XFCE and LXQt also secure privileged Wayland protocols.
GNOME is the only recommended DE used in Secureblue, as it’s the only Wayland DE that has locked down specific application sharing of things like the clipboard and screenshots I believe.
GNOME and KDE are otherwise the only options. KDE is completely and forever memory unsafe (asked the Devs, never leaving Qt or even allowing Slint into core KDE apps), and GNOME is simply far behind.
@anonymous261, what are they referring to? The fact that they use C++?
I think they are referring to that, although currently, both GNOME and KDE are not mostly written in the safest languages. Additionally, by the time GNOME could make progress on that front, COSMIC may already be out.
A user of F42 Workstation here…
@SkewedZeppelin While Brace is not something I would use personally, I did learn of some noteworthy settings from the repo. I also ended up uninstalling sushi and yelp after reading this topic, so thanks for all the info.
Some things I’d like to add:
- Apparently, disable-microphone does nothing right now. Likely wouldn’t hurt to keep it disabled, though.
- Consider adding org.gnome.calculator refresh-interval 0 to prevent GNOME Calculator from periodically fetching exchange rates, which it does by default. (Anyone remember Subgraph OS?)
- The org.gnome.desktop.lockdown section also may be of interest.
I want to like KeePassXC, but it’s stuck with Qt5 for the foreseeable future, and has yet to transition to Wayland properly.
For what it’s worth, KeePassXC is officially available on Flathub. But at least on GNOME, there’s this:
For those who have installed Gnome Calculator as a Flatpak, the command is slightly different:
flatpak run --command=gsettings org.gnome.Calculator set org.gnome.calculator refresh-interval 0
Alternatively, one could disable network access for Flatpak apps globally with flatpak override --unshare=network, and then grant this permission to apps on a case-by-case basis (e.g., flatpak override -u --share=network org.mozilla.firefox).
See also: