I may be missing something here, but they have an Atomic Distributions section of which the first listing is Fedora Atomic Desktops, and I thought Silverblue is one of those, so does that mean that PG recommends Silverblue?
And my understanding is that Secureblue is adding some hardening. I could just use Silverblue ootb which seems valid because I don’t really understand what Secureblue really does and what benefits it brings me. Also it doesn’t seem widely adopted at present, and to me numbers of users / number of stars on github etc count as a good gauge of how good something is.
Out of interest, how are those issues different on Secureblue. i.e why does SB not require maintenance and command line? You mean opinionated choices like certain browsers, password managers etc are installed by default whereas SB comes with no preinstalled apps? If it’s locked down, could that be good for me if all I want to do is use a browser and not fiddle about with it?
Tbh I really just need to make a choice and get on with it, as for a noob like me, most of the the debate / info goes over my head anyway
Yes, it builds upon fedora silver blue. It’s not a new OS by itself.
Read their GitHub and FAQ. It reduces a lot of open attack surface present in traditional Linux setups and Gnome DE.
Silver blue and secure blue both are atomic systems. Think of it as this: there are 2 sets of files on your computer. One set is files used by you (downloads, music, etc.). And the other set is files used by the computer. (OS files, application config files, etc.). Fedora atomics lock the system files, and thus don’t allow user to make modification to them. This means you can’t break your setup by running some random command, and you won’t have to deal with applications leaving their files all over the filesystem. Installing and uninstalling applications does not load your filesystem with garbage. It also makes updates easier, since it uses a system where it actually creates a new system when updating, and then boots you into the new system when you start your computer again. This means you won’t have to deal with updates while working, and updates won’t be partial (or break your computer). If something does break, you can go back to the previous version of your computer easily.
Silver blue and Secureblue come only with the default packages, outside of the chosen browser (silverblue uses Firefox, secureblue uses hardened chromium).
Use what you want to, I have already contributed what I could to this discussion. My recommendation is secureblue. If you did not want an actually hardened system, then go with any atomic recommended distro. Your usecase was browsers and no fiddling, both of them are satisfied by either of the above depending on whether you want hardening or not.
Feel free to consider other options here, but do remember a lot of Linux users and developers are absolutely ostriches when it comes to user experience and security (they’d rather bury their head in sand and keep recommending the same old failed Linux desktops rather than look at stuff like SteamOS, Secureblue, atomic distros, etc.)
I’m going to try out Secureblue as per @Anon47486929 's recommendation. If I find myself struggling with it after a week or two then I’ll consider something more mainstream like Mint as per @null 's advice.
One other question regarding the chromium browser in SB. Would it be recommended to use any extensions such as ublock / privacy badger / decentraleyes etc etc. If it makes a difference, my router already has adguard home on it with some filtering lists.
I completely agree, but the OP is not using it as their daily driver, and just for internet browsing and saving files. I’d immediately suggest openSUSE Aeon which perfectly fits into that category. However, since they asked about SecureBlue, I thought Brace would be a fine choice, since SecureBlue requires configuration.
As far as I can see in the Linux world, there is not a consensus on how browsers should be installed on a system, and as a consequence there is a divergence of practices. At the center of this issue is the question of whether the security features of the browsers are compromised.
Firefox and Brave browsers have official flatpak packages. On the other hand, there are reasonable arguments that their flatpak packages reduce or remove their security features. So why do the developers of those browsers release official flatpak packages? Either they don’t mind sacrificing security, or there are things that are not as important as claimed.
openSUSE Aeon recommended here includes Firefox’s flatpak package.
Let’s say we installed the browsers with the traditional package types and source tar files, SELinux does not contain policies restricting user applications. Tor and Mullvad browsers are also recommended to be installed directly from the source archive, so they will also have unrestricted access to sensitive files etc. on the system.
So how can immutable -and traditional- distributions be secure to use browsers?
I am not familiar with Firefox usage as either flatpak or any other format. I do know Firefox has its own memory allocator implementation, and its own “sandbox” in desktop, but not much more.
I can comment more on chromium. Chromium engine needs direct access to OS resources for it’s sandbox and process isolation to work as intended and thus it’s always better to layer it (directly install using rpm-ostree or equivalent) in atomic and install using package manager in traditional distros. Using chromium flatpaks is not how it’s supposed to be.
Now to make chromium derivatives work as flatpaks, the packagers use another, weaker sandbox called zypak. This is what Brave, Chrome, etc. use. This allows them to make flatpaks (and thus gain more share among users) with only slight damage to security. Why do they do this? For the same reason mobile applications tend to be present as both iOS and Android, in arch64 as well as universal apk - To capture people who stick to specific formats and types. Since they can do so with only minor damage to security, they ship “official” flatpaks.
So ideally, you should be installing chromium browsers not as flatpaks, but by layering or direct installation.
With regards to secureblue: They ship their own hardened chromium with vanadium patches as system browser, you ideally don’t need anything else (alongside UblockOrigin Lite)
I understand that Linux security doesn’t even come remotely close to Android’s, so I threat model accordingly and don’t care if flatpak versions are less secure.
I don’t even log in to my password manager on my PC, that’s how much I trust desktop OSs.
Ok so I’ve installed SB, followed the pre-install recommendations, and rebased as per the readme.
For the post install it says " After installation, yafti will open. Make sure to follow the steps listed carefully and read the directions closely."
Does anyone know if that was the screen that popped up that said welcome to Secureblue? I accidentally closed that window and now I’m not sure how to get it back up to follow the steps.
The same goes for Windows and any other Linux distribution. MacOS is the only mainstream desktop OS that I would trust and log in to my password manager.
No offense, but your link doesn’t talk anything. It’s a link to a forum question asked 1 day ago about Firefox with no responses. So I would prefer if we don’t imply that the link was useful in any way in knowing what your exact concerns are.
Go pester the devs about it ig. Don’t know what you want me to say. I agree with you that users should be made aware about this. But seeing as how Linux users react to being told Firefox is insecure, Linux is insecure compared to Windows and MacOS, etc. I don’t think most users would be receptive to being told Flatpak is not the silver bullet solution they think it is.
I think you have a misunderstanding about fedora security model. SELinux is a kernel level MAC that confines system process in fedora.
Because SELinux is implemented within the kernel, individual applications do not need to be especially written or modified to work under SELinux
You might be asking about bubblewrap, the application sandbox underlying flatpaks. If you use a flatpak, then yes bubble wrap exists.
If you are asking if non flatpak browser is confined, then I’d recommend you go through the fedora docs and secureblue hardening guide, and understand it from the primary source how applications are usually confined. That might also help dispel certain ideas that are incorrect about how fedora and it’s derivatives work. Secureblue does not write custom selinux policies, it merely enables flags already present in the kernel.
