As a Tumbleweed user I would really appreciate any comments from the community. Is it time to move on?
Odd article that frames many positive changes like SELinux and Wayland-only as negative changes imo.
Anyhow if you want to run Linux I can only recommend secureblue.
I feel this is a bit restrictive. Gaming on Secureblue is still very nitpicky. It depends on the OP's privacy spectrum to provide a better recommendation.
To not go that far, using Fedora Workstation, Silverblue, or one of the ublue images may bring a bit of an easier path. Although, I’m not sure about Fedora and derivatives future as a RedHat distro with direct influence from IBM growing and a potential interference.
If OP wants to continue the true rolling release distro nature, there are more options that are community maintained: Arch, Nix (has quite a few polemics regarding American defense contractor collaborations), Void (not a big fan of runit but…), Gentoo…
I was running Fedora right before Tumbleweed and jumped ship after Redhat’s change of heart. OpenSUSE is perfect for me in every sense, gaming included (Steam for the most part). Well, I guess you can’t have it all. Also I’m not a fan of Arch since I’m not that proficient in Linux, but an absence of options makes a choice easier. No matter what, thank you for your suggestion.
I’ll look into it. Thank you.
Sam Bent already has a bad track record and here he’s framing positive changes (like adopting SELinux and Wayland) as negatives. He also highlights that the NSA originally developed SELinux (he claims they’re still developing it but I’m not aware of that and he provides no source), which reads to me like he’s implying that SELinux is untrustworthy or inferior to AppArmor, which just doesn’t make any sense.
I can’t speak to the other points but considering this alone, I’d disregard anything he has to say. There’s only so much time we have and I’d hate to waste it on someone who’s been known to spread misinformation and bad advice. If there are any serious issues, I’d assume someone more competent and trustworthy would bring light to it some time soon.
+1 for selinux and wayland, those are some big improvements for suse.
I ran OpenSUSE Kalpa for a long time. My threat model changed, though. Secureblue was impractical for me, so I opted for Arch + DWL with a declarative config, my own hard fork (work in progress) of transactional-update meant for Arch, with most of Secureblue’s defaults. I did loosen Flatpak permissions (but still only use verified) and use Xwayland for a work app. I’ll address each of the article’s subjects below.
SELinux
Was developed by NSA. I understand they forked and moved on with their own version. I have personally seen companies follow best practices and still get compromised by advanced groups. If your threat model is state entities (or those funded by them), this site is not your primary source of information. They will get to you from your WiFi echo, from your conversations over Bluetooth devices, from your streaming history, telemetry from your car (if built since at least 2015—you can disable this, though), or the multitude of cameras scattered wherever you live. If you’re freaking out about SELinux, and the state is your threat vector, you’ve got a lot of learning to do. Google is not breaking through your well configured SELinux policies; even they have a line they won’t cross.
Wayland
HUGE improvement over X11. One of the best display protocols out there. Still, likely many holes that need patching. Also a huge PITA if you need to do web conferencing or screen recording, but if those aren’t an important part of your workflow, it’s a great option.
Agama
The SUSE team is aware of the issue. It’s assumed that if you’re a user, this won’t matter. If you’re an enterprise, you’re deploying with Ignition.
Cockpit
RedHat did this by default, too. Very annoying. Easy to uninstall and won’t break anything.
Telemetry and “Phoning Home”
The only thing I’ve seen is data sent to get updates, and some package usage survey data. The latter is opt-out. The update blobs are signed, and encrypting each of the many thousands of requests received daily costs CPU and network bandwidth. If you have to encrypt your signed public software, maybe get your tin-foil hat resized. It might be too tight!
SLES Binaries
This is a good thing. There are a lot of large companies that use SLES and they don’t want anyone stealing their data (hurts profits). Their eyeballs on top of review from the non-enterprise user community means leaner operations for SUSE, and better auditing of packages and code. This is a win for everyone.
Privatization of SUSE
The main reasoning for this was to take market pressures off of SUSE. There’s a lot of European finance companies that rely on SUSE and being in a public global market meant they had to focus on profitability over features and quality. This was harmful to everyone and stressful for the maintainers. I know quite a few folks over there and most of them say this was a good move for everyone and work has been fun again (usually) for the last couple years.
I think the takeaway is to know what your threat model is, and incrementally learn what your threat vectors are, and iteratively attack each vector. Security and privacy are knobs, not switches, and they need constant tuning with every change in your life and every use case. Hope this is helpful.
Extremely helpful. I’ve got only one tiny tin-foil hat and I keep it in my drawer most of the time. Thank you for the generously detailed answer.
I hate those headlines. They are misleading as f-ck. It implies the NSA has some dark motive at play here. Maybe they genuinely want to be equipped with great security?*
Tor was founded by the US military and is still financed by the US gov. Should we now refer to US-funded Tor every time?
Some points of cyber might be valid. But odd to complain about security then complain about X11 being removed.
- That can be a valid assertion. But then explain it explicitly and specify whether you have proof or this is just speculation.
I’m curious why you’re interested in what’s changed in Leap if you’re currently a Tumbleweed user. Because Tumbleweed is an upstream of Leap. Also, Tumbleweed made this change 8 months ago, making SELinux the default MAC. If you installed your OS before that date, that change doesn’t affect you. Although AppArmor is still available as an option in Tumbleweed.
I also know that the openSUSE project is in the rebranding phase, and it’s important to remember that distributions like Tumbleweed and Leap are community supported, and some developers contribute to the distributions on a volunteer basis, even if they are SUSE employees.
Wayland is a good improvement, but SELinux with Fedora’s policy is not something I would call a big improvement. Fedora’s refpolicy covers only some system-level stuff and is not great overall. AppArmor is much easier to deal with. I can write SELinux and AppArmor policies, but the former takes a lot more time and thus leaves you with much less confinement due to time constraints.
Just wanted to mention that these changes are not as pronounced in Tumbleweed. Tumbleweed still ships with X11 and as far as I know it is the default for the Xfce desktop and perhaps also KDE (not sure). Tumbleweed also uses the old, more powerful installer “Yast” in which you can fine-tune everything, including which packages will be installed. During the installation you can also choose to use AppArmor instead of SELinux (I don’t know if this can be changed in Agama, the new installer that Leap uses). Tumbleweed also still ships with Yast instead of Cockpit for system administration, at least for now.
Why is it so important to this article that SELinux was developed by the NSA? I initially thought it was just clickbait in the title, which, while annoying, is pretty much the norm, so I can’t fault him individually for doing it. But then he brings it up six more times.
It is clickbait, that’s this YouTuber’s shtick.
Focusing on SELinux is irrelevant to most threat models anyways. Nobody cares about some random guy with a SecureBlue desktop used mainly for personal reasons.
For Americans: If you are NOT a foreign agent residing inside or outside the United States, you have less to worry about from the NSA. I argue that if you’re some random Joe, the NSA will not target you and legally can’t under FISA. That law sets clear limits on what type of surveillance can occur. The mass bulk collection efforts conducted by the NSA at that time consisted of incidental collection of American data, which was clearly illegal and stopped. While we don’t know if similar programs remain, what we do know is that there is significantly more oversight over whether these data collection methods include the personal data of Americans since the Snowden leaks.
Unless you have a threat model similar to Edward Snowden or Chelsea Manning, you are most definitely not a foreign agent. You are ironically safer from NSA surveillance being in the United States. Worry more about Google or the FBI.
It’s not. Sam Bent’s whole point is that NSA = Bad therefore anything made by them is bad.
SELinux did originate from the NSA, and was turned over to the open source community. At this point, we might as well stop using Tor and the Internet because they started as Department of Defense research projects.
Remember that the NSA is not exactly a “surveillance” organization but a signals intelligence organization (SIGINT). They are concerned with both acquiring foreign intelligence and protecting American intelligence. Hence why they developed the projects that would become SELinux: there wasn’t a common access control standard for Linux servers yet. They needed it during the 1990s and handed it over for everyone to develop it further. There is no evidence that SELinux is a backdoor.
I found an old article he wrote. It doesn’t really make sense at all.