Secureblue - Atomic Fedora Hardening

This is a completely wrong conclusion.

You keep talking about GrapheneOS. I’m not a GrapheneOS user and I haven’t even looked into what it adds to AOSP and I’m not interested in it at all. I don’t think I need to know about the GrapheneOS project in detail before I comment on secureblue, before I ask questions about it. I know that in the readme you only refer to the GrapheneOS project 3 times, and I know that your project page doesn’t mention that you were inspired by GrapheneOS when you created secureblue, that your suggestions to disable some security hardening to make things easier for secureblue users meet the criteria of the GrapheneOS project, that the GrapheneOS project is the legitimate basis for your decisions about secureblue.

If these problems are inherited from Silverblue, I don’t think you need to bother with fixing them. Silverblue doesn’t have security hardening defaults like hiding unverified flatpaks from its users. The priority for installing GUI apps is flatpak, but when users search for apps like ProtonVPN, Mullvad Browser, Signal Desktop, they can’t find those in the store because unverified flatpaks are hidden. But, users who want to install applications such as Mullvad Browser and Steam are recommended to install unverified flatpaks.

1 Like

By who?

The developer himself recommends it:

https://github.com/secureblue/secureblue/blob/ab60fbbd1e1dade4153bd35fcb07a4bc0fa702b9/docs/FAQ.md#how-do-i-install-steam

How do I install Steam?

To use Steam you can either:


This is an irrelevant comment. No developer is obliged to release flatpak packages. While it was recommended to install apps without flatpak packages with the distrobox container, this recommendation is removed. As you can see, I asked the developer for information about this too.

that the GrapheneOS project is the legitimate basis for your decisions about secureblue.

It’s not, I was simply using it as an example of arguably the most well known project focused on hardening, and that even it provides hardening toggles. I was using it to show how inane your “concerns” are.

users who want to install applications such as Mullvad Browser and Steam are recommended to install unverified flatpaks.

You are recommended not to use anything firefox based, we don’t support anything besides hardened-chromium. Hence I said “if you need them for some reason”. Please do not mischaracterize my remarks.

Even if you’re not a troll, your comments are at a minimum disingenuous and in bad faith, on top of being nonsensical. I’ve been taking the time to address what I assumed in good faith was genuine questioning. It seems I was mistaken to assume good faith. You have been blocked for this reason.

5 Likes

I think one big factor to be considered about the Secureblue project is the shift of trust. With Secureblue you are trusting the 25-contributor team there to continue maintaining the hardening that they are distributing. Things can move and change very quickly with a small team like that, which can be good or bad. In Fedora, even with their very leaning forward philosophy, things can take a bit to be modified, and again that can be good or bad. I don’t want to sound like a downer; we have Divest and Nobara as examples of small resource maintained projects that continue going. I think it is nice to trust in projects with small teams, but you have to understand clearly the risks.

1 Like

Secureblue users, do you use a user namespaces image?

  • Yes
  • No
0 voters

(Showing who voted for what is turned off btw)

Realistically it seems like it’d be more accurate (at this point in time) to say a 1 person team with occasional contributions from a handful of others. If I’m wrong about this, I’m sure @RoyalOughtness will correct me.

On the other hand, Fedora Atomic and Universal Blue are kind of designed in large part to enable this sort of small offshoot project by a small team or single individual. So it’s somewhat different than a full distro maintained by a single person. Still I agree that the size of the team and the newness of the project are relevant factors users should consider when making their choice.

I think GrapheneOS is another example.

2 Likes

If I’m wrong about this, I’m sure @RoyalOughtness will correct me.

You are indeed wrong, but only slightly :stuck_out_tongue:

Yes, secureblue’s core contributors are a small handful of people, and there are occasional contributions outside that core team. As an example, the bulk of the recent development on hardened-chromium is being done by Rootkit404. I think most of my commits on it recently have been for bumping release versions and fixing build failures :smile:. Rootkit404 built out the entire subresource filter and source caching backend.

That said, there’s lots of work to do, and new contributors are always welcome :smile:

2 Likes

@RoyalOughtness do you plan on opening a matrix channel? Because I think the target audience prefer a more secure and private communication channel than Discord.

You can then set up a matrix-discord bridge so everyone can communicate while being on their preferred platform.

do you plan on opening a matrix channel?

no

I think the target audience prefer a more secure and private communication channel than Discord.

Discord has significantly more robust security features. Matrix doesn’t even have 2FA support.

target audience

secureblue is not a privacy project, it’s a security project.

Are you being serious?

entirely.

doesn’t have E2EE

how is E2EE at all relevant for a public server?

Matrix is by far more secure than Discord

If your goal is E2EE with one other person, maybe. For public servers, it’s an entirely irrelevant variable.

It is clear that you have never used Matrix before.

I have used it on the privsec server :slight_smile: In any case can we please lower the hostility a bit?

That security mindset which neglects privacy completely is very terrible.

We don’t neglect privacy completely, but it’s not the scope of the project. There are some changes we make that improve privacy, but they are auxiliary to the project’s goals. What we won’t do is sacrifice security for privacy, and that includes the choice of community discussion platform. 2FA is just one variable too. Discord’s automod is robust by comparison, which is critical for securing a public server against raids/spam/malicious links. GrapheneOS had to disable parts of their bridge for this reason, matrix was unable to prevent that kind of thing and it was getting spilled over into discord by the bridge.

tldr there are historically demonstrated, critical security improvements discord provides over matrix when it comes to providing a public community server. Matrix is better in some areas like one to one conversations with E2EE, but that’s entirely irrelevant for a public server.

1 Like

I think it’s time the rejected tag is reconsidered.

5 Likes

This is an interesting development.

It was time when the developer came in and clarified everything in the posts above. There is literally no valid reason to not recommend this. In fact, it makes a lot more sense to recommend this than Kicksecure because secureblue is based on a sane distribution and not Debian.

7 Likes

I agree, Kicksecure doesn’t do anything special compared to Secureblue and is much worse in many cases. The Kicksecure recommendation should be removed imo. Whonix still has a use case for anonymity with their gateway-workstation VM setup but if a project can do something similar with Secureblue then it would easily obsolete Whonix.

1 Like

Agree but removing kicksecure should be a separate discussion.

1 Like

Yeah I was gonna start one once Secureblue is recommended.

didn’t run0 rely on pkexec?

No, and we remove pkexec from secureblue too :slight_smile:

3 Likes

The remaining suid binary on secureblue’s main/userns systems is polkit-agent-helper-1, which will go away with the merge of this PR:

3 Likes