Which OS for private secure internet browsing PC?

No offense, but that was not the only link I posted.

Actually, I am aware of that, but we know that they have been working on the userspace confinement for some time. Secureblue - Immutable Fedora Hardening - #62 by qoijjj

Yes, I have already commented on this in the secureblue thread.

Eventually secureblue users will want to use other browsers. There’s a general recommendation in the secureblue you suggested to use bubblejail only if the flatpak package of the applications is not going to be installed. There is no mention of whether the hardened chromium browser uses bubblejail or not, nor whether it is necessary for browsers. If there is something missing here, it might be worth mentioning it.

On that note, I chose the non userns version, which I know talked about bubblewrap. Does this mean bubblewrap will still work with flatpaks?

The reason I ask is because my browser of choice has been Librewolf and ideally I’d like to stay with it, but I’m guessing Chromium has been chosen in SB for a reason, so is it a bad idea to use Flatpak Librewolf instead of the bundled Chromium? I don’t really mind Chromium, I just like the familiarity of what I’m used to.

Thanks

Amazing, thank you!

We just shipped built-in content blocking using the same method GrapheneOS’s Vanadium uses (chromium’s subresource filter).

You can always install UBO-lite if you find it lacking (some ads will still show, like YouTube ads, unfortunately, which is also the case on Vanadium).


Either they don’t mind sacrificing security, or there are things that are not as important as claimed.

The former. Brave in particular. For example they have also opted to retain MV2 support. They are willing to sacrifice security for convenience / “privacy”.

So how can immutable -and traditional- distributions be secure to use browsers?

The lack of userspace confinement for desktop linux apps is a fundamental flaw in desktop linux security. It’s not specific to browsers. The problem with browsers is that you unfortunately have to choose between:

  1. a weak sandbox for chromium itself that also unfortunately breaks the browser’s robust internal sandboxing
  2. no sandboxing for chromium but preserving chromium’s robust internal sandboxing

#1 seems like a terrible idea, #2 is less than ideal but highly preferable.

We don’t exclude any vanadium patches that are relevant to the desktop. Please do not spread misinformation about secureblue 🙂

Librewolf might not last much longer, unfortunately.

Native packages and Snaps are fine. Flatpaks not. Flatpaks block the namespace+chroot/pivot_root sandbox layer.

Brave recommends against using their own Flatpak version:

We currently recommend that users who are able to use our official package repositories do so instead of using the Flatpak.

Modern browsers have a multi-process architecture, with sandboxing around the important processes, for example renderer sandboxes, GPU sandbox, extension sandbox and so on. This way you can make these sandboxes much more tailored and thus stricter than you would be able to do around the browser as a whole.

Install them not as a flatpak. That’s independent of distros and doable on immutable ones, too.
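The two conditions this part of the thread turns on (whether a process is inside a Flatpak sandbox, and whether the kernel allows user namespaces at all) can be read from the filesystem. The script below is an added example, not part of any post in the thread; the function names and the ROOT parameter are assumptions made so it can also be run against a constructed directory tree.

```sh
#!/bin/sh
# Added example, not from the thread. ROOT defaults to "/"; passing another
# directory lets the functions run against a constructed tree.

# Flatpak places a .flatpak-info file at the root of every sandbox it creates.
in_flatpak() {
    fp_root="${1:-/}"
    if [ -f "${fp_root%/}/.flatpak-info" ]; then echo yes; else echo no; fi
}

# Sysctl view of user namespaces: "enabled", "disabled" or "unknown".
# An LSM policy (SELinux, AppArmor) can still deny them when this says enabled.
userns_state() {
    ns_root="${1:-/}"
    ns_max="${ns_root%/}/proc/sys/user/max_user_namespaces"
    ns_clone="${ns_root%/}/proc/sys/kernel/unprivileged_userns_clone"
    if [ ! -r "$ns_max" ]; then echo unknown; return 0; fi
    if [ "$(cat "$ns_max")" -eq 0 ]; then echo disabled; return 0; fi
    # Distribution-specific knob (Debian-style kernel patch); absent elsewhere.
    if [ -r "$ns_clone" ] && [ "$(cat "$ns_clone")" -eq 0 ]; then
        echo disabled; return 0
    fi
    echo enabled
}

# One-line summary combining both checks.
browser_sandbox_report() {
    r_root="${1:-/}"
    case "$(in_flatpak "$r_root"):$(userns_state "$r_root")" in
        yes:*)       echo "flatpak: running inside Flatpak's bubblewrap sandbox" ;;
        no:enabled)  echo "native: user namespaces enabled by sysctl" ;;
        no:disabled) echo "native: user namespaces disabled by sysctl" ;;
        *)           echo "native: user namespace state unknown" ;;
    esac
}

browser_sandbox_report /
```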

@sha123 You have already expressed these views in the hyperlinked threads I have attached to my posts and more. I have benefited a lot from your views in the past months, and you have helped me to search for more accurate information in other sources. I thank you for that.

Since this thread is more focused on distributions based on Fedora, I wanted to know if other browsers installed from traditional packages should be restricted by tools like bubblejail, firejail. As we can see the OP is considering using a browser based on Firefox not hardened Chromium.

By the way they wrote the same thing for the official snap package:
You can find Brave in the Snapcraft Store, but while it is maintained by Brave Software, it is not yet working as well as our native packages. We currently recommend that users who are able to use our official package repositories do so instead of using the Snap.

Flatpak uses bubblewrap. So yes, it does work.

Just ditch librewolf (reasons stated by others in the thread above). My opinion is staying with the native hardened chromium is definitely better.

You can always do it, it’s your PC. But since it’s slightly complex, I would not suggest it for someone new to Linux.

Use this to set up the instance: Bubblejail - ArchWiki

Then use this tool to set up the rules: GitHub - igo95862/bubblejail: Bubblewrap based sandboxing for desktop applications

As for if you should, I don’t. Browser is a complex OS-like application on its own, and I trust my browser to not access my filesystem or my system maliciously. I also trust chromium sandbox to prevent malicious attacks from escaping. If you are looking for a definitive answer, ask security experts ig (although I haven’t seen any serious conversation between experts that recommends sandboxing browsers explicitly on Linux, outside of hobbyist users on forums.)

👍

That’s good to know, thanks 🙂

Basically then I’m going to follow all the post install recommendations, and use it as is (other than maybe adding uBO lite and my VPN app). Sounds like I don’t need to worry about additional sandboxing. I assume I should apply all updates as soon as they become available, and they are updates from Fedora, not SB - and they will all play nicely with SB tweaks?

I am sorry if I got that wrong.
There used to be a table with all the Vanadium patches and marking which were/weren’t included and why, no? I can’t seem to find it…

A bit of feedback for @qoijjj from a linux noob’s perspective:

I think the post install documentation could be easier. I’m getting lost in the steps required.

A few examples:
ujust enroll-secure-boot-key

It rebooted to BIOS and I had to select options on a menu, I think I’ve done it right but not sure how to verify.

GRUB
Is this a password required for modifying boot entries (order) in the BIOS? Not really sure what the expected result is. However I did notice the disk encryption password that I was having to enter on boot is now not coming up anymore for some reason?

I skipped the wheel section and went on to do bash lockdown and LUKS TPM2 sections.

When I now try to do the wheel section - adduser admin, I get the response
User add : Permission denied
User add : Cannot lock /etc/passwd - try again later

Maybe it’s because I didn’t do the list in order? Also it mentions about rolling back to a snapshot but wasn’t sure how to create one. Also in discovery software centre it’s not showing anything and saying not connected when I am.

Maybe it’s just a sign that if I can’t navigate through the post install instructions then I’m out of my depth (I know that’s the case really!)

Why was the OP’s post flagged?

I had a message:

Your post was flagged as spam: the community feels it is an advertisement, something that is overly promotional in nature instead of being useful or relevant to the topic as expected.

Not sure what in relation to though

In my humble opinion, you probably should’ve gone with something easier to use, like openSUSE Aeon for example which requires little to no maintenance and is quite fine for Linux beginners.

Well, it certainly wasn’t spam. Perhaps someone accidentally flagged the post? I’m not sure, but it’s certainly not an advertisement.

I may yet still give it a try. What does it mean by “Aeon is still in a Release Candidate stage!”?

It’s not officially released, but it doesn’t matter because it works flawlessly.

Yes, but it’s pretty much finished, according to them:

RC3 may be the final Release Candidate before Aeon’s official release. There are no major structural changes planned to the core Aeon OS, just regular improvements as upstream versions develop and our community contributes to new features and packages.