Which Debian-based Linux distro offers the best security?

PG has been unbelievably helpful as I move from the Appleverse to FOSS and privacy-respecting providers. The one area I am having trouble with is finding the right Linux distro. I know PG recommends Fedora or Tumbleweed for new Linux users. I have tried both – my problem is not with the distros themselves, but with their lack of compatibility. Many tools recommended here (Signal, Element, etc.) don’t officially support Fedora. Almost nothing officially supports Tumbleweed.

I know there are workarounds and unofficial ways of downloading these things, but I’m not yet (and may never be) comfortable going that route. It seems that for me to be able to do what I’m looking to do (get official support for all PG tools), I’ll have to go with a Debian-based distro.

I know PG recommends against Debian-based distros because of security concerns. I’m very glad PG makes that distinction because security is highly important to me (security concerns are the primary reason I’ve hesitated to leave MacOS.) But is there still a use-case for someone like me to use a Debian-based distro, or should I just stick with MacOS?

If so, which distro offers the best security? Debian, Ubuntu, Mint, Pop!_OS are the distros I’ve considered so far, but I’m open to any suggestion.

Thanks again to everyone who contributes here!

Yes definitely. I think the argument about outdated software is overstated, particularly as flatpak and snap become more and more common.

I personally think that Ubuntu is still a really solid choice for a distro, especially a first distro.

If so, which distro offers the best security? Debian, Ubuntu, Mint, Pop!_OS are the distros I’ve considered so far, but I’m open to any suggestion.

In the context of security, of the 4 distros you mentioned, Mint would be my 4th choice (not that it’s horrible, but they haven’t historically prioritized security to the extent their upstreams (Ubuntu and Debian) do). It’s not a bad distro in other regards (it was my first or second distro, and I really enjoyed it, and a great beginner distro).

I’d say Pop!_OS might be a strong option in another couple years. I have a generally positive impression of the work they are doing and the attitude and seriousness of the developers, but they are really focused a year or two in the future right now.

Debian wouldn’t be my first recommendation for a desktop distro, though it’s certainly an option, and I’ve used it in the past (still use it, but in a server context). It can be a great choice for a somewhat more experienced user, but it’s not the ideal choice for a first-time Linux user in my opinion. There is a security-focused derivative called Kicksecure, which I haven’t personally used, but I think it’s likely not the best choice for a beginner.

That leaves Ubuntu. It’s a solid general-purpose distro, and security and reliability are top priorities in my experience (OpenSUSE and Fedora/RHEL are also in this category in my eyes). If you want a Debian-based distro that is both easy to use and has pretty good security out of the box, Ubuntu 24.04 would be my recommendation.

TL;DR: Ubuntu 24.04 is the Debian-based distro I’d recommend to you.

7 Likes

Debian is good. I’d also throw Linux Mint and/or LMDE into the mix. I think distros that have a good community get extra pluses next to their names. Such can help with support and be great learning experiences.

While Ubuntu is old as time and a well-known name, they kind of bloat their releases, especially lately. I’d not recommend them unless someone really wants to use it, as the user experience may not be good, especially for someone’s first Linux.

If I had an Apple device, I would stick to MacOS. It’s a good compromise of security, privacy, compatibility and usability.

Latest Ubuntu Pro.

1 Like

Ubuntu is made by Canonical, a for-profit company. I would not fully believe them.

I’d add that clean Debian is good. However, I wouldn’t touch LMDE.

@Eazy what’s your take on AlmaLinux?

They aren’t security focused. Fedora and openSUSE are.

I don’t know much about it, but it looks like it uses .rpm, not .deb. If I’m going with .rpm, I’d probably just stick with Fedora because I really liked it. The problem is that too much of what I want to use officially supports only .deb.

1 Like

Could you name those applications?

This is super helpful, thank you! I was leaning Ubuntu because it seemed to me like they were more security-focused than the others – nice to see someone else confirm that.

For OpenSUSE, it’s Proton, Mullvad, Signal, Element, and a few others. For Fedora, the big ones that aren’t supported are Signal and Element.

Although now I’m realizing that OpenSUSE also uses .rpm, so does that mean that if there is Fedora/.rpm support, it will work with OpenSUSE? I’m primarily thinking about Proton.

But I’m also concerned about future apps I’m not thinking about. It just seems like .deb is the default that every program adds before they get to .rpm.

1 Like

I can help you to get all of your apps working.

Do you use Matrix?

It’s ultimately up to your threat model and values. MacOS seems to offer some security features that desktop Linux may be missing. I think it ultimately comes down to how much you trust Apple and the legal jurisdictions they may be subservient to, as well as whether or not your threat model necessitates that you take action to attempt to protect yourself from said entities to some degree or other.

If you find those entities to be trustworthy and non-threatening to you, then I suppose it would make sense to stick with Mac, strictly from a privacy and security perspective. Though I’d argue there are more factors at play when it comes to which devices and software people should use, such as how well they respect freedom and right to repair, among other things. But that’s kind of off-topic for this forum.

You might’ve noticed that Privacy Guides does have a soft recommendation for Kicksecure, a Debian-based distribution. But you also mentioned earlier that you’re not comfortable with using workarounds to getting official builds of applications, presumably because you’re unable or unwilling to use things like Toolbox which come with Fedora Atomic Desktops. If that’s the case, Kicksecure is definitely not for you.

I started a discussion not too long ago about having to use Debian-based distributions as an alternative to Fedora with one of the reasons being the lack of official RPM or Flatpak application builds. To save yourself some time from reading the whole thread, you can just read the summary of the conclusion I came to about Ubuntu. The short version is that Ubuntu (as well as other “just works” Debian-based distributions) probably isn’t as good as something like Fedora, but if Fedora doesn’t work for you, the latest version of Ubuntu is probably the next best thing. (Though @sha123 recommends the latest version of Ubuntu Pro instead, which I believe is only available for LTS… so I’m not quite sure which would be preferable.)

The reason I don’t recommend other Debian-based distributions is because they are either too difficult to use (such as Kicksecure) or not as secure (such as Pop!_OS, Linux Mint, etc) as most of them typically use X11, are further away from upstream, and are further behind in updates compared to the latest Ubuntu release. That being said, when distributions like Pop!_OS switch to Wayland, the potential security benefits of Ubuntu over their derivatives will shrink and those distributions can become more appealing alternatives. I’m not sure if I could ever recommend Linux Mint because of their terrible security track record, but if enough time passes without further incidents, maybe they won’t be so bad compared to Ubuntu (once they switch to Wayland, of course).

2 Likes

Exactly the kind of information I was looking for, thank you. I’ll definitely read through that thread.

I’m pretty set on leaving MacOS just because I strongly prefer the ethos of FOSS/privacy-focused organizations and want to avoid supporting/using the big tech players as much as possible.

I’d like to go with a PG-recommended distro as soon as possible, but it feels like to start I really do need a .deb-compatible distro, at least until I get more comfortable in the Linux world. From what I’m reading, it does seem like Ubuntu is the least worst of the options.

Thanks for the help!

2 Likes

I use openSUSE Aeon and just have an Ubuntu distrobox where I can install .deb packages.

1 Like

Kudos to you for caring, not many do.

2 Likes

A post was split to a new topic: Why aren’t LTS distros notorious for security breaches?

@Lukas let me paraphrase your words a little: not many people can abandon big players, because of work assignments, habits, etc. It’s not always because they don’t want to.

Only a small number of people REALLY need big players. Examples of those people are the ones whose lives are built on using Adobe software.

You suggesting gamers/graphics designers?

Anyone who needs Adobe software to put food on their tables.

1 Like