Hey @RoyalOughtness, I saw a tweet by Tommy (founder of privsec.dev) saying that SecureBlue “Disable passwordless sudo for rpm-ostree install”. Is there any reason for doing so? Tommy contributes to the project and doesn’t hate it at all btw.
This might deserve its own thread, but for now I’ll put it here. Early releases of hardened-chromium are available on COPR and secureblue’s br-hardened-chromium-40 tag.
Is a compromised wheel user trivially easy to transition to a compromised root on desktop linux systems? Yes. However, the change we make to disable passwordless sudo for wheel users has beneficial side effects for users who are using a nonwheel user as their primary user (which is recommended in the instructions). That is, it allows polkit to prompt the nonwheel user for the wheel user’s password when doing rpm-ostree install, which is a security improvement as it allows users to manage their deployments and layers while logged in as a nonwheel user, and only authenticating as the wheel user for specific operations as needed via polkit.
So in the general sense of simply requiring a password for a wheel user that’s being used as a primary user, Tommy is correct. But assuming the primary daily user is nonwheel, his point is less relevant. Also yes, Tommy and I already talked about this on Discord.
Just wanted to ping here to see if PG is looking to reconsider this. The project has matured a bit in terms of organization structure and processes, and has active contributors other than the maintainer. These were the two points I remember as the hurdles.
Also, since secureblue and its base ublue both use automated building of the OS using bluebuild, they are (using a very bad comparison) kinda like arkenfox but for Fedora Atomic. So I don’t think there is a lot of risk of them lagging behind the upstream Fedora.
Do let me know if I need to open a new thread, or if there is some other hurdle I am not aware of. Would be great to see this project get more mainstream.
Personally I would love to see an ISO released for the OS.
As it is now it feels more like a toolkit than an ISO since you can’t actually install it, you know?
Yes you can build it yourself but really, how many people are going to do that? PG is all about making privacy easy for the masses and writing in a terminal ain’t it.
Fair point about the ISOs, but you don’t have to build it. Just install Silverblue then use the rpm-ostree rebase command to switch to Secureblue images.
After many months of eyeing the Secureblue project I’ve just today made the move!
What convinced me was actually the continued great work on the project, addition of hardened chromium and overall inspiration from GrapheneOS.
I remember beforehand I was mainly a Firefox user but with my Pixel phone, I fell in love with the GOS look, feel and implementation, so I didn’t mind the move from Firefox to Chromium.
For some time my personal philosophy has been minimalism and reductionism. If I can have one browser that does it all, then I’m sticking to it.
I still haven’t downloaded all the apps from my previous uBlue image, Bazzite, and I’ve heard there has to be a bit of a workaround for gaming, but I’m sure I can handle that too. Overall I’m happy with the move and excited to get it up and running 100%! As of now it was mainly smooth sailing, although previous months of learning commands in Linux definitely helped a lot.
I definitely would not recommend it as a first-time Linux distro. With regards to Fedora, the Workstation edition should be better and more newcomer-friendly. After a few months with that I’d try the Atomic version with a uBlue image like Bazzite, for example. Only then afterwards I’d go for Secureblue.
Not really. Am being rational and calling it like I see it. If you hate the terminal maybe Linux is not the right match for you since most of the workflow is terminal centric. Makes no sense to be complaining about the terminal.
When you get your hands on a new piece of software/tech or find yourself in a new community you don’t immediately start bashing how people do things over there. You learn it first and see whether you can make it work for you.
I think this is a general standard with everything. At least socially speaking.
Update: sigh, I think in the end terminal and coding is gonna be my Achilles heel forever and something I won’t be able to force myself to like or enjoy.
Things DID go smoothly with installing Secureblue and setting up the desktop environment apps etc., but as I expected Steam didn’t work. I was promised that it would work with BoxBuddy and so after installing Bazzite on it I was excited to launch it. Well… nothing happened and I have no idea why it doesn’t. Yet another thing I’d have to blindly stumble through with likely hours of frustration to solve. And that’s only for one application.
Unfortunately I’ll have to rebase back to Bazzite. I do agree with Lukas that using the terminal shouldn’t be what’s expected of a user. I still use it sometimes because I have to, but it’s not pleasant at all.
I really, really did try to force myself to learn both coding and terminal but I guess my brain is just not made for that. I can meditate for 30 minutes no problem but I feel like my lifeforce is drained away when I see or type lines of code and I want to punch something after long enough interaction.
I guess I might not be the core audience for such distros. Security is cool and all but it’s not worth the hassle I have to endure. Convenience is also a very important aspect.