I’m considering switching from Arch Linux (specifically CachyOS) to Fedora Silverblue, and I’m curious to hear thoughts from people who have experience with immutable systems and care about privacy and security.
As a developer, I rely heavily on Neovim and Doom Emacs for my workflow. I keep most of my config in the .config directory and I have a custom setup for dotfiles that I replicate across machines. I also prefer to have a relatively lean system with tools I can trust.
What are the real benefits of switching to Silverblue from a privacy and security standpoint? I understand the idea behind immutability and how ostree works, but I’m wondering how that plays out in day-to-day development tasks. Will I run into issues with package availability or software that doesn’t play well in Flatpak or Toolbox? Are there any major changes in how dotfiles are handled in Silverblue compared to a traditional system?
How does the developer experience hold up when using things like language servers, compilers, and debugging tools? Does everything integrate smoothly, or are workarounds needed?
Basically: why should I switch, and what pain points should I expect? I’m willing to adapt if the long-term benefits are clear, but I’d love to hear from others who’ve gone down this path.
Lately I’ve been leaning towards staying on regular Fedora Workstation. I considered many times trying Secureblue, but for my use case and threat model it doesn’t bring that many advantages.
I really liked the idea of Silverblue, but it is such a pain to use because not everything I use is available in rpm-ostree, and rebooting during each update of each .rpm package I have installed is a genuine pain. I thought I could power through it, but it is really annoying, and I just gave up and went back to regular Fedora.
I partly blame Proton for not having official flatpaks, but I’d rather have them not support it than have its security executed in a half-assed fashion.
I daily drive Silverblue and have found little issue with it. I do, however, harden the system a bit further with brace, firewalld and SELinux. With the proper steps it becomes a fairly secure system that is much better than stock, closer to Secureblue’s implementation while maintaining a bit more usability.
As a side note if you are not using brace on Arch you probably should! SkewedZeppelin could explain the use case much better than I.
Enable Kernel hardening using mitigations=auto, slab_nomerge, slub_debug=FZ, page_alloc.shuffle=1, randomize_kstack_offset=on
Flatseal is great to control flatpak permissions
Brace MAC address randomization, IPv6 privacy, and fingerprint reduction
Brace Sysctl hardening is a must
Atomic distro is read-only root
If you want a really top-tier solution, Secureblue is the best, but since I found it to hamper some of my daily activities negatively, I needed to find a better solution, and I think Silverblue with extra hardening is the way to go.
These are available within the rpm-ostree and seem to be supported without issue. After hardening you will want custom SELinux policies to mitigate possible extension denial.
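Added example, not from any poster in this thread: a small POSIX shell script that compares a kernel command line against the hardening parameters listed in the post above and prints the rpm-ostree kargs command that would add the missing ones (or replace a key that is set to a different value, such as mitigations=off). The parameter list is the one from the post; the helper names and the constructed sample command lines in the comments are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Checks which of the recommended kernel
# hardening parameters are absent from a kernel command line and builds the
# rpm-ostree command to fix that. Kernel arguments only take effect after a reboot.

# Parameters as listed in the post above.
HARDENING_KARGS="mitigations=auto slab_nomerge slub_debug=FZ page_alloc.shuffle=1 randomize_kstack_offset=on"

# karg_state CMDLINE KARG -> prints "present", "conflict" (key set to another
# value, e.g. mitigations=off) or "missing".
karg_state() {
    cmdline=" $1 "
    karg=$2
    key=${karg%%=*}
    case "$cmdline" in
        *" $karg "*) echo present ;;
        *" $key="*)  echo conflict ;;
        *)           echo missing ;;
    esac
}

# kargs_command CMDLINE -> prints the rpm-ostree invocation that appends missing
# parameters and replaces conflicting ones; prints nothing when all are present.
kargs_command() {
    cmd="rpm-ostree kargs"
    changes=0
    for karg in $HARDENING_KARGS; do
        case "$(karg_state "$1" "$karg")" in
            missing)  cmd="$cmd --append=$karg";  changes=$((changes + 1)) ;;
            conflict) cmd="$cmd --replace=$karg"; changes=$((changes + 1)) ;;
        esac
    done
    [ "$changes" -gt 0 ] && printf '%s\n' "$cmd"
    return 0
}

# Constructed sample: "rhgb quiet slab_nomerge" would yield
#   rpm-ostree kargs --append=mitigations=auto --append=slub_debug=FZ ...
# When run directly, report on the running kernel instead.
if [ $# -eq 0 ] && [ -r /proc/cmdline ]; then
    kargs_command "$(cat /proc/cmdline)"
fi
```

Review the printed command before running it with sudo; the new arguments land in a new deployment, so a bad one can be rolled back like any other rpm-ostree change.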
To me, the killer feature of Silverblue and the Fedora Atomics is safe automatic updates. When enabled, your new deployments get downloaded and prepared in the background, and when you next reboot they are active. If there are any issues, you can just roll back to your previous deployment, or rebase to an older version. You can also swap desktop environments with ease.
I used Silverblue and Fedora Atomics a lot these past years, but now I favor NixOS. I view NixOS as more akin to Arch Linux: you configure and specify exactly which software to include in your machine. It’s also harder to learn, but once you get the hang of it, it’s really powerful. And the software repos are incredible: over 100,000 packages. Basically, if it’s FOSS, it’s probably there.
I only play one game, which is Guild Wars 2. Normally I’d play it in Lutris, but it’s fine on Steam, at least on Arch. I may give it a try on Secureblue and see if it works well.