They aren’t required to be, but even then, macOS at least has a robust permission model for sensitive permissions, even if it doesn’t come close to Android / iOS. It far exceeds what is available and likely what will be available on desktop Linux for at least the next decade.
Qubes is among the most secure Linux desktop OSes. The problem is the Linux guests which are still chronically insecure.
The most secure Linux besides Android (if you want to count that) is without a doubt ChromeOS. Functionality- and especially privacy-wise, though, it is of course far from a good choice.
What I said was that secureblue is preferable to workstation (and atomic for that matter).
That doesn’t mean that you’ll “have security” with secureblue. Security isn’t a switch you can turn on and off.
Frankly, if security is your priority you shouldn’t be using desktop Linux at all. secureblue is for people whose first priority is using desktop Linux, and second priority is security.
I mean, there are many ways to reduce kernel attack surface. It’s surely not as good as whatever Android does but it’s not broken (which is great), and Gentoo users can compile their entire OS with hardened flags to further improve security.
Lack of verified boot is a problem, but we’ll get there. Plus, it’s not nearly as important as application confinement (which is already in a good state).
I am considering installing Fedora 41 Silverblue. I use Fedora 41 right now, but I would love to hear what others say about Silverblue’s privacy & security.
Personally I haven’t used Fedora Silverblue outside of a few short tests. RPM-Ostree is a learning curve I have yet to tackle. So I’ve stuck with Fedora Workstation for the last few years.
As for hardening Silverblue, I believe the best (beginner approachable) way to harden Silverblue is to morph a Silverblue install into a Secureblue install.
Only problem with Linux is that the open source model means that many applications are maintained by developers who sometimes don’t have the resources of a Google or Apple or Microsoft to keep them updated. Some apps are not updated frequently. They are labors of love by underpaid developers doing the best they can.
Some people say open-source is always better than closed source, but that would be true only if they are both maintained the same way. Contrary to what some will say, the big tech companies don’t want a hacking scandal and do spend millions on security. Granted their privacy policies are suspect, but I wouldn’t exactly call Apple’s security posture a joke.
Linux is great, but be realistic about what you’re using and if/how it’s maintained.
Whether that is a problem or not depends on the program. If it’s offline-only, it’s perfectly safe to run it even if unmaintained and vulnerable as long as it runs unprivileged and sandboxed.
Some people promote Mac (or even Windows) over desktop Linux because they implement better security features and exploit mitigations. I think there could be valid use cases for preferring Mac over desktop Linux, but I also think a lot of the “anti-Linux” proponents take it way too far. Some go so far as to say that desktop Linux must be avoided at all cost, implying your security will be compromised if you use Linux.
While desktop Linux (excluding ChromeOS) is fairly small, there are still many millions (or tens or hundreds of millions?) of desktop Linux users. There is no epidemic where desktop Linux users are getting infected and hacked, certainly not more often than Windows users. To be fair, this is at least in part because desktop Linux has a much smaller market share and cyber criminals are less likely to target it. There could be other factors too, like the fact that most Linux users are meant to install applications from an app store rather than trying to search the web for an executable file.
I’ve seen friends, family, and myself easily get infected on Windows before, but never on Linux. Until we start seeing that change, desktop Linux (especially less bad distros) should be good enough for the average person for now. That being said, depending on your irrelevance for your security is a terrible situation to be in. It is extremely important that developers improve the security of desktop Linux to at least match what is offered by its more mainstream competitors, especially now that it is gradually becoming a more popular option and therefore more appealing to cyber criminals.
You made that entire long post without a single good argument for your case. It’s just quite a lot of name calling and sarcasm. Also guilt tripping people that upvoted my comment. The strongest argument you have is that “a lot of people swear by GrapheneOS” which means absolutely nothing. That Debian LTS part was also really weird and pretty much a strawman. Half of the post is just you arguing with yourself and calling names.
Oh, and it was quite interesting to say that I outsource trust while in the next sentence doing that yourself with “why so many entities say GrapheneOS is secure”.
Apologies for butting in, but I don’t think their intention was to criticize GOS itself but rather people who simply take whatever is said by them as absolute truth. Just because -very smart person- said something doesn’t make it true, even more so when missing context.
Take for instance the thread about filesystems, where someone claimed ext4 was insecure simply because some GOS developer said so, while completely disregarding what they meant by this.
While GOS is a great project and sets a high bar when it comes to security, it doesn’t mean that everything that is below their standards is complete garbage, which is what many people who “swear by GOS” think, and assume their threat model applies to everyone else. Sure there are “FOSS cultists” but there are many “GOS cultists” too.