XFCE and LXQt also secure privileged Wayland protocols.
GNOME is the only recommended DE used in Secureblue, as it's the only Wayland DE that has locked down specific application sharing of things like the clipboard and screenshots, I believe.
EDIT: seems like KDE Plasma version 6.5 is secure now, and that Sway is making strides too.
GNOME and KDE are otherwise the only options. KDE is completely and forever memory unsafe (asked the Devs, never leaving Qt or even allowing Slint into core KDE apps), and GNOME is simply far behind.
@anonymous261, what are they referring to? The fact that they use C++?
I think they are referring to that, although currently, both GNOME and KDE are not mostly written in the safest languages. Additionally, by the time GNOME could make progress on that front, COSMIC may already be out.
A user of F42 Workstation here…
@SkewedZeppelin While Brace is not something I would use personally, I did learn of some noteworthy settings from the repo. I also ended up uninstalling sushi and yelp after reading this topic, so thanks for all the info.
Some things I'd like to add:
- Apparently, disable-microphone does nothing right now. Likely wouldn't hurt to keep it disabled, though.
- Consider adding org.gnome.calculator refresh-interval 0 to prevent GNOME Calculator from periodically fetching exchange rates, which it does by default. (Anyone remember Subgraph OS?)
- The org.gnome.desktop.lockdown section also may be of interest.
I want to like KeePassXC, but it's stuck with Qt5 for the foreseeable future, and has yet to transition to Wayland properly.
For what it's worth, KeePassXC is officially available on Flathub. But at least on GNOME, there's this:
For those who have installed GNOME Calculator as a Flatpak, the command is slightly different:
flatpak run --command=gsettings org.gnome.Calculator set org.gnome.calculator refresh-interval 0
Alternatively, one could disable network access for Flatpak apps globally with flatpak override --unshare=network, and then grant this permission to apps on a case-by-case basis (e.g., flatpak override -u --share=network org.mozilla.firefox).
See also:
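Added example, not part of the post above: a small Python check that works out whether an app still ends up with the network share after a global `--unshare=network` override and a per-app `--share=network` exception. The keyfile texts are constructed samples, `org.example.App` is a hypothetical app ID, and the layer order (global override first, then the per-app override) is an assumption passed in by the caller.

```python
import configparser


def shared_tokens(keyfile_text):
    """Return the tokens of [Context] shared= from Flatpak keyfile text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(keyfile_text)
    raw = cp.get("Context", "shared", fallback="")
    return [tok for tok in raw.split(";") if tok]


def has_network(metadata_text, override_texts):
    """Apply override layers, in the order given, on top of the app metadata.

    A plain token ("network") grants the share, a "!"-prefixed token
    ("!network") removes it, and later layers win over earlier ones.
    """
    shared = set(shared_tokens(metadata_text))
    for text in override_texts:
        for tok in shared_tokens(text):
            if tok.startswith("!"):
                shared.discard(tok[1:])
            else:
                shared.add(tok)
    return "network" in shared


# Constructed samples (assumed file contents, not copied from a real system).
# App metadata as shipped by the app: it asks for network and IPC.
APP_METADATA = "[Application]\nname=org.example.App\n\n[Context]\nshared=network;ipc;\n"
# What `flatpak override --unshare=network` is assumed to store globally.
GLOBAL_OVERRIDE = "[Context]\nshared=!network;\n"
# What `flatpak override -u --share=network org.mozilla.firefox` is assumed to store.
FIREFOX_OVERRIDE = "[Context]\nshared=network;\n"


def audit():
    """Effective network access for an app with and without an exception."""
    return {
        "org.example.App": has_network(APP_METADATA, [GLOBAL_OVERRIDE]),
        "org.mozilla.firefox": has_network(
            APP_METADATA, [GLOBAL_OVERRIDE, FIREFOX_OVERRIDE]
        ),
    }


if __name__ == "__main__":
    for app, net in audit().items():
        print(f"{app}: network {'shared' if net else 'unshared'}")
```

On a real system, `flatpak info --show-permissions <app-id>` and `flatpak override --show` give the inputs to compare against.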
@anonymous261, as in, memory-safe? If so, at least there's a very informal roadmap to improve this on KDE's side:
There's also a very significant debate about it over at their Discourse instance:
I guess this is not the case any more with KDE Plasma version 6.5.