the only problem is, the user has to use a cli to rebase the image and rpm-ostree has a learning curve, if you are only familiar with dnf etc.
you have to make your own iso atm.
What's the best Linux distribution for beginners? Do you recommend the classic one or atomic?
My opinion is that traditional distros are the marginally better choice for the next ~year or three for a beginner who will admin their own system, but atomic distros will likely be the better choice at some point in the future.
It's still more or less the early adoption phase for atomic Linux distros. If you are a beginner I think it's better to wait for the rough edges to be ground down, the documentation to improve, and for a larger number of experienced Linux users to make the switch first so there is greater mindshare and support resources.
With that said, the above is a generalization, and I think we are approaching the point where neither option is a bad choice for a beginner.
Thank you for your answer.
The problem is that I'm an inexperienced Linux user.
I'll soon get a new PC and I'd like to have a Linux distribution (either on VM or on live OS, for example Fedora Writer) while keeping Windows 11 because I need Office Suite (Excel…).
I'd like to use Windows only for Office but use Fedora as my daily routine (since it's recommended by PG, even if I'm not experienced at all on Linux distributions).
What would you recommend me to do?
It's hard to give a specific recommendation without knowing a little more about your situation. (Also somewhat off-topic in this thread, I'll send you a direct message)
There is no good reason, and everything has been clarified by the creator.
Copying 4 commands into the terminal is a learning curve? Okay.
No, not only is rebasing a proper way to do it, but it's also easier.
After daily driving Aeon since RC1 and secureblue for a few days, there is no way I would recommend a traditional distribution to a newcomer.
Even if there are things that are still easier on traditional distributions (of which I'm not aware), it still makes sense to learn to use a proper distribution that will be the future of Linux desktop.
Just my two cents.
FYI, we're likely to drop custom ISO support entirely in favor of an interactive script that assembles the rebase command based on the user's selections. This way new users can all use the official Fedora ISO to install Fedora Atomic and then simply use our interactive selector to rebase.
It would be great if you offered both and documented it in the readme. ISOs are more user friendly and newcomers are familiar with them.
An ISO is used either way. There isn't really any reason for us to keep making our own with a less-well-tested ISO builder. If anything, having users use Fedora Media Writer to write an official installer is even more user friendly and more secure since users don't even have to deal with the ISO, checksum, or verification directly.
We are already publishing OCI images, so republishing them as disk images would be as wasteful as it is redundant and unnecessary.
The proposed solution is the best of all worlds:
I just checked the FAQ page again and noticed that the answer to the question on how to install Steam has been updated. It is not explained in detail why it was recommended to layer the app until a few weeks ago, but now it is not recommended. Is it updated because it is secure to install Steam in the distrobox container instead of layering it? Isn't distrobox a container that doesn't offer sandboxing?
A few hours ago, distrobox alternative was removed from the how do I install software answers. What is the reason for this?
These changes made me rethink the answers on the FAQ page, and the answers reminded me of the many breaches that secureblue itself has made in the walls it has built with its security hardening. Bluetooth, X11, AppImage, GNOME user extensions, KDE themes… all aimed at disabling something. Including the need to install an unverified flatpak in order to do the first recommended way to install Steam.
Is it updated because it is secure to install Steam in the distrobox container instead of layering it?
No, nothing to do with security. Locally layering steam on rpm-ostree systems causes dependency clashes. Using a distrobox avoids this.
What is the reason for this?
distrobox is useful when say building a package that only has build instructions for a specific distribution. Outside of that, it tends to be a bit of a crutch and a less secure option. flatpak provides sandboxing via bwrap, and brew has plans to add bwrap sandboxing for cli programs as well.
many breaches that secureblue itself has made in the walls
You're calling the hardening toggles that we provide "breaches"? You're annoyed at the added convenience for users?
GrapheneOS provides similar toggles for hardening… you can disable MTE, hardened_malloc, etc.
This seems like finding something to be annoyed about for the sake of it, and I respectfully ask you to not do that.
Including the need to install an unverified flatpak in order to do the first recommended way to install Steam.
Yeah, because there's no official way to install Steam on Fedora or any distro besides Ubuntu for that matter. Take that up with Valve, not secureblue.
Apparently this issue didn't exist a couple of weeks ago, but it started to happen later, and I didn't know about it because it wasn't mentioned in the FAQ.
I also didn't know about this detail because it wasn't mentioned in the FAQ.
As for your other points, what I'd like to emphasize is whether what you're recommending to make it easier for people who use secureblue is partially weakening the security hardening, which is your main priority. I mean, there must be reasons why users can't use AppImage packages, user extensions, themes, why you hide unverified flatpaks, etc., that have to do with trying to improve security, right? You also mentioned these in the FAQ. Doesn't secureblue as installed already avoid usability sacrifices for most use cases? Or is it because it is a usability-compromising distribution that we have to deal with enabling bluetooth after the fact? If the things I mentioned are not that much of a security risk, it might be better for users if these things are not disabled by default.
I'm not interested in why Valve still hasn't released Steam for other distros. Since you are hiding unverified flatpaks, it's contradictory to recommend this as the first way to install Steam. Either it would be better not to hide unverified flatpaks anymore, or it would be more reasonable to remove that suggestion. Because you are recommending a method that already works as it should, I haven't tried it, but maybe installing the official Steam client via Bottles is also recommended.
Anyway, I genuinely wish you the best of luck in continuing this project.
Apparently this issue didn't exist a couple of weeks ago, but it started to happen later, and I didn't know about it because it wasn't mentioned in the FAQ.
No, it's always been a problem, it just became worse recently.
what you're recommending to make it easier for people who use secureblue is partially weakening the security hardening, which is your main priority.
which is also what GrapheneOS does with various hardening toggles and compatibility mode…?
Frankly, this "concern" makes no sense whatsoever. This seems like borderline trolling.
I'm not interested in why Valve still hasn't released Steam for other distros.
Well that's the underlying reason why there are no Valve-official mechanisms to install Steam on secureblue.
it would be better not to hide unverified flatpaks anymore, or it would be more reasonable to remove that suggestion.
Why is either necessary? secureblue's goal is to provide images with hardened defaults, verified-only flatpaks are a hardened default. That doesn't make other problems go away (i.e. the problem of Fedora not having an official steam installation mechanism)
Secureblue breaks from the Linux desktop status quo by favoring security over usability. Nevertheless, most of its hardening can trivially be disabled at the user's discretion. Personally, I find this approach refreshing. Usually after installing a distro, I diligently apply hardening customization to improve its security. With secureblue, the situation is flipped, and I just loosen the hardened settings I want less restriction on.
@RoyalOughtness If you don't mind, I would like to hear your current thoughts on the Kicksecure project.
Would you consider Kicksecure comparable to Secureblue in terms of hardening (Debian vs Fedora aside)? If so, is the hardening done by Kicksecure actually meaningful or do the fundamental issues with Debian vastly outweigh any hardening that is done?
Would you ever recommend someone use Kicksecure over vanilla Fedora Workstation or Silverblue?
I'll keep my thoughts to a minimum because I don't like critiquing other FOSS projects that people have put lots of volunteer effort into, especially on a public forum.
I will say though that I'm disappointed by Kicksecure's decision to drop hardened_malloc. Aside from that I haven't been keeping up with it that closely.
An installed browser is not a problem per se. Users are free to uninstall it or simply not use it.
Some things noted there have changed, for example the official build flag, which is quite important.
I believe it doesn't use Wayland as it's XFCE