Interesting! I had heard they were “moving to Linux”, but I didn’t know anything more specific than that. I haven’t used NixOS personally, but I think it might be a good choice. The atomic updates are, at least based on my experience with Fedora Atomic, a really nice boost to stability and ease-of-use.
I have heard some people voice fears that if governments start using Linux, they’ll want to exert more control over it. While I can understand where those fears are coming from, I’d like to think that this will ultimately be a good thing for Linux, bringing more contributors, funding, and programs with dedicated support.
More secure relative to what? I don’t think NixOS is comparable to Secureblue (though I wouldn’t really know, I’m just speculating). I think it may be seen as more secure than something like Fedora Atomic because of the sandboxed “everything is built from source” approach to packages, which makes everything reproducible (at least, if I’m understanding our own description of NixOS correctly: Desktop/PC - Privacy Guides). Other than that, though, I think they probably wanted to avoid Secureblue due to fears of it having more breakage and/or being harder to use. All speculation on my part, though.
I saw this yesterday and got pretty excited about it. It seems to me like this should attract more resources and developers to improving the Linux environment. What’s especially exciting in my opinion is the chance that France may contribute to hardening and improving the kernel itself, where a lot of the security vulnerabilities reside. There’s also a chance that other govs would follow, furthering that trend. I don’t fully understand nix, but I am curious why they wouldn’t just build their own packages and repo and use a more mainstream distro? Maybe nix really is that great?
Reproducible builds are hard to get right, as I understand it. Since NixOS seems to have it figured out already, it makes sense to use what already works. It also has the benefit of being atomic, which, as I said, comes with stability and ease-of-use improvements, but which I can also imagine makes it easier to maintain a “fleet” of systems as a systems administrator.