Secureblue: Is This the Most Secure Linux Distro?

I’ve been playing some Fallout New Vegas and Deus Ex in Bottles and it works just as well as on Fedora Silverblue. Had to tweak the Flatpak settings, though. I don’t have any experience with newer games, unfortunately.

Is it really such a hassle though? How do you know any of your apps will be affected? Even if they are once you turn off certain things that stop some of your apps working, it’s basically the same as using Silverblue.

I’m happy that the video nudged you to give it a shot! :grin:

Thanks for sharing your thoughts, I’m glad it’s working well for you. :yellow_heart: (apart from that one caveat)

Good luck, hope it goes well! :flexed_biceps:

2 Likes

Since switching from Windows this year, I’ve become very enthusiastic about desktop Linux. I have been daily driving one of the ublue-based images, and have recently installed secureblue on a spare machine. Ideally, I’d like to keep using Linux.

But in the video you say that desktop Linux is less secure than even macOS or Android.

Is the reality that desktop Linux, and even secureblue in this case, are putting me at greater risk? If so, then should I just move on from Linux to macOS/Android?

Thank you!

Are you at risk of targeted attacks? Would a malware infection be an unacceptable risk to your workflow? If so, stick with macOS/GrapheneOS, with a secondary computer for Qubes or Tails.

If you want to prevent Apple from tracking you and maximize privacy protections while implementing some form of sandboxing (not perfect, though), a SecureBlue or Qubes daily driver can also work.

Most people do not face targeted attacks. You are not harming yourself by using Linux.

5 Likes

I wrote a bit more about this question here as well:

It’s a difficult situation where most people will indeed be far better off using Linux, but “most people” also aren’t ever targeted by 0-day malware. When it comes to anti-exploit capabilities Linux has a very long way to go.

On desktop we really only see macOS making a decent effort, but they’re still behind the state of the art anti-exploit tech in modern AOSP and iOS.

We probably should have specified what we are referring to when we say “security” more clearly, because of course hardening is not the only thing to do in cybersecurity, not by a long shot. There are many aspects of security where Linux far exceeds Windows or other devices, and so a security-conscious person may still rightly choose to use Linux, absolutely.

When it comes to 0-days though it falls quite short, and there are many who are rightly concerned about this. We see stories about malware like Pegasus used against regular activists and journalists all the time. It would be hard to recommend desktop Linux for journalists as a general rule at the moment.

6 Likes

Not to deviate this thread too much, but I think this is again a situation where it is valuable to talk about ChromeOS for its security.

2 Likes

Thank you both very much, this adds some much needed perspective.

This is what came to mind for me more generally as well.

Similar to ChromeOS, immutable distros are very opinionated, more secure and have narrower functionality relative to alternatives. Both can be a sweet spot for typical users, while also being a non-starter for other use cases.

Back to the thread as a whole, it’s an interesting convo. Speaking solely for myself, my privacy is a greater concern than my (post-hardened) security. I do think many Linux users are lackadaisical about security, but choosing a distro w/ an emphasis on security is a bridge too far for me as an everyday (non-targeted) user.

Being that I’ve been using a traditional distro for a year or two, I am OK with manually hardening my device and having more freedom. I can see the appeal if I didn’t already have Linux preferences, yet I can also see how it might make the Linux journey much steeper for newbies. Kudos to those that are enjoying the setup either way.

2 Likes

GrapheneOS Desktop Mode as a desktop OS is even more secure than macOS and ChromeOS, and it’s technically a Linux distro and just as private (debatably more so).

It’s still in beta and VMs for traditional Linux are experimental, so secureblue and macOS still have many advantages for most threat models.

1 Like

Linux VMs on GrapheneOS desktop mode!

FYI, aarch64 support is planned :slight_smile: (Note: this does not include Apple silicon support)

1 Like

UBlue is actually the source of Secureblue, as they provide the base images that several other projects take and customize to their liking. I don’t know how dependent Secureblue still is on UBlue’s images.

We haven’t used ublue’s base images for about a year. Our base images are directly from fedora.

Cloud native technologies

In particular https://blue-build.org/ and GitHub - bootc-dev/bootc: Boot and upgrade via container images

but it makes too many sacrifices for my use case

If there are any areas in particular where this could be improved, please let me know :slight_smile:

6 Likes

Immutable

FAQ | secureblue :slight_smile:

There are a lot of misconceptions about atomic systems, nomenclature aside.

Edit: hijacking this post to respond to @jonah as well :smile:

I agree only because I have esoteric hardware (Asahi Linux user lol), which I hope atomic distros get better at supporting in the future.

@travier is working on GitHub - fedora-asahi-remix-atomic-desktops/images: Unofficial Bootable Container images for Fedora Asahi Atomic Remix but it’s still very experimental. But, hopefully in the near future!

I mean it took me years longer than it should’ve to understand and embrace Docker and Ansible, just because relearning how to do things you can already do sucks.

Admittedly I’ve been daily driving atomic systems since before secureblue existed :sweat_smile: , but you can definitely use atomic systems without docker/ansible/distrobox/etc. You can use them similarly to a traditional system in large part (aside from managing deployments, of course). The key to reducing friction IMO is weeding through all the incorrect information about them and adapting your existing workflow as close to 1:1 as possible. Misleading terms like “immutable” and “flatpak-first” haven’t been helpful in this regard... You don’t need to use flatpak, distrobox, etc. if you don’t want to (although I would of course encourage flatpak usage), and you can definitely still nuke your filesystem if you really want to :smile:.

The real differences are more about getting used to a slightly different way of doing the same things. Say, instead of editing a file in /usr that you’re used to editing, you might now need to use a drop-in in /etc. Or instead of using dracut, you now use rpm-ostree initramfs. Etc., etc. Same functionality, new patterns to learn.

Edit: I really should have just made one big post :sweat_smile:

But in the video you say that desktop Linux is less secure than even macOS or Android.
Is the reality that desktop Linux, and even secureblue in this case, are putting me at greater risk? If so, then should I just move on from Linux to macOS/Android?

The better distinction to make is that the desktop OS options as a whole are just... really not great. iOS, Android, and in particular GrapheneOS are just leaps and bounds ahead of anything for desktop (aside from possibly ChromeOS, but that’s getting folded into Android, last I heard).

Mobile systems have clear security boundaries, strong app sandboxes, a lack of root access for unprivileged users, thorough and robust mandatory access controls, I could go on... Is the average Linux system more secure than the average Windows or macOS system? Hard to quantify and very user dependent... then again, how many Linux users are running with no mandatory access control?

Then there’s the question of if you were to configure Windows/macOS/Linux to be as secure as possible without fundamentally rearchitecting core system components, which would be the most secure? And for that, Linux unfortunately isn’t in the running. What secureblue does is, in acknowledgement of this unfortunate reality, try to achieve a maximally secure desktop Linux system, which should ideally mean a system that is more secure than your average Windows system.

There are many aspects of security where Linux far exceeds Windows or other devices, and so a security-conscious person may still rightly choose to use Linux, absolutely.
When it comes to 0-days though it falls quite short, and there are many who are rightly concerned about this. We see stories about malware like Pegasus used against regular activists and journalists all the time. It would be hard to recommend desktop Linux for journalists as a general rule at the moment.

0-days are one of many, many concerns... Desktop Linux has fundamental architectural gaps. We’re working on filling those gaps in secureblue, but we’re starting at the bottom of a very tall mountain. Android, on the other hand, is a relatively strong base camp most of the way up the mountain, and so is a far better starting point by comparison :smile:. I could explain in more detail but this post is way too long already...

13 Likes
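The post above describes the atomic-system pattern of using a drop-in under /etc instead of editing the vendor file under /usr. The shell script below is an added example, not code from secureblue or from the post: it emulates the documented same-name precedence rule that systemd-style .d directories (sysctl.d, modules-load.d, tmpfiles.d, unit drop-ins) follow, where /etc/x.d/FOO overrides /usr/lib/x.d/FOO and a symlink to /dev/null in /etc masks the vendor file entirely. The directory names and files it creates are constructed for the demo; on a real system you would call it as `effective_dropins /etc/sysctl.d /usr/lib/sysctl.d`.

```shell
#!/bin/sh
# Added example (not secureblue's own tooling): show which drop-in files are
# actually in effect when an admin directory (/etc/x.d) overlays a vendor
# directory (/usr/lib/x.d) under the same-name precedence rule.
set -eu

# Print basenames in a directory, or nothing if it does not exist.
# (Filenames containing newlines are out of scope for this illustration.)
list_names() { [ -d "$1" ] && ls -A "$1"; return 0; }

# Print the effective path for each basename, one per line, sorted by name.
# $1 = admin dir (stands in for /etc/x.d)
# $2 = vendor dir (stands in for /usr/lib/x.d)
effective_dropins() {
    admin="$1"; vendor="$2"
    { list_names "$admin"; list_names "$vendor"; } | sort -u |
    while IFS= read -r name; do
        if [ -e "$admin/$name" ] || [ -L "$admin/$name" ]; then
            # Admin copy exists: a symlink to /dev/null masks the vendor file,
            # anything else replaces it.
            if [ -L "$admin/$name" ] && [ "$(readlink "$admin/$name")" = /dev/null ]; then
                continue
            fi
            printf '%s\n' "$admin/$name"
        else
            printf '%s\n' "$vendor/$name"
        fi
    done
}

demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/sysctl.d" "$root/usr/lib/sysctl.d"
    # Constructed vendor files (what the image ships under /usr).
    printf 'kernel.kptr_restrict = 1\n' > "$root/usr/lib/sysctl.d/10-default.conf"
    printf 'net.ipv4.ip_forward = 1\n'  > "$root/usr/lib/sysctl.d/20-vendor.conf"
    printf 'kernel.yama.ptrace_scope = 1\n' > "$root/usr/lib/sysctl.d/30-keep.conf"
    # Constructed admin drop-ins: override 10, mask 20, add 40.
    printf 'kernel.kptr_restrict = 2\n' > "$root/etc/sysctl.d/10-default.conf"
    ln -s /dev/null "$root/etc/sysctl.d/20-vendor.conf"
    printf 'kernel.dmesg_restrict = 1\n'  > "$root/etc/sysctl.d/40-local.conf"

    effective_dropins "$root/etc/sysctl.d" "$root/usr/lib/sysctl.d"
    rm -rf "$root"
}

demo
```

The demo prints three paths: the admin copy of 10-default.conf, the untouched vendor 30-keep.conf, and the admin-only 40-local.conf; 20-vendor.conf disappears because the /dev/null symlink masks it. That is the behaviour to keep in mind when a hardening setting seems not to apply: check whether a same-named file in /etc is quietly replacing or masking the one you edited.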

Totally :+1:

Linux is certainly not how I would design a secure operating system from scratch, but I’m mainly concerned with practical issues faced by real users, and targeted exploits are really the only way I see Linux users pwned in the wild, that was the only point I was making :sweat_smile:

Absolutely, I just meant Docker as an analogy of “tools that seem difficult to learn but make my life 100x easier once I bothered to learn them” which atomic systems also are :slight_smile:

Why the focus on targeted exploits? It’s extremely easy to write a malicious application/script for Linux, and the only difficulty is tricking users into using it. Serve it as a tar file and you don’t even need the user to explicitly grant execute permission for this file.
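The tar point above is worth seeing concretely. The script below is an added example, not code from the post or from secureblue: it packs a constructed script with the execute bit set, extracts the archive with default tar(1) options to show that the bit survives (so the recipient can run it with no chmod step), and then shows a defensive extraction that clears execute bits on every regular file so nothing becomes runnable until the user deliberately makes it so. Everything is created under a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the post or from secureblue. Demonstrates that
# tar stores and restores the execute bit, and one way to extract defensively.
set -eu

# Build the constructed "malicious" archive; prints the archive path.
make_archive() {          # $1 = scratch directory
    mkdir -p "$1/payload"
    printf '#!/bin/sh\necho pwned\n' > "$1/payload/update.sh"
    chmod 0755 "$1/payload/update.sh"   # attacker sets +x before packing
    tar -C "$1" -cf "$1/payload.tar" payload
    printf '%s\n' "$1/payload.tar"
}

# Plain extraction: mode bits come from the archive. For a non-root user the
# umask is applied, but a typical 022 umask does not remove +x.
extract_plain() {         # $1 = archive, $2 = destination directory
    mkdir -p "$2"
    tar -C "$2" -xf "$1"
}

# Hardened extraction: extract, then clear execute bits on every regular file
# so the archive cannot hand the user a ready-to-run program.
extract_noexec() {        # $1 = archive, $2 = destination directory
    mkdir -p "$2"
    tar -C "$2" -xf "$1"
    find "$2" -type f -exec chmod a-x {} +
}

# Returns 0 if the path is executable by the current user, 1 otherwise.
is_executable() { [ -x "$1" ]; }

# Run a file and print its first output line (used to show the payload fires).
run_file() { "$1" | head -n 1; }

demo() {
    scratch=$(mktemp -d)
    archive=$(make_archive "$scratch")
    extract_plain  "$archive" "$scratch/plain"
    extract_noexec "$archive" "$scratch/noexec"
    if is_executable "$scratch/plain/payload/update.sh"; then
        printf 'plain extraction: +x preserved, script runs and prints: %s\n' \
            "$(run_file "$scratch/plain/payload/update.sh")"
    fi
    if ! is_executable "$scratch/noexec/payload/update.sh"; then
        printf 'hardened extraction: execute bit cleared\n'
    fi
    rm -rf "$scratch"
}

demo
```

The same applies to zip archives and to anything else that carries a mode field; the browser's "downloaded files are not executable" assumption only holds for the downloaded file itself, not for what it contains.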

Yep, untargeted, opportunistic attacks against desktop Linux are reported all the time... I too don’t understand the focus on targeted exploits. @jordan’s video mentioned a few opportunistic pieces of malware. And here’s some opportunistic Linux malware from a week ago: Arch user-contributed browsers compromised • The Register

targeted exploits are really the only way I see Linux users pwned in the wild

Also, “targeted exploit” doesn’t mean “dependent on a zero day”. Desktop Linux is insecure enough by design that an attacker might not even need a bug to exploit, let alone a zero day. They could leverage architectural gaps: known sandbox escape vectors, LD_PRELOAD attacks, etc., etc. Attacks that utilize architectural weaknesses in existing systems that are operating by design.

Or even easier, like @sha123 said, simply trick the user into downloading and running an executable from their browser (one of many reasons to discourage appimages)… No bug or zero day needed :slight_smile:

4 Likes
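The LD_PRELOAD vector mentioned in the post above is also something a defender can look for. The script below is an added example, not code from the post or from secureblue: it checks the two places glibc's dynamic loader reads preload lists from, the per-process LD_PRELOAD environment variable (visible in /proc/PID/environ) and the system-wide /etc/ld.so.preload file, which applies to every dynamically linked process, setuid ones included. The proc tree and preload files it scans in the demo are constructed so the script runs offline; on a real host you would run `scan_proc_tree /proc` (as root, since other users' environ files are not readable) and `ld_so_preload_active /etc/ld.so.preload`.

```shell
#!/bin/sh
# Added example, not from the post or secureblue: detect LD_PRELOAD use via
# /proc/PID/environ and a populated /etc/ld.so.preload.
set -eu

# Returns 0 and prints the value if a NUL-separated environ file (the
# /proc/PID/environ format) sets LD_PRELOAD; returns 1 otherwise.
environ_ld_preload() {    # $1 = environ file
    val=$(tr '\000' '\n' < "$1" | sed -n 's/^LD_PRELOAD=//p' | head -n 1)
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# Walk a proc-style tree and print "PID VALUE" for each process whose
# environment carries LD_PRELOAD. Unreadable environ files are skipped.
scan_proc_tree() {        # $1 = root (normally /proc; a constructed tree here)
    for env in "$1"/[0-9]*/environ; do
        [ -r "$env" ] || continue
        pid=${env#"$1"/}; pid=${pid%/environ}
        if val=$(environ_ld_preload "$env"); then
            printf '%s %s\n' "$pid" "$val"
        fi
    done
}

# Returns 0 if an ld.so.preload file names at least one library. The loader
# ignores blank lines and lines starting with '#', so this does too.
ld_so_preload_active() {  # $1 = path (normally /etc/ld.so.preload)
    [ -f "$1" ] && grep -v '^[[:space:]]*#' "$1" | grep -q '[^[:space:]]'
}

demo() {
    root=$(mktemp -d)
    mkdir -p "$root/101" "$root/202"
    # Constructed sample processes: 101 is clean, 202 has a preloaded library.
    printf 'PATH=/usr/bin\000HOME=/home/u\000' > "$root/101/environ"
    printf 'PATH=/usr/bin\000LD_PRELOAD=/tmp/.x/evil.so\000' > "$root/202/environ"
    # Constructed system-wide preload file with one real entry.
    printf '# vendor comment\n/usr/lib64/libsnoop.so\n' > "$root/ld.so.preload"

    scan_proc_tree "$root"
    if ld_so_preload_active "$root/ld.so.preload"; then
        printf 'system-wide preload configured in %s\n' "$root/ld.so.preload"
    fi
    rm -rf "$root"
}

demo
```

This only catches the two loader-level preload mechanisms; a library injected some other way (a modified binary, a patched libc, ptrace) will not show up here, which is the usual argument for making the check part of a broader integrity story rather than relying on it alone.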

Maybe this is covered in the video but are there any reasons to use Silverblue over SecureBlue? I’ve used Silverblue for years and loved it. I guess my question is why isn’t this being universally recommended over the fedora image? And why isn’t Secureblue in the general Linux distro section of the site?

I guess I’m just having trouble explaining myself today. I meant to imply I was talking about problems unique to desktop Linux. “User shoots self in foot” is of course a problem in a very general sense, but it is rampant on all available options here.

I have read mixed reviews about breakage in Secureblue within this community that would make me hesitate to do this. I would encourage you to use Secureblue and share your experiences here, so we have more data points to work with :slight_smile:

3 Likes

I meant to imply I was talking about problems unique to desktop Linux.

Oh I see what you mean, yeah footguns on desktop are ubiquitous :sweat_smile:

I have read mixed reviews about breakage in Secureblue within this community that would make me hesitate to do this. I would encourage you to use Secureblue and share your experiences here, so we have more data points to work with :slight_smile:

Yes please :slightly_smiling_face:

There will always be out-of-the-box breakage introduced for certain use cases by the changes we make; otherwise we could just upstream everything to Fedora. That said, we also aim to provide toggles to unbreak use cases, which we have already for numerous situations. If there are any gaps, we should fill them.

5 Likes

To add on to this specific point, while I don’t doubt this is theoretically possible, I can’t personally recall seeing any evidence of this happening to anybody in the real world, which suggests to me that this is more difficult in reality than in theory.

On the other hand, the stories that do exist about desktop Linux users being targeted by external threats do all rely on 0-days. As just one example: Facebook paid for a 0-day to help FBI unmask child predator – Sophos News

If you/anyone has a story about a desktop Linux user being targeted and exploited by a known issue though, definitely share. I could be forgetting something or unfamiliar.

It’s very possible that it hasn’t happened simply because so few people use Linux, but it doesn’t explain why the few stories we do have don’t rely on these known architectural gaps or bugs, which you would think is an easier approach.

2 Likes

If you/anyone has a story about a desktop Linux user being targeted and exploited by a known issue though, definitely share. I could be forgetting something or unfamiliar.

Much like CVE counting, I don’t think using news reports is a reliable or thorough mechanism for collecting data on this. :sweat_smile:

The number of silent attacks that are never even discovered let alone reported on likely outnumber attacks in the news by orders of magnitude… how would you even gather data on them?

Speaking of silent attacks, improving the system’s security architecture isn’t just about preventing attacks that leverage design flaws. Having a robust security architecture can mitigate the impact of zero days or other kinds of attacks. How many XZs are currently in our supply chains and go undiscovered? We shouldn’t be just waiting around for the next patch to fix the next disclosure. We should be hoping for the best scenario, but preparing for and assuming the worst. Jia Tan went undiscovered for years, and was almost not discovered at all. It’s not unreasonable to assume that somewhere in our current systems (foss or otherwise), there are yet undiscovered supply chain attacks.

Also, are you only including home users here? What about desktop Linux users inside of large enterprises? Cases where a targeted attack could mean targeting an organization for its money, IP, data, etc. My point is that it’s not useful to talk about security in terms of the lowest common denominator or pathway of least resistance, because then you’re just playing whack-a-mole. If developers in the desktop Linux stack were to start focusing heavily on security, and the rate of zero days were to fall, attackers using them would just move on to new approaches. Relying on CVE counts/journalists/news reports for security analysis is a reactive approach. Security needs to be proactive and in-depth. It’s this depth of proactive security that’s lacking on Linux, as opposed to timeliness in fixing zero days (although that’s of course still important).

by a known issue

This was a consequence of a lack of proper sandboxing and a lack of userspace mandatory access control :sweat_smile: . Unintentional damage is still damage

which you would think is an easier approach.

If your options are to hire a red team to develop an attack vector pathway using known architectural weaknesses vs simply buying a zero day, I would imagine the zero day is cheaper.

4 Likes

I make the distinction between real-world reported attacks and theoretical security flaws, because I think it actually does make a huge difference for the end-user, and maybe we just agree to disagree on this point.

It would be a stupid approach for you (distro/app devs) to rely on these reports when figuring out what problems to fix. I just don’t think it is a bad approach for most users to follow when deciding what OS is suitable for them. What developers should concern themselves with mostly doesn’t overlap with what users should concern themselves with.

Many people have an extremely distorted view of what actually matters when it comes to security in their threat model, and these validated reports will paint a much clearer picture of the security landscape today.

Unfortunately, I just see too many security-minded projects cherry-pick theoretical exploits in their competitors to spread fear/uncertainty about, and that highly diminishes the value of knowing about those flaws for a person “comparison shopping” what product/tool/OS to use. Validated, real-world reports are far more valuable information in this situation.

How many people are using Windows because they read a cherry-picked list of problems with Linux which likely don’t apply to them? Certainly a non-zero amount, but because nobody wrote a similarly easily-shareable blog post about all of Windows’s problems, those problems are overlooked by these people. Taking a look at news reports about Windows exploits versus Linux exploits would have pointed them and most people in a better direction.

4 Likes