as long as it’s not immutable)

Are you one of those with a raging hateboner towards everything immutable? I ask this as I don’t see any reason to bring this up in the first place.

FWIW, I absolutely hope for it to succeed as well. Innovation (of any kind) pushes the industry forward. When people oppose innovation for whatever reason, it always reminds me of Henry Ford’s famous quote: “If I had asked people what they wanted, they would have said faster horses.”

Sorry for late response.

Also didn’t know about secureblue

Yup. It’s a relatively new project and doesn’t try to be very newbie-friendly. Hence, will not be talked about commonly in threads. Rightfully so, as I’d argue exquisitely hardened systems simply have to prefer security over convenience.

But it’s definitely neat and had its fair share of users. As the folks over at GrapheneOS and Privacy Guides seem to be enthusiastic on it, I wouldn’t be surprised if it receives a new influx/stream of users once community members of GOS have launched a dedicated website on it (which is already in the works) and the peeps responsible for PG’s recommendations have finally included secureblue as their de facto Linux recommendation.

hopefully it can all work together

So do I 😊!

Thank you for the chitchat! I wish you the best!