Add Brace, a toolkit to enhance privacy/security on Linux


Website

Short description

@SkewedZeppelin's configuration toolkit that can increase security and allow one to quickly install certain apps

Why I think this tool should be added

On Fedora Atomic, Brace has some overlap with secureblue’s configurations. However, unlike secureblue, Brace isn’t limited to just Fedora Atomic. It seems to be available on every PG recommended distro.
(I’ve also been schooled on Brace multiple times so I can really see its usefulness :laughing:)

Section on Privacy Guides

Linux Overview

1 Like

What applications does Brace install for you? I haven’t had a close look at the repo yet, but it seems like it installs a hardened version of Chromium?

I’d love any testimony from your experiences using it, if applicable.

1 Like

I personally find that Brace’s applications are less important than the configurations. But Brace does help install stuff like Tor Browser without having to compile it from source or use the Tor Browser Installer, which is useful.

2 Likes

Hello, I know the question wasn’t directed at me, but I want to share my experience.

I’ll put here the direct link to the program package, to facilitate the discussion:

What can I say?
When I used this Brace Toolkit, as mentioned by the other member, it only installs the settings you expect.
To install the recommended programs you have to run a command built into the toolkit.
Once you’ve done that, it will give you suggestions:

```
INFO: This script is intended for use on desktop machines, not servers!
INFO: This script is geared towards personal use and some packages may not be appropiate for business systems!

Would you like to simply install all recommended packages?
"Yes" "No"

category='Internet'
packagesFedora='firefox mozilla-ublock-origin chromium liferea'

category='Reference'
packagesFedora='kiwix-desktop'

category='Tor'
packagesFedora='tor torsocks onionshare torbrowser-launcher'
```

What new, or different, experience did I get from using the command?

I chose to install the apps category by category and discovered Tor Browser Launcher!

Being related to Tor Browser, I went to see if it was safe. Then I discovered (rediscovered) the author Micah Lee!

Until then, even though I’d seen his name in other places, I hadn’t recognized it or given it due importance. Today I read his blog and remember his apps, thinking about demonstrations, human rights, etc.

Anyway, my experience is that I discovered some cool new apps, which I installed for “fun” and “discovery”, uninstalled most of them, and used a few while I was on Linux, until I went back to Windows.

@SkewedZeppelin Please let me know if you would prefer me to ask this elsewhere, but are there any plans for adding in Brace the option to replace GNU utils with uutils, sudo with sudo-rs, bash with fish shell, and sysctl with systeroid? I was considering opening up a topic to ask PG to suggest these replacements in the Linux Overview, but if Brace would be able to install them, PG recommending Brace would already do that.

Thanks!

1 Like

@anonymous261
changes like that would be out of scope and should be done by the distro

1 Like

Would you be able to consider Phoenix instead of Arkenfox for Brace?

I like Phoenix, I mean, some stuff annoys me sometimes, but it’s more due to BadBlock than anything, arkenfox is just like a simple base that requires the user to know more about security, e.g. you should disable Firefox’s password manager in favor of your own, whereas Phoenix makes these decisions the default for you. Having both brace and Phoenix collides though, I end up removing it from the build.

Brace is very nice, there’s some annoying changes, like disabling connectivity checks, RFP in Firefox, dconf configs that modify things that are too personal, enables systemd-resolved’s broken DNSSEC validation, but otherwise, it’s a good starter. Personally I’ve had to fork it (lucasmz/brace-usability on Codeberg.org) to try and solve these annoyances.

The surrounding ecosystem though, with real-ucode and firejail builds though, is quite nice, real-ucode is a real lifesaver. Tavi themselves told me to run `dmesg | grep microcode` and that showed me my processor was vulnerable. Installing it solved it, always recommend updating your firmware though. This is something Secureblue doesn’t try to solve.

The Phoenix developer also has a fork of Brace: celenity/Slingshot - Codeberg.org

Some notable things to me that Brace fixes for example are: blocks unauthenticated installs/removals with PackageKit on Fedora, enables opportunistic DoT, enables IPv6 privacy extensions (disabled on Fedora! as if it was a server or something! bad), uses NTS for secure time (helps with the use of time in TLS), MAC randomization in networking… All missing in the recommended by everyone Fedora.

1 Like
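An added example, not part of the post above and not Brace's own code: a shell audit for four of the settings the post lists, using the standard systemd-resolved, sysctl, chrony and NetworkManager keys. The function names, the file locations searched and the constructed sample tree are assumptions; Brace's actual file names and values are not shown on this page.

```shell
#!/bin/sh
# Added example: audit config files for four settings named in the post.
# File locations and function names are assumptions, not taken from Brace.

# has_setting ROOT REGEX PATH...: true if a non-comment line under any
# existing PATH (file or drop-in directory) matches REGEX.
has_setting() {
    hs_root=$1; hs_re=$2; shift 2
    for hs_rel in "$@"; do
        [ -e "$hs_root/$hs_rel" ] || continue
        grep -rhsEv '^[[:space:]]*[#;]' "$hs_root/$hs_rel" | grep -Eq "$hs_re" && return 0
    done
    return 1
}

# check NAME REGEX PATH...: print a verdict and count failures.
check() {
    ck_name=$1; shift
    if has_setting "$ah_root" "$@"; then echo "PASS $ck_name"
    else echo "FAIL $ck_name"; fails=$((fails + 1)); fi
}

# audit_hardening [ROOT]: exit status is the number of failed checks.
audit_hardening() {
    ah_root=${1:-}; fails=0; ws='[[:space:]]*'
    check dns-over-tls "^${ws}DNSOverTLS${ws}=${ws}(opportunistic|yes|true)" \
        etc/systemd/resolved.conf etc/systemd/resolved.conf.d usr/lib/systemd/resolved.conf.d
    check ipv6-privacy-extensions \
        "^${ws}(net\.ipv6\.conf\.(all|default)\.use_tempaddr|ipv6\.ip6-privacy)${ws}=${ws}2" \
        etc/sysctl.conf etc/sysctl.d usr/lib/sysctl.d \
        etc/NetworkManager/conf.d usr/lib/NetworkManager/conf.d
    check nts-time "^${ws}(server|pool)[[:space:]].*[[:space:]]nts([[:space:]]|\$)" \
        etc/chrony.conf etc/chrony.d etc/chrony
    check mac-randomization \
        "^${ws}(wifi|ethernet)\.cloned-mac-address${ws}=${ws}(random|stable)" \
        etc/NetworkManager/conf.d usr/lib/NetworkManager/conf.d
    return "$fails"
}

# Constructed sample tree: DoT and NTS are set, the other two are commented out.
make_sample_tree() {
    mkdir -p "$1/etc/systemd/resolved.conf.d" "$1/etc/sysctl.d" "$1/etc/NetworkManager/conf.d"
    printf '[Resolve]\nDNSOverTLS=opportunistic\n' > "$1/etc/systemd/resolved.conf.d/dot.conf"
    printf '# net.ipv6.conf.all.use_tempaddr = 2\n' > "$1/etc/sysctl.d/ipv6.conf"
    printf 'pool time.example.org iburst nts\n' > "$1/etc/chrony.conf"
    printf '[connection]\n#wifi.cloned-mac-address=random\n' > "$1/etc/NetworkManager/conf.d/mac.conf"
}
```

The audit reads files only and does not resolve drop-in precedence, so a PASS line shows the setting is present in a config file, not that it is the effective value on the running system.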

Hi everyone, especially @SkewedZeppelin, thank you for creating Brace, it is very useful. Also, I would love to get feedback from Brace users. I’m not technical, so please excuse me if these questions seem basic.

I am interested in using Firefox with ArkenFox via Brace on my Fedora GNOME system for better privacy and fingerprint protection, but I want some usability tweaks. Here are my ideas and questions:

  1. ArkenFox “braced” as an upgrade? Does Brace’s modified ArkenFox/Firefox act as an enhanced version of plain ArkenFox? Is its goal to match or replace the Mullvad Browser in terms of privacy/fingerprint protection? How does it compare to the original ArkenFox in terms of protections (e.g., same base settings)? For advanced fingerprinting protection, I already use the Mullvad Browser, so I don’t see much advantage in using Firefox with Brace’s default setup.

  2. I’d love to use ArkenFox braced, but I would adjust a few things for daily use, like:

  • Setting RFP privacy.resistFingerprinting to false (for dark mode support).
  • Setting privacy.resistFingerprinting.letterboxing to false (for max screen resolution).
  • Setting javascript.options.wasm to true.

I know this weakens fingerprinting resistance. It seems counterintuitive to tweak a hardened setup just to make it practical for daily use. Would it be better to use standard Firefox with the recommended configuration + uBlock Origin, or even Brave (which I’m not a big fan of)? What would be the minimum level of protection I would still have?

  3. With Brace’s ArkenFox, it seems impossible to add extensions or new languages via Firefox UI (tested a few). Is this by design? How do I safely add something like a language pack without compromising security? Is it through user-overrides.js or something similar?

Overall, Brace seems ideal for folks like me who can’t manually configure ArkenFox, and I really appreciate its combination of Firefox hardening with other good tools. Any tips for my Fedora setup? Thanks! :grinning_face:

ArkenFox is a template, brace changes some few settings as marked with the //BRACE comments

no, you should still make use of Mullvad and Tor Browser where appropriate, but just use eg. Braced Firefox as your eg. good/safe/login only browser.

I do not recommend making any changes like that.

extensions are purposely blocked for security, nearly all of them are a risk

this is new to me, I always assumed they were bundled, I’ll look into it

1 Like

Brace’s Arkenfox is not very different from upstream; if you check brace/usr/lib/firefox/browser/defaults/preferences · master · Divested Computing Group / Brace · GitLab and check for “BRACE” inside of the arkenfox file, it’s mostly disabling JIT, enabling RFP instead of FPP, and disabling some other features, and some fixes because arkenfox isn’t intended to be installed this way;

Phoenix’s JIT settings seem a bit more mature: there’s a few more flags being messed with than the ones in arkenfox+brace and an important note about WASM requiring JIT

1 Like

I could understand this if it excluded password managers, you can’t even install Bitwarden or KeePass: brace/usr/lib/firefox/distribution/policies.json · master · Divested Computing Group / Brace · GitLab which to me is more likely to allow for phishing attacks, as now the user has to copy passwords and paste them in, and so the basic URL checks provided by a password manager are lost; also the support for manager passkeys is lost, not only that but now they’re passing through the boundary of the desktop instead of staying somewhat contained into the browser, and other apps can read that password from the clipboard, which isn’t secure in desktop environments

if unconfined, the number of ways a desktop app can spy on the user is infinite. If the clipboard specifically is a concern, you can always use autotype functionality.

Also, things like https://discuss.privacyguides.net/t/zero-day-clickjacking-vulnerabilities-in-major-password-managers aren’t possible with desktop password managers

1 Like