My Linux Migration Considerations: Privacy, Security, and Convenience for a Beginner

Introduction:

I decided to post because, even though I did research, I could not find much information about the below. I hope this post ends in clarification that strengthens my, and potentially others’, understanding about Linux. Any piece of clarification is appreciated!

I placed key pieces of information and questions in bold for those wanting a concise, yet informative overview on my query.

Context, Distros & Issues:

I despise Windows 11 and wish to move away from it, and, as you know, some annoying features have, without my knowledge, been enabled by default. I disabled OneDrive sync once I was aware of this. I later found out Microsoft was willing to push out their terrible AI feature which was postponed due to backlash.

My goal is a migration to Linux, and I’m considering Fedora Workstation. (It fitted perfectly into my workflow when I tested it in a live session; I got used to the GNOME DE surprisingly - to me - in a few minutes.)

One question is Fedora Workstation doesn’t seem to be suitable for a Linux beginner like myself, especially after reading this post. In that case, what would be an adequate recommendation or is Fedora Workstation still fine? Someone spoke about openSUSE Aeon, which I tried to test, but had trouble booting a live session. However, openSUSE Aeon is still in “release candidate” stage, and the lack of document is unacceptable for my use-case, as someone said here. (I couldn’t have said it better myself.)

I would prefer to have activities, such as schoolwork, hobbies, and the like, done without worrying about my operating system. However, if I have to do some configuring or learning curve, by all means I will!

I dislike Ubuntu and Linux Mint since they seem to all have their share of cons I don’t want to accept. For example Linux Mint having Wayland in beta stage. In Ubuntu’s case, I tried to boot a live session, and it seems to have - in my opinion - completely ruined the GNOME DE; so that was the end of considering that, along with this post against Ubuntu. (I don’t want to come to another operating system just to de-bloat it like I did with Windows 11) Pop!_OS seemed interesting but this post stopped my entire consideration of it.

Threat Model & Examples:

My threat model is to avoid surveillance capitalism, mass surveillance, public exposure, and passive attacks without making extreme sacrifices to convenience. For instance, I do not want to use QubesOS since the tradeoff is substantial, especially after reading this post. Neither will I use something like KeepassXC. (Although I like their design over Bitwarden and Proton Pass.)

In summary, I want to have a balance of privacy, security, and convenience.

I have little to no reliance on “Big Tech”, except using Microsoft Word which I’m currently forced to use for school. Positively, for that situation, I’m convincing my teacher to accept more privacy-respecting alternatives to Microsoft Word.

Unfortunately, I rely heavily on using a HP Printer for scanning documents, again, for school. More specifically, a HP LaserJet MFP 234dw.

I briefly looked for any ways to mitigate this issue, and reliance on Windows, then came across Linux Mint being able to scan. (Apologies if your IP address is blocked.) I also found this concerning Fedora’s HP printer issues. I can’t seem to find anything about Fedora Workstation’s HP printer scanning capabilities though, which is my issue.

Another issue I have is understanding Linux sandboxing, and the best ways to install applications. I would greatly appreciate if someone directs me to a trustworthy source to answer all or the majority of my query.

Flatpaks, Sandboxing & Applications:

Are all flatpaks not safe? Most, if not all, are labelled as “Potentially Unsafe”. I also noticed that nearly all applications on Flathub, by default, have broad permissions, including verified ones. Please elucidate this to me, since I am quite new to Linux.

Apparently, Signal’s unofficial flatpak should be avoided. Others say that you could read and vet the manifest file. Although that would be an adequate solution, time is precious and I would rather spend my time on other various issues.

In addition to that, while it does make sense unofficial flatpaks should be avoided, what about verified applications like Notesnook? Does a verified flatpak that mean it is safe to use? I read this post, but it doesn’t seem to answer my questions very well.

I researched into whether I can install software from official sources and found out I could. Does that change anything? Is the sandboxing better? I believe MacOS has more robust sandboxing, permissions control, decent privacy, and convenience compared to other operating systems, and would be my go-to. If I am wrong, please feel free to clarify.

In addition to all that, flatpaks, by default, require broad permissions, like OnlyOffice, as an example, unless that is normal? I read that unofficial applications maintained by the community, such as flatpak Signal, may ship with malware or insecurities. Is a VM a viable option? If so, which VM would be fine? How do VMs work. I admit that I have no experience and little knowledge about them, which is why I am asking.

My concern with browsers on Linux stems from sandboxing. Furthermore, is Brave, or Chromium-based browsers in general, on Linux, a decent option? I have read somewhere - on this forum or Techlore Forums - that Firefox is the best browser for Linux. Is that true, and can I use Brave, or other browsers, from its official download, without worrying about it shipping a weakened sandbox?

Linux’s Security Issues:

I became very concerned about Linux security after reading this post. Apparently its apps sandboxing lags behind MacOS and Android. Neither does it have verified boot, but I assume Windows does not either, since it’s not mentioned on posts like this and this other. Nonetheless, Fedora seems to be aiming towards being as secure as MacOS.

Conclusion:

I genuinely thank you for reading this! I wrote this in Cryptee, and it took me roughly 4 days to compile, and was very exhausting to find information to backup my claims.

It takes longer than expected to boot from the USB stick, was that the case or did you experience a different issue?

It was quite quick to go to the installation menu. I used this USB flash drive which was bought for a bargain. (£19 for 256GB, RRP was £51, compared to £12 for 128GB. And yes, I’m in the UK.)

I don’t exactly know how to describe it, but I clicked on “…more” and went to “Boot from…”. (I can’t remember exactly what the name was, but it was the first option.)

After that, it said “Loading kernel” and I was concerned about breaking my system so I ended it there.

Around a few days later, I tried again and ended up on the home screen yet declined a prompt to install it, which ended the session.

So there wasn’t really any issues, you just stopped the installation.

Just a question: Is it like Ubuntu’s prompts that allows you to have two options, one for installing and the other for a live session, after a basic setup?

I was unfamiliar with it and wanted to take a minimum amount of risks, although that was - now that I think about it - not much of a risk.

It’s also because I do not want to purchase another laptop, as I purchased this one in the middle of 2023, and if anything wrong happens, such as accidentally installing a Linux distribution I am only testing.

Aeon is designed to be run on bare metal, not in a live mode or a VM. There is no option to run it in a live mode.

There is no risk, you could just reinstall Windows 11 or another Linux distribution.

Just make sure you have any documents/files you need backed up somewhere, because the install process will wipe your drive.

Aeon already has this warning, and I assume that any sane distribution has it too.

fwiw my personal experience shows the Samsung style of that to be much faster at the same price.
Please also be sure you’re using a modern kernel, there was actually a quirk set that caused it to run slower: [PATCH v3] Revert "usb: storage: Add quirk for Samsung Fit flash"

also in general with flash drives, the 256gb and up ones are usually 30-50% faster than the lower capacity variants due to having more/better nand chips

if you do want to boot from usb long term you’re much better off getting a decent nvme enclosure and any trusted brand of nvme disk for like twice the price of junk flash drives at 1000x the performance and reliability

Agreed. Nevertheless, I would rather not install a Linux distribution only to find that it is not for me. For example, if I installed Linux Mint, imported my backed-up data, yes I have already done so, and realize it doesn’t even use Wayland to go back to Windows or try another Linux distribution would be a waste of time.

I admit, I don’t quite understand what you mean by long term, unless you imply booting operating systems from it, but it was for testing Linux distributions, along with other uses.

Edit: I now understand what you mean and will keep your suggestion in mind as I have a spare SATA SSD. (I am going to completely replace Windows 11 once I have enough knowledge, which is why I am asking questions before proceeding.)

Firefox is probably in most/all Linux distros being an open source and available. And/Or Chromium.

Brave is not in all distros repos. Those distros that have user created packages likely have a package or build script to install it. Ie, Arch’s AUR. Brave does have an official flatpak and that appears to be updated within hours when a new version is available. You probably want to install Brave from your distro’s repos if it’s there, such that you’ll get updates along with your system updates.

1. Fedora is perfectly fine for beginners. Linux community on the whole is very dogmatic, and hence the post you linked happened - They simply were too used to Ubuntu to feel good about fedora. Since you are just starting out, Fedora will be your first experience, and hence it will be very user friendly for you.

2. OpenSUSE Aeon is also fine. Release candidate is not a problem, its merely project management speak for something 99.99% close to release. Lacl of documentation is a real problem, hence I still recommend fedora. Use the default Gnome version if you want a basic UI. Fedora is very similar in UI to Gnome standards.

3. I am assuming you are a college student. Most of your activities will probably be exploring PDFs, watching video content, writing documents and presentations, and maybe playing games. Its very easy to do all this with the default applications in fedora (except gaming).

In fact, if your work doesn’t include any special media software (adobe, etc.) I would even recommend you use Bazzite or Bluefin versions of fedora (they have almost everything you need preinstalled, and the OS needs no maintenance.

3. QubesOS is Overkill for your threat model.

4. Use Only Office, it has perfect compatibility with Microsoft Suite. No need to convince professors to use anything else unless you want to lead that cause.

5. I use Brother printers for scanning, they work perfectly. HP also seems well supported (Link)

6. Use Flatpaks. Don’t waste your time with Bubblewrap and firejail. You are a student, don’t fight your own laptop constantly. Flatseal can help you deny any permission you don’t want an application to have.

7. The marking of apps as potentially unsafe is a terrible metric. It is based on the permissions they ask, and not actual code review. Verified flatpaks are safe as far as you trust the software developer. Try to stick to them. Community flatpaks are not always the best.

The flatpaks have broad permissions because linux desktops do not have granular control. Its slowly being developed (Hopefully). Not sure why this would be a concern if you trust app developers. Most desktop OS are not made to use hostile applications, including Windows and Macs.

8. Both things are correct. Don’t use unofficial flatpaks, especially for sensitive connections. And yes, you can review it using manifest, but why waste time. Again your time is a limited resource, don’t waste it fighting your OS and applications.

9. Always use verified flatpaks and official software stores. MacOS sandboxing is also opt in, so it’s also safe only as far as your trust the dev. Again, your desktop is not meant to run hostile software safely.

Totally normal. It is on flatpak model to mitigate this, not application developers. Restrict what you are uncomfortable with uwing flatseal.

Unsafe applications are unsafe everywhere. Again, dont try to run hostile apps. VMs are better than just desktop though for running “bad” apps. You can use Gnome Boxes for running VMs.

Just use Brave and configure the settings once. Firefox doesn’t beat Chromium, and Brave is opposed in some communities because of their hate of crypto and the founder (both of which are irrelevant to short term browsing.) Remember to not install the brave flatpak, and actually install it as system level and your will be fine (dnf in fedora, rpm ostree in bazzite and bluefin)

Don’t worry about sandboxing, all desktop OSs are terrible. Windows sandbox can be bypassed based on where you install the app from. MacOS sandbox is optional. Flatpaks are decent enough. No desktop OS has proper verified boot, only incomplete implementations that trust vulnerable components.

Thanks for researching and not just asking stupid unresearched questions. Made me inspired to answer this. Again, don’t waste your time tinkering or after ideologies, just study well. If you stick with linux, you will have plenty of time to waste later arguing which distro is best , its our favorite pastime.

Couldn’t add more quotes because Discourse doesn’t allow more than 2 links to new visitors, and your quoted contained them. Feel free to ask anymore questions you have, this process can be daunting

Overall, I’d say you are doing a good read of the Linux situation. If you haven’t reformatted your windows machine, I’d suggest to hold on for a little while longer till you iron out things. Dont try everything out in one fell swoop. Its going to be painful. Try to remove one Evil Company at the time*, per month perhaps, until you settle down in relative comfort.

With regards to choosing Distro:

• My recommendation is that when you have a semestral break, I would recommend to try most of the major Linux distros that interest you and see if you like it. Also try all the desktop environments (your DEs) and window manager (WMs).
• Before you do all that, I’d recommend that you have a separate /home partition in your drive to make it easier to move around while keeping your files and most of your configs. Not all distros put the configuration files in the same place and developers are very opinionated about the way they do things, but dont let that dissuade you.
• If you think you have found the distro that you want and would decide to stop distrohopping, you can start on the LUKS full disk encryption. It’s very hassle to do this each boot but I feel less worried if my laptop/computer gets stolen.
• distrobox seems to make choosing between .deb (from Debian based distro), .rpm (RedHat based) and PKGBUILD (from Arch) seem to make the base distro less relevant at this point.
• The only reason I use Fedora is that it breaks less as a desktop because the corporation backing it spends time and money on software testing prior to release. Ubuntu is also good but they have funny and weird agendas that the Linux people seem to love to hate but for the most part, they work and they do try to make things work. Both of these are enterprise backed and the open source people are extremely opinionated.

In the end, you dont have to drink the same koolaid as everyone and you are free to experience it firsthand, without bias. Unfortunately, reading from guides and forums, you can start have to have some preconceived notion on what is acceptable or not.

With regards to Office Suite

• If your Windows is still around, I’d recommend that you grab all of the fonts in the windows font folders. Most of the open source document compatibility stems from formatting issues by not having your windows fonts. Do check your distro on how to import said fonts.
• If you are macro/plugin heavy user, consider using the online 365 instead and use MS Office from a browser.
• Only Office development seems slow. I’d pick LibreOffice bloat any time over it because a lot more people develop it.

Gaming

• Gaming is 80% there. If you dont play online competitive multiplayer with unsupported Linux anticheat, I’d say you’re 100% there. There are a lot of competitive online games on linux with working anticheat.
• I hope you are on a Radeon card though. While Nvidia is functional, Radeon is simply a lot less fussy, not like the petulant child that is Nvidia but things seems to be improving (?) I dont know since I only have Nvidia on a laptop and I dont play much on this laptop anymore.

Password Manager

I’d still think KeePassXC is superior to both Bitwarden and Proton Pass but if sanity demands that you use a cloud password manager, you cant go wrong with those two and I am inclined to use cloud syncing password manager for ease of use in the future.

Flatpaks/AppImage/etc

Dont overthink on flatpak and sandboxing for now. Discussion about it certainly have a place but it is a bit too much and too deep for someone just starting. For me native distro provided binary > Official Flatpak/Official AppImage/Official Snap.

I wasn’t entirely sure, since I have a risk-averse personality and overthinks things such as this. That is why I wasn’t sure what Linux distribution to proceed with.

For example, some people suggested Linux Mint as one’s first distribution, others Ubuntu, and PrivacyGuides recommended Fedora Workstation.

In this Reddit post, I saw that some were bias to Fedora KDE Plasma, and others to Fedora Workstation. I tried both out, and found Fedora Workstation to be - in my opinon - the better option.

Surprisingly, I am not a college student. I am a student though.

I do schoolwork, research for queries like this, reading posts from forums, and watching content. That is basically what I do. I don’t game at all, so lack of gaming on Linux isn’t a concern for me.

I found OnlyOffice to not look great on Windows. It may look different though, on Linux, since LibreOffice looked better on Linux; I will need to verify that.

Thanks for the link. I completely overlooked that.

I was guessing so. Firejail didn’t seem like a good idea, according to this post.

I was very stressed about the sandboxing and it bothered me because I read posts like this which made me uncertain to whether I should proceed with my migration to Linux or not.

Thanks for responding as well! There are many queries that have little to no research at all.

That’s the pièce de résistance of switching to Linux.

Firejail is much much better than having no sandboxing. Privilege escalation is only a concern if your OS already enforces proper privilege separation. If your apps aren’t sandboxed, there is no privilege separation. Firejail is worth it. If you want to invest more time into securing your computer, you can also use Bubblejail. But as a new user, just focus on getting things working… One step at a time.

I recommend against KDE. Some releases are solid and the project is cool, but for a new user it will be a PITA. Plasma 6 was broken on release. Now I hear it’s better but there are still a lot of issues that people complain about.

I don’t like gnome. But objectively it’s the best choice for a new user.
EDIT: also, a good thing about static release distributions like Fedora, is that they freeze the DE major version, meaning that you can wait on updating the distro until your extensions are fixed for the new major release of the DE.

Regarding your choice of distro - as much as I don’t like Fedora, it’s also probably your best choice, objectively. Linux Mint is probably good if you’re a casual user who doesn’t care about sandboxing and only runs trustworthy applications. But the DEs that they ship use Xorg which is bad if you need to restrict your apps, and since it shares Ubuntu/Debian DNA it also shares many of the issues these distros have.

Ideally I’d recommend an Arch derivative, but as a new user, it might be a PITA. I’ve had very few issues with it even when I was new to Linux but that’s just me.

I’d also recommend against using Ubuntu. Maybe it’s better now but I’ve had too many stability issues with it.

I agree, Fedora is great, if your hardware is compatible (and recent) anyway.

OpenSUSE is also great.

Don’t overthink it and try it will be my advice.