I just wanna know, why is trusting System76 a bad idea? I mean, they are among the few companies that disabled Intel ME, that to me means that they are pretty reliable.
System76 is working on their new Cosmic OS, until then I agree they are using the Ubuntu 22.04 version, but they are still issuing security updates regularly.
I agree that rolling releases are better. I use Fedora myself.
Regarding the difference between an LTS and a point release, I was thinking of Ubuntu when I said that.
For example, here are the release notes for the December 2024 release which will be supported for 9 months.
For Ubuntu, an LTS is a version that will be supported for a few years. The versions in between those LTS versions, which can include some security patches and bug fixes, are sometimes called point releases.
I think it’s just different terminology causing confusion, but we both agree that a distro with regular security updates is a good thing.
I’ve been researching this exact issue and in general this is the problem I kept running into:
The more secure the OS, the fewer apps it will run and the less functionality it’ll have.
Is there any reason why you chose OpenBSD instead of FreeBSD? I thought FreeBSD would have more apps available and a much bigger community when you need support?
Thanks for the interest! I’m more active in the Matrix server, but I love the forums too!
I mainly chose OpenBSD because of my familiarity with it, and because of my relatively small use cases. As @Karlson pointed out, virtualization could suit my needs more, so that is basically the only thing I need an operating system to do. I was wondering if OpenBSD could do this task performantly and securely, but I understand there are many other operating systems that could do it to a similar or more secure level. Thank you so much!
I have no idea why Kicksecure is recommended, that recommendation shouldn’t be there in the first place. As for Whonix, it’s the best OS for anonymity, that’s why it’s recommended.
For people saying that secureblue is one guy’s project, go and actually take a look at their GitHub and Discord.
Non sequitur. Perhaps they are reliable at disabling Intel ME, but that does not mean they are reliably secure.
It’s been discussed on this forum, but disabling Intel ME likely compromises security and system stability of the overall machine to secure against Intel ME being rogue. For non-world class threat models, it’s not recommended. Even at that point, there are likely better steps to take before thinking at that level.
Several steps prior to even considering disabling Intel ME would be to install Coreboot, and I’m not sure if their systems explicitly support that.
Not stable enough: Through testing and integration development in Kicksecure, the unresolvable #Issues being found, it has been determined that it will never be stable enough to be suitable for installation by default for all users.
Unclear Benefit: See chapter #Tickets and Discussions. Whenever it has been suggested to other projects to port to Hardened Malloc (HM), it did not get favorable reviews from other developers.
Lack of outreach by upstream: Upstream mentioned that others do not understand HM but also does not have time to engage with them.
Security issues? No. Users can keep using Hardened Malloc (Default) or Hardened Malloc Light until the next major release (Kicksecure version 18) but it will be unsupported.
Architecture support: Limited. (HM supports AMD64 architecture only, which makes Kicksecure progress towards multiple architecture support such as ARM64 and PPC harder.)
Future: Is there any chance this package will get unarchived, maintained again in Kicksecure? No.
There is documentation on how to install it manually anyways if you still want it. It is free software with no user freedom restrictions, so you can make your own custom version if you want.