Secureblue - Immutable Fedora Hardening

I think this project looks great and it’s basically what I thought Fedora Silverblue would be out of the box.

But… How do I download it? Where are the iso files? I’m honestly feeling a bit lost when there is a long list of variants etc with no apparent way of downloading them.

Or you can rebase any Fedora Atomic system. Install silverblue/kinoite/etc then follow the rebasing instructions.

What @jerm linked is correct.

Rebase from an existing installation of silverblue/kinoite/sericea using the rebase commands at GitHub - secureblue/secureblue: Immutable Fedora images for GNOME, KDE Plasma, Bluefin, Sway, Cinnamon, Wayfire, River, and Hyprland with some hardening applied

wtf, jinx? :smile:


yeah how bout that :exploding_head:

Hey @RoyalOughtness, I saw a tweet by tommy (founder of privsec.dev) saying that SecureBlue “Disable passwordless sudo for rpm-ostree install”, is there any reason for doing so? Tommy contributes to the project and doesn’t hate it at all btw.

EDIT: Checked GitHub - rohanssrao/silverblue-privesc: Fedora Silverblue privilege escalation seems reasonable to me :+1:


He is also a former team member of Privacy Guides.


This might deserve its own thread, but for now I’ll put it here. Early releases of hardened-chromium are available on COPR and secureblue’s br-hardened-chromium-40 tag.


EDIT: Checked GitHub - rohanssrao/silverblue-privesc: Fedora Silverblue privilege escalation seems reasonable to me :+1:

Is a compromised wheel user trivially easy to transition to a compromised root on desktop Linux systems? Yes. However, the change we make to disable passwordless sudo for wheel users has beneficial side effects for users who are using a nonwheel user as their primary user (which is recommended in the instructions). That is, it allows polkit to prompt the nonwheel user for the wheel user’s password when doing rpm-ostree install, which is a security improvement as it allows users to manage their deployments and layers while logged in as a nonwheel user, and only authenticating as the wheel user for specific operations as needed via polkit.

So in the general sense of simply requiring a password for a wheel user that’s being used as a primary user, Tommy is correct. But assuming the primary daily user is nonwheel, his point is less relevant. Also yes, Tommy and I already talked about this on discord :smile:

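A quick way to tell which of the two states a system is in, as an added example that is not part of this thread or of the secureblue project: the script below audits sudoers-style rules for a NOPASSWD grant to the wheel group, which is the setting the post above says is turned off so that polkit prompts for the wheel user's password instead. The two rule sets it checks are constructed samples, not copied from any real system.

```shell
#!/bin/sh
# Added example, not code from the secureblue project: audit sudoers-style
# rules for a passwordless (NOPASSWD) grant to the wheel group.

# Constructed sample rule sets (not copied from any real system):
# the permissive form beside the form that requires a password.
PERMISSIVE_RULES='Defaults    env_reset
%wheel ALL=(ALL) NOPASSWD: ALL'

HARDENED_RULES='Defaults    env_reset
%wheel ALL=(ALL) ALL'

# Returns 0 when every %wheel rule requires a password, 1 when any active
# (non-comment) %wheel rule carries the NOPASSWD tag.
wheel_requires_password() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*%wheel[[:space:]].*NOPASSWD[[:space:]]*:'; then
        return 1
    fi
    return 0
}

# Prints a one-line verdict for a named rule set; always returns 0 so the
# script can report on several rule sets in a row.
report() {
    name=$1
    rules=$2
    if wheel_requires_password "$rules"; then
        echo "$name: wheel members must authenticate (OK)"
    else
        echo "$name: passwordless sudo for wheel is enabled (FAIL)"
    fi
    return 0
}

report "permissive sample" "$PERMISSIVE_RULES"
report "hardened sample" "$HARDENED_RULES"
```

On a live system the rules to feed into wheel_requires_password come from /etc/sudoers and /etc/sudoers.d/*, which are only readable as root; a non-root user can instead run `sudo -l`, which lists the effective rules for the current account and shows whether a NOPASSWD tag applies to them.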

Just wanted to ping here to see if PG is looking to reconsider this. The project has matured a bit in terms of organization structure and processes, and has active contributors other than the maintainer. These were the two points I remember as the hurdles.

Also, since secureblue and its base ublue both use automated building of the OS using bluebuild, they are (using a very bad comparison) kinda like arkenfox but for fedora atomic. So I don’t think there is a lot of risk of them lagging behind the upstream fedora.

Do let me know if I need to open a new thread, or if there is some other hurdle I am not aware of. Would be great to see this project get more mainstream.


Personally I would love to see an ISO released for the OS.

As it is now it feels more like a toolkit than an ISO since you can’t actually install it, you know?

Yes you can build it yourself but really, how many people are going to do that? PG is all about making privacy easy for the masses and writing in a terminal ain’t it.

Fair point about the ISOs, but you don’t have to build it. Just install Silverblue then use the rpm-ostree rebase command to switch to Secureblue images.

I know, but then we are once again back to typing in stuff in the terminal. Normies aren’t doing that.

Normies are in for a rude shock if they think they can get away with not typing into terminals on a Linux based desktop.


I think openSUSE Aeon manages to not really have a need for terminal, if used in a way most “normies” would.

While this is the goal for Aeon, it is still very new and very much experimental until it reaches stable status.


If all this were for Arch Linux, wouldn’t the project appeal to more users?

After many months of eyeing the Secureblue project, I’ve just today made the move!

What convinced me was actually the continued great work on the project, the addition of hardened chromium and the overall inspiration from Graphene OS.
I remember beforehand I was mainly a Firefox user, but with my Pixel phone I fell in love with the GOS look, feel and implementation, so I didn’t mind the move from Firefox to Chromium.

For some time my personal philosophy has been minimalism and reductionism. If I can have one browser that does it all, then I’m sticking to it.

I still haven’t downloaded all the apps from my previous uBlue image, Bazzite, and I’ve heard there has to be a bit of a workaround for gaming, but I’m sure I can handle that too. Overall I’m happy with the move and excited to get it up and running 100%! As of now it was mainly smooth sailing, although previous months of learning commands in Linux definitely helped a lot.

I definitely would not recommend it as a first-time Linux distro. With regards to Fedora, the Workstation edition should be better and more newcomer-friendly. After a few months with that I’d try an Atomic version with a uBlue image like Bazzite, for example. Only afterwards would I go for Secureblue.

That’s a Linux problem, not a normie problem.