Thoughts on Universal Blue (Bluefin, Bazzite, Aurora)

Ublue.it
Ublue is a container focus dostro which is built using fedora and ostree.

Please put more effort into your posts. As Jonah recommended in a thread you opened more than a year ago,

I would recommend reading Linux Overview - Privacy Guides, and if you have additional desktop OS recommendations you can create one new thread in the Tool Suggestions category here for each one, as long as reasons why it should be added instead of just a link to their website.

Include ublue images

Please make your case (in more than 3 words)

Why do you believe uBlue should be recommended instead of (or along with) the currently recommended distros? And which specific uBlue image would you like to see recommended?

What Privacy and/or security advantages does uBlue have that would warrant a recommendation over the dozens of other good Linux distros out there (especially Fedora Workstation, and Fedora Silverblue which are already recommended).

Universal Blue as a project is interesting to me, I have Bluefin installed in VM right right now, but I am not sure it has any standout security or privacy features that warrant recommending it officially at this point in time. And in terms of security I tend to have a bit of a bias towards larger well established upstream projects, than smaller less established projects if there focus isn’t specifically security (e.g. Kicksecure). That said, I’m only mildly informed about uBlue, if you are aware of specific ways in which it improves upon the security or privacy of Fedora Atomic distros, I’d be really interested to hear more about them.

This includes all the codecs and everything that is needed to run a system and secondly this works out of the box for all systems. With better battery life.
And all other details are already covered in their website.

For anyone who’s curious: Universal Blue is a family of dozens of unofficial Fedora Atomic images. They all feature QoL additions such as rpmfusion codecs, as well as other software.

Aurora and Bluefin are their featured KDE and Gnome images. Aurora is just vanilla KDE with more preinstalled software. Bluefin tweaks the Gnome shell to offer an Ubuntu-like desktop.

I think these images do offer a better experience than the upstream Fedora Atomics. New users exploring Fedora Atomic will likely find these helpful.

On a related note, Secureblue, which we’ve discussed previously, is a UBlue descendant.

Was there a follow up to this discussion? I was just debating if I should try Kinoite when I found about this ublue project.

Honest, I’m not a big fan of those small projects modifications. It isn’t clear at least for me if there are big gains trying it over Kinoite.

What about codecs?

Everything you need is included.

How is this different from Fedora Kinoite?

Other than the visual differences, and codecs, there are some other key differences between Bluefin and Fedora Kinoite from a usage perspective:

** Aurora takes a greenfield approach to Linux applications by defaulting to Flathub and brew by default*

** Aurora doesn’t recommend using Toolbx - it instead focuses on devcontainers for declarative containerized development. You can use Podman or Docker to run and bootstrap your containers.*

** Aurora tries to remove the need for the user to use rpm-ostree or bootc directly*

** Aurora focuses on automation of OS services and upgrades instead of user interaction. Upgrades are automatic and silent, so you never have to think about it again.*

Starship is not for me, how do I disable it?

You can remove or comment the line below in /etc/bashrc to restore the default prompt.

Source: Introduction to Aurora - Docs - Universal Blue

With ostree based systems, it’s quick and easy to switch to entirely different images. So you can start with Kinoite, then use ‘rpm-ostree rebase’ to switch to ublue, aurora, or secureblue, and switch back if you don’t like the changes.

I am fairly familiar with Universal Blue and with their website.

I was asking you to make the case, because (1) you are proposing it be an officially recommended, and (2) I’m not aware of any privacy or security related advantages universal blue has over Fedora, Silverblue, or other already recommended distros.

I have a mostly pretty positive opinion of uBlue as a project for hobbyists and diy-ers, but I haven’t seen any reasons why it should be specifically recommended by PG over the hundred or so other desktop linux distros, or over the currently recommended distros, and I do see potential risks to officially recommending small and new-ish forks with lots of feature churn/active development, that fall (somewhat) towards the hobby project side of the spectrum (though tbf it’s not entirely fair to characterize uBlue as a hobby project).

Are there specific privacy or security qualities that lead you to want Universal Blue to be added, or would it be fair to say you are more or less looking for a PG seal of approval for a distro that you like for personal reasons unrelated to privacy+security?

I’m not the OP, but I agree that this post should advocate for the request. When considering their project, one aspect that could be highlighted in favor is its potential to be more “approachable” for a new Linux user.

On the other hand, there are a few concerns to address. From a security perspective, we would be introducing a “man in the middle” to handle the updates from Fedora, which, in my opinion, presents a potential disadvantage. Regarding privacy, if I’m not mistaken, Homebrew includes Google Analytics by default, and it is up to the user to deactivate it.

Personally I wouldn’t consider universal blue images (or any immutable Linux distro currently) to be more approachable for a new Linux user. A couple years down the road, I think that Bluefin could be.

While it has some small conveniences like pre-installed codecs or nvidia images, that are sometimes nice to have by default, but it also introduces a lot of new, somewhat obscure, and in some cases fairly inaccessible/esoteric or niche features and concepts that are geared more towards power users than new users.

I think that in 1-3 years Bluefin might be a great option for newer users, but its not a distro I would recommend to inexperienced users at this point personally (despite my support for the goals of the project). I do think in the future, immutables, will eventually become a good recommendation for new users, but I don’t think we are there yet.

Also worth noting that things like installing codecs on the base image is only needed if you have a reason to do so, flatpaks are the preferred method of installing applications with immutable distros, and flatpaks don’t need (or benefit from) codecs being installed to the base image as far as I understand.

I don’t recall your experience with Linux, but if you are a new-ish user (or even if you are not) I’m curious what your experience with universal blue or any other immutable distro has been like so far?

Well, I’ve been preferring Silverblue for new Linux users who have basically Chromebook type requirements, if I’m setting it up for them initially.

But for new users installing it themselves or users who are actually interested in learning about Linux instead of just their web browser, then yeah probably not.

I think this type of user/use-case (an inexperienced user who is only a user / won’t administer or setup their own system and has very basic needs) is the ideal user/use-case for immutable Linux distros. Immutables really shine in this context.

But for inexperienced users who’s needs exceed the bare basics by just a little bit, or who need to diverge from the defaults just a little bit, and won’t have someone else to setup their system and rely on for tech support, I think Linux immutable are not yet the optimal choice (but I expect this to change with time as things mature, documentation improves, and the userbase grows).

I don’t have a strong formed opinion on this. I didn’t use an atomic Linux distro before. I heard many saying it is the future. I’m attracted by the version upgrade aspect that seems to be quite easy compared to their traditional counterparts. Anyways, back to the main question, probably the ublue distros don’t make a case to continue discussing their entrance into the recommended distros by the PG guides.

Secureblue might be worth a better recommendation

3 posts were split to a new topic: Would an atomic Linux install prevent Crowdstrike-like issues?

I’m resurrecting this old topic with a question.

Is anyone aware of any specific security or privacy regressions or downsides of Bluefin and Bluefin DX compared to upstream (Fedora Atomic / Silverblue)?

Not really, but what does it offer over Fedora Silverblue?

The main downside to universal blue is the additional software and sources adds attack surface. You are trusting the universal blue devs and the software they choose to add to the images, in addition to Fedora.

As for benefits, the main are:

• Automatic updates in the background. Fedora Atomic generally don’t update without user approval, but universal blue runs all updates automatically.
• rpmfusion codecs (needed for AMD/Intel hardware video decoding, improves power/performance efficiency for video playback)

Various (mostly small or structural) differences ^[1], that don’t relate directly to privacy or security, and a slightly different set of design goals and priorities.

The TL;DR of why I’m interested in it, is simply that the base image is a little closer to how I’d prefer it to be ootb compared to Silverblue, and I find the design philosophy appealing (or at least interesting). But it comes down to my personal preferences, not privacy/security or anything being objectively better.

I personally view uBlue as more of an extension of Fedora Atomic Desktop, not an alternative distro/set of distros

As @dumpster correctly notes, there is an additional (smaller and less well established ) 3rd party to trust (trust to be competent, trust to be reliable, and trust to be responsible). That is a factor that should be taken seriously.

1. I need to refresh my knowledge on the specifics, but some examples are distrobox and codecs in base image, flathub ootb, tailscale ootb ↩︎