Secureblue - Atomic Fedora Hardening

The only problem is, the user has to use a CLI to rebase the image, and rpm-ostree has a learning curve if you are only familiar with dnf etc.

You have to make your own ISO at the moment.

What’s the best Linux distribution for beginners? Do you recommend the classic one or atomic?

My opinion is that traditional distros are the marginally better choice for the next ~year or three for a beginner who will admin their own system, but atomic distros will likely be the better choice at some point in the future.

It’s still more or less the early adoption phase for atomic Linux distros. If you are a beginner I think it’s better to wait for the rough edges to be ground down, the documentation to improve, and for a larger number of experienced Linux users to make the switch first so there is greater mindshare and support resources.

With that said, the above is a generalization, and I think we are approaching the point where neither option is a bad choice for a beginner.


Thank you for your answer.

The problem is that I’m an inexperienced Linux user.

I’ll soon get a new PC and I’d like to have a Linux distribution (either on a VM or on a live OS, for example Fedora Writer) while keeping Windows 11 because I need the Office suite (Excel…).

I’d like to use Windows only for Office but use Fedora as my daily routine (since it’s recommended by PG, even if I’m not experienced at all with Linux distributions).

What would you recommend me to do?

It’s hard to give a specific recommendation without knowing a little more about your situation. (Also somewhat off-topic in this thread, I’ll send you a direct message.)

There is no good reason, and everything has been clarified by the creator.

Copying 4 commands into the terminal is a learning curve? Okay.

No, not only is rebasing the proper way to do it, it’s also easier.

After daily driving Aeon since RC1 and secureblue for a few days, there is no way I would recommend a traditional distribution to a newcomer.

Even if there are things that are still easier on traditional distributions (of which I’m not aware), it still makes sense to learn to use a proper distribution that will be the future of the Linux desktop.

Just my two cents.

FYI, we’re likely to drop custom ISO support entirely in favor of an interactive script that assembles the rebase command based on the user’s selections. This way new users can all use the official Fedora ISO to install Fedora Atomic and then simply use our interactive selector to rebase.


It would be great if you offered both and documented it in the readme. ISOs are more user friendly and newcomers are familiar with them.

An ISO is used either way. There isn’t really any reason for us to keep making our own with a less-well-tested ISO builder. If anything, having users use Fedora Media Writer to write an official installer is even more user friendly and more secure, since users don’t even have to deal with the ISO, checksum, or verification directly.

We are already publishing OCI images, so republishing them as disk images would be as wasteful as it is redundant and unnecessary.

The proposed solution is the best of all worlds:

  • It makes our installation documentation significantly easier to follow, since the script will interactively prompt users instead of users needing to wade through a large image directory
  • It means users don’t need to directly deal with ISOs or manually handle checksumming or GPG verification (since Fedora Media Writer does this by default)
  • It keeps all users on the same installation pathway using a well-tested and officially supported installation mechanism, improving reliability and experience consistency
  • It removes a dependency on a third-party, less thoroughly tested ISO generation mechanism
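To make the "interactive selector that assembles the rebase command" concrete, here is an added example of the non-interactive core such a script needs. This is illustrative code written for this page, not secureblue's own selector: the registry path, the image-name scheme (desktop, GPU, user-namespace variant) and the tag are assumptions, and the real image names should be taken from the project's documentation. The security-relevant detail it shows is the transport: `ostree-image-signed:docker://` makes rpm-ostree enforce the sigstore policy in `/etc/containers/policy.json`, so a rebase onto an unsigned or wrongly signed image fails instead of booting, whereas `ostree-unverified-registry:` skips that check.

```shell
#!/bin/sh
# Added example, not secureblue's script. Assembles an rpm-ostree rebase
# command from a handful of selections, validating each one first.
set -eu

# ASSUMPTION: placeholder registry path and tag, not a real project location.
REGISTRY="ghcr.io/example-org"
TAG="latest"

# Map selections to an image name.
# ASSUMPTION: the "<desktop>-<gpu>[-userns]" naming scheme is illustrative only.
#   desktop: silverblue | kinoite | sericea
#   gpu:     main | nvidia
#   userns:  yes | no   (whether to pick the user-namespaces-enabled variant)
image_name() {
  local desktop="$1" gpu="$2" userns="$3" name
  case "$desktop" in
    silverblue|kinoite|sericea) ;;
    *) echo "unknown desktop: $desktop" >&2; return 1 ;;
  esac
  case "$gpu" in
    main|nvidia) ;;
    *) echo "unknown gpu: $gpu" >&2; return 1 ;;
  esac
  case "$userns" in
    yes|no) ;;
    *) echo "userns must be yes or no: $userns" >&2; return 1 ;;
  esac
  name="${desktop}-${gpu}"
  [ "$userns" = "yes" ] && name="${name}-userns"
  printf '%s' "$name"
}

# Build the full rebase command. The ostree-image-signed:docker:// transport
# tells rpm-ostree to verify the container image signature against
# /etc/containers/policy.json before deploying it; never fall back to
# ostree-unverified-registry: just because the signed transport errors out,
# since that error is the signature check doing its job.
rebase_cmd() {
  local name
  name="$(image_name "$@")" || return 1
  printf 'rpm-ostree rebase ostree-image-signed:docker://%s/%s:%s' \
    "$REGISTRY" "$name" "$TAG"
}

# Interactive front end. Only prompts when attached to a terminal, so the
# functions above can be sourced or tested without blocking on input.
if [ -t 0 ] && [ -t 1 ]; then
  printf 'Desktop [silverblue/kinoite/sericea]: '; read -r desktop
  printf 'GPU [main/nvidia]: '; read -r gpu
  printf 'Use the user-namespaces variant? [yes/no]: '; read -r userns
  cmd="$(rebase_cmd "$desktop" "$gpu" "$userns")"
  printf 'About to run:\n  %s\n' "$cmd"
  printf 'Proceed? [y/N]: '; read -r ok
  [ "$ok" = "y" ] && sudo $cmd
fi
```

Showing the assembled command and asking for confirmation before running it is deliberate: the user gets to read the exact image reference they are about to trust, which is the one point in this flow where a typo or a tampered helper script could redirect them to a different image.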

I just checked the FAQ page again and noticed that the answer to the question on how to install Steam has been updated. It is not explained in detail why it was recommended to layer the app until a few weeks ago, but now it is not recommended. Is it updated because it is secure to install Steam in the distrobox container instead of layering it? Isn’t distrobox a container that doesn’t offer sandboxing?

A few hours ago, the distrobox alternative was removed from the "how do I install software" answers. What is the reason for this?

These changes made me rethink the answers on the FAQ page, and the answers reminded me of the many breaches that secureblue itself has made in the walls it has built with its security hardening. Bluetooth, X11, AppImage, GNOME user extensions, KDE themes… all aimed at disabling something. Including the need to install an unverified flatpak in order to do the first recommended way to install Steam.

Is it updated because it is secure to install Steam in the distrobox container instead of layering it?

No, nothing to do with security. Locally layering steam on rpm-ostree systems causes dependency clashes. Using a distrobox avoids this.

What is the reason for this?

distrobox is useful when say building a package that only has build instructions for a specific distribution. Outside of that, it tends to be a bit of a crutch and a less secure option. flatpak provides sandboxing via bwrap, and brew has plans to add bwrap sandboxing for cli programs as well.

many breaches that secureblue itself has made in the walls

You’re calling the hardening toggles that we provide “breaches”? You’re annoyed at the added convenience for users?

GrapheneOS provides similar toggles for hardening… you can disable MTE, hardened_malloc, etc.

This seems like finding something to be annoyed about for the sake of it, and I respectfully ask you to not do that.

Including the need to install an unverified flatpak in order to do the first recommended way to install Steam.

Yeah, because there’s no official way to install Steam on Fedora, or any distro besides Ubuntu for that matter. Take that up with Valve, not secureblue.


Apparently this issue didn’t exist a couple of weeks ago, but it started to happen later, and I didn’t know about it because it wasn’t mentioned in the FAQ.

I also didn’t know about this detail because it wasn’t mentioned in the FAQ.

As for your other points, what I’d like to emphasize is whether what you’re recommending to make it easier for people who use secureblue is partially weakening the security hardening, which is your main priority. I mean, there must be reasons why users can’t use AppImage packages, user extensions, themes, why you hide unverified flatpaks, etc., that have to do with trying to improve security, right? You also mentioned these in the FAQ. Doesn’t secureblue as installed already avoid usability sacrifices for most use cases? Or is it because it is a usability-compromising distribution that we have to deal with enabling Bluetooth after the fact? If the things I mentioned are not that much of a security risk, it might be better for users if these things are not disabled by default.

I’m not interested in why Valve still hasn’t released Steam for other distros. Since you are hiding unverified flatpaks, it’s contradictory to recommend this as the first way to install Steam. Either it would be better not to hide unverified flatpaks anymore, or it would be more reasonable to remove that suggestion. Because you are recommending a method that already works as it should, I haven’t tried it, but maybe installing the official Steam client via Bottles is also recommended.

Anyway, I genuinely wish you the best of luck in continuing this project.

Apparently this issue didn’t exist a couple of weeks ago, but it started to happen later, and I didn’t know about it because it wasn’t mentioned in the FAQ.

No, it’s always been a problem, it just became worse recently.

what you’re recommending to make it easier for people who use secureblue is partially weakening the security hardening, which is your main priority.

which is also what GrapheneOS does with various hardening toggles and compatibility mode…?

Frankly, this “concern” makes no sense whatsoever. This seems like borderline trolling.

I’m not interested in why Valve still hasn’t released Steam for other distros.

Well, that’s the underlying reason why there are no Valve-official mechanisms to install Steam on secureblue.

it would be better not to hide unverified flatpaks anymore, or it would be more reasonable to remove that suggestion.

Why is either necessary? secureblue’s goal is to provide images with hardened defaults, and verified-only flatpaks are a hardened default. That doesn’t make other problems go away (i.e. the problem of Fedora not having an official Steam installation mechanism).

Secureblue breaks from the Linux desktop status quo by favoring security over usability. Nevertheless, most of its hardening can trivially be disabled at the user’s discretion. Personally, I find this approach refreshing. Usually after installing a distro, I diligently apply hardening customization to improve its security. With secureblue, the situation is flipped, and I just loosen the hardened settings I want less restriction on.


@RoyalOughtness If you don’t mind, I would like to hear your current thoughts on the Kicksecure project.

Would you consider Kicksecure comparable to Secureblue in terms of hardening (Debian vs Fedora aside)? If so, is the hardening done by Kicksecure actually meaningful or do the fundamental issues with Debian vastly outweigh any hardening that is done?

Would you ever recommend someone use Kicksecure over vanilla Fedora Workstation or Silverblue?

I’ll keep my thoughts to a minimum because I don’t like critiquing other FOSS projects that people have put lots of volunteer effort into, especially on a public forum.

I will say though that I’m disappointed by Kicksecure’s decision to drop hardened_malloc. Aside from that I haven’t been keeping up with it that closely.


An installed browser is not a problem per se. Users are free to uninstall it or simply not use it.

Some things noted there have changed, for example the official build flag, which is quite important.

I believe it doesn’t use Wayland as it’s XFCE.