Ubuntu Core\Desktop + Kicksecure

Is it possible to use Ubuntu Core as a daily driver?

I couldn’t find any information on whether it uses a graphical interface like GNOME\KDE.

I feel insecure using Fedora Workstation\Silverblue. I am unable to make its security stronger by following tutorials I found outside. It was all very tiring, without finding support to reduce the attack surface as much as possible. The feeling I get is that the Linux community expects anyone approaching these systems to know programming or spend hours (days, weeks) researching, which in the end results in having to learn about programming.

It is exhausting to move from Windows to a system with a Linux kernel maximized for strong security and QubesOS is not an option for me.

I’ve been researching for months and I’m distressed, almost giving up on changing OS, because the feeling I get is that it’s very easy for some program, even without malicious intent, to gain access to some confidential data because of some memory leak, etc., between applications caused by the system architecture itself.

That’s why I’m interested in:
Ubuntu Core + Kicksecure. Or Ubuntu Desktop + Kicksecure.

I’m going with Ubuntu because it’s based on Debian (for installing Kicksecure) and among the options I’ve researched it seems to be the most ideal for the average person with little knowledge of Linux in general. And Ubuntu Core because from my research it’s similar to Fedora’s immutable system, allowing less chance that I, or a relative or friend will break some program (or part of the system), or get spyware\trojan\rootkit, etc., in an “unintentional” way.

My threat model is related to passive attacks (malware from PDFs, etc.), mass surveillance and capitalist surveillance.

Opinions? Advice? Nudges? I’m open to anything. Good night to you!


(English is not my native language. Forgive any mistakes or rudeness, it’s not intentional, please)

I don’t have any relevant experience using Ubuntu or Kicksecure, so if you’re absolutely set on that, that’s fine and hopefully someone who can help will come along and chime in. However, I wanted to touch on a couple other points in your post.


Can you elaborate on why you feel insecure using Fedora? Especially since your threat model seems fairly average and in line with the general recommendations, following them seems like it would be a great starting point for you!

An important note is that comparing Windows to Linux is comparing one operating system to dozens. There are going to be some Linux distributions that are more user-friendly and others that are very technically complicated. Further, there may be options or considerations that are presented to you when using a Linux distribution that you never encountered when using Windows. This is all to say that you could spend an immense amount of time and effort creating the most secure Linux environment possible, but the amount of time and effort to create an environment similar to what you are used to with Windows may be relatively small.


A final comment: feeling exhausted and overloaded by information is totally understandable. It’s a classic saying around here, but remember not to get so lost striving for perfection that you lose out on good enough! Think about trying to create a solid foundation initially, and building on top of it when you find the time, energy, and motivation to do so.

Fedora + my Brace is far easier and more up to date, and you get other benefits like the GrapheneOS hardened memory allocator and my real-ucode package for newer microcode.

It must also be noted that immutability offered by current atomic Linux distros is NOT a security feature. And I’d argue their reliance on 3rd parties like Flathub and Snap potentially increases risk over official first-party repositories.

7 Likes

You may want to check this out.

1 Like

What’s the official way of installing it? Building it from source?

Sorry I’m on my phone so if there is an official way of installing it in Fedora I’ve missed it.

Edit: Am I correct in that the best way is to use the Fedora CI RPM?

@Ganther
The correct way would be the GPG-signed releases:

sudo dnf install https://divested.dev/rpm/fedora/divested-release-20231210-2.noarch.rpm
sudo dnf install brace
#the next steps are optional but recommended
sudo brace-enable-rpmfusion #if you want foss but patent encumbered codecs
sudo dnf swap mesa-va-drivers mesa-va-drivers-freeworld --allowerasing #to fix hardware video acceleration
sudo brace-installer #to install recommended programs
sudo brace-supplemental-changes #for additional global changes
brace-supplemental-changes #for additional user changes
sudo dnf install firejail hardened_malloc && sudo firecfg #for extra security

Note: adding the repo automatically pulls in real-ucode.
The list of packages divested-release can provide is also hardcoded to prevent any other replacements.

4 Likes