Vanilla OS is a semi-immutable atomic distro based on Ubuntu, that features the apx package manager. This awesome program gives you dedicated, isolated containers for all the major distros, and the ability to install apps from those sources that are fully integrated into your system, eg apx --apt instal for Ubuntu apps, apx --dnf install for Fedora apps, and apx --aur install for Arch apps. This works for command line and graphical applications, and it also has Flatpak with Flathub and nix out of the box, so you can install pretty much any Linux app.
I said “semi-immutable”, because there is a command to enter the root partition (sudo abroot shell), for doing things like installing drivers, but they recommend doing this as little as possible. It makes it a much better solution than Fedora Silverblue for the average user, with all this flexibility. I think it deserves a spot on the recommended Linux distro list. It is aiming to be beginner-friendly eventually, but it is still recommended to have good Linux knowledge to use it for now.
Last time I checked, VanillaOS didn’t have a way to enable disk encryption during install. Until this changes, I’m not sure it should be considered.
Other than that, however, I do agree, VanillaOS is a really interesting project and worth keeping track of for future developments. Another project that does a similar thing is blendOS.
Probably not. Something more faster than whatever their cadence is more desirable. Something based on Sid is probably desirable but that might introduce breakages for the user. Although I’ve heard elsewhere that Sid is pretty much becoming more and more stable these days.
They’re not really isolated, despite being advertised as “a sandboxed environment” Chronos all apx is, at least now is a very bare bones wrapper for distrobox which explicitly states sandboxing is the opposite of their goal https://github.com/89luca89/distrobox#security-implications (although they may add a sandboxed mode at some point)
Don’t get me wrong, I like the idea of having an immutable base and installing all user apps in sandboxed containers, but it’s not quite there yet and doesn’t yet provide the level of isolation they seem to imply in their docs.
This looks interesting, just have a couple questions:
This looks pretty similar to Advanced Intrusion Detection Environment (AIDE), how is it different and what advantages does it bring?
Does it make use of Linux’s Integrity Measurement Architecture (IMA)? Why or why not?
Not bad as long as it’s optional, although the only real use case I ever have for it is the compliance checkbox in enterprise settings.
Also of note is picosnitch which has the option of checking programs with VirusTotal which has much better detection and community ratings.
Thanks for you work on Vanilla OS! It’s starting to tick off more and more of my check boxes.
Hello! I’m the developer of FsGuard and a VanillaOS developer (Monster notified me of this thread)
This looks pretty similar to Advanced Intrusion Detection Environment (AIDE), how is it different and what advantages does it bring?
I’ll be completely honest, I was not aware of AIDE when writing FsGuard, both seem to be doing the same, with the difference that FsGuard also checks if a file has the suid bit, and modifies it according to the initial database.
Does it make use of Linux’s Integrity Measurement Architecture (IMA)? Why or why not?
No, it does not use IMA, my main reason for that was that IMA requires specific options to be enabled in the kernel configuration, which is why FsGuard has it’s own system. Although I could imagine adding support to utilize IMA in the future.
Not bad as long as it’s optional, although the only real use case I ever have for it is the compliance checkbox in enterprise settings.
Yes, current plans are to make it opt-in, since we are well aware that some people report high cpu/memory usage when using clamav
Also of note is picosnitch which has the option of checking programs with VirusTotal which has much better detection and community ratings.
I am a user of picosnitch myself, but I never thought of shipping it in VanillaOS, it could be considered for a future release.
As a former AIDE user currently looking for something better, the biggest area of improvement is the the signal to noise ratio. AIDE requires lots of configuring to get right, so if FsGuard already has good out of the box defaults it’s miles ahead in my books. This means checking all the right system and configuration files to monitor, and omitting frequently changing log/tmp files, and omitting package updates if the changed hashes match the upstream hashes.
This would be a nice feature, especially if I don’t have to customize the kernel myself and just install whatever is required from your repos. I can see why you’d add your own system first though since a kernel with IMA probably has too much of a performance trade off for most users, especially for gaming I imagine.
I would like this too, especially since I think it would need to be installed on the host instead of inside a container, and I am not sure how easy this is to do on Vanilla OS with immutability.
The release notes for Vanilla OS 2 (Vanilla OS) include “Orchid takes your data security seriously, this is why we suggest encrypting your personal data by default, ensuring it stays private and protected from unauthorized access.” which suggests that disk encryption is an option during install.
Yes, Orchid has an option in the installer to encrypt your /var partition (and user files are stored in /var/home, like Silverblue). The rest of the root is immutable/atomic, and protected by FsGuard (which was explained by its developer earlier in this thread).
I tried Vanilla OS Orchid for a bit… just to switch back to Fedora very quickly.
I noticed a few things:
Installation is takes long time (probably because of this A/B partition scheme)
If you have a bad connection, finishing the app installation takes also a very long time (because every app it installs is Flatpak)
The subsystems via apx didn’t worked at all (failed immediately with exit code 255)
no Secure Boot support (the handbook of the previous version says “Good to have Secure Boot enabled” - didn’t got to the login screen after unlocking the disk)
uses X11 instead of Wayland (unsure if it’s just with Nvidia drivers or always)
The project has potential definitely, but it’s currently not ready imo to be mentioned on Privacy Guides if you ask me.
I apologize for reviving this conversation, but is there going to be any progress with adding VanillaOS as a recommendation, or is it going to be rejected? VanillaOS Orchid 2, was released a a few months ago
It is unfortunately not rolling release, however. It does support full disk encryption. It almost fits the criteria below, with a few issues:
Free and open source.
Receives regular software and kernel updates. (No, it’s point release like Debian)
Avoids X11, as its last major release was more than a decade ago. (Uses GNOME)
Supports full-disk encryption during installation.
Doesn’t freeze regular releases for more than 1 year. (No, it’s point release like Debian)
Supports a wide variety of hardware.
Preference towards larger projects. (It’s not…)
(No, it’s point release like Debian)