cross-posted from: https://lemmy.ml/post/12400033 (Thank you https://lemmy.ml/u/Kory !)

I first used Linux about 5 years ago (Ubuntu). Since then, I have tried quite a few distros:

Kali Linux (Use as a secondary)

Linux Mint (Used for a while)

Arch Linux (Could not install)

Tails (Use this often)

Qubes OS (Tried it twice, not ready yet)

Fedora (Current main)

For me, it has been incredibly difficult to find a properly privacy oriented Linux distro that also has ease of use. I really enjoy the GNOME desktop environment, and I am most familiar with Debian. My issue with Fedora is the lack of proper sandboxing, and it seems as though Qubes is the only one that really takes care in sandboxing apps.

Apologies if this is the wrong community for this question; I would be happy to move this post somewhere else. I’ve been anonymously viewing this community after the Rexodus, but this is my first time actually creating a post. Thank you!

UPDATE:

Thank you all so much for your feedback! The top recommended distro by far was SecureBlue, an atomic distro, so I will be trying that one. If that doesn’t work, I may try other atomic distros such as Fedora Atomic or Fedora Silverblue (I may have made an error in my understanding of those two, please correct me if I did!). EndeavourOS was also highly recommended, so if I’m not a fan of atomic distros I will be using that. To @leraje@lemmy.blahaj.zone, your suggestion for Linux Mint Debian Edition with GNOME sounds like a dream, so I may use it as a secondary for my laptop. Thank you all again for your help and support, and I hope this helps someone else too!

  • Charger8232@lemmy.ml (OP) · 7 months ago

    Great questions! I’ll try to answer as best I can.

    Is Qubes OS not ready yet for your intended workflow/usage? Or are you not ready to make the complete switch (yet)?

    Qubes OS has a very steep learning curve due to its difficult usability, so the answer would be “both”. I am willing to tackle and overcome, but I’m not ready to put in that work yet, if at all.

    Unfortunately, in almost all cases, increased security/privacy is achieved through the loss of convenience. Therefore, you should ask yourself what the minimum level of security/privacy is that you absolutely require/need. How’s your threat model defined (if at all)?

    I have a really funny story regarding threat models. When I first got into privacy 2-3 years ago, I had the goal of getting as deep as I could (the “strictest threat model possible”) and work backwards to find out what I was willing to allow. I succeeded, but because I had gone too deep before I learned what a threat model was, I never made a clear threat model. I have a “subconscious” threat model. I have, over the past week, started working on answering the classic questions. I am trying to protect against “evil” corporations, and such, I must also protect myself against some low level government threats. My threat model “philosophy” is: I will not use a piece of software if it actively goes against me in terms of privacy. Windows, for example, is a pain to try to use while maintaining privacy.

    You are the third person to recommend SecureBlue (I’ve been keeping track), and since it is a “Fedora Atomic spin” (Fedora Atomic as well as Atomic distros in general were also recommended three times each), I believe I will switch to it to see how it is. By the way, I love the mention of GrapheneOS, since that will eventually (finances be blessed) be my main mobile OS for the rest of my life. I wish there was a true “Linux alternative to GrapheneOS”.

    • Throwaway1234@sh.itjust.works · 7 months ago

      Thank you for your elaborate answers!

      Qubes OS has a very steep learning curve due to its difficult usability, so the answer would be “both”. I am willing to tackle and overcome, but I’m not ready to put in that work yet, if at all.

      Qubes OS is definitely more involved than the average distro, so I can understand why you feel that way.

      I have a really funny story regarding threat models. When I first got into privacy 2-3 years ago, I had the goal of getting as deep as I could (the “strictest threat model possible”) and work backwards to find out what I was willing to allow.

      Hahaha 🤣, very relatable; I almost wanted to learn SELinux for hardening purposes. Thankfully, Qubes OS exists as my endgame, which deterred (most of) the motivation (and need) to comprehend SELinux in the first place.

      I have a “subconscious” threat model. I have, over the past week, started working on answering the classic questions. I am trying to protect against “evil” corporations, and such, I must also protect myself against some low level government threats. My threat model “philosophy” is: I will not use a piece of software if it actively goes against me in terms of privacy. Windows, for example, is a pain to try to use while maintaining privacy.

      We can work with that, though I kindly implore you to further work out your threat model. It will(/should) give you some peace of mind (or at least a security/privacy roadmap on which you can (slowly but steadily) work towards). If I would have to distill your philosophy, it would be something like “be protected from attacks targeted towards low(er) hanging fruit”. Would that be fair?

      You are the third person to recommend SecureBlue (I’ve been keeping track), and since it is a “Fedora Atomic spin” (Fedora Atomic as well as Atomic distros in general were also recommended three times each), I believe I will switch to it to see how it is.

      Great choice! FWIW, I’ve also been on it for a couple of weeks now and I’ve really been enjoying it. Before, I had my own custom image that was built using the (legacy-)template from uBlue. I tried to harden it myself 😅, and I would argue I did and achieved some cool stuff with it. But, it’s very clear that my technical knowledge doesn’t even come close to that of secureblue’s maintainers. I just wish I had rebased earlier 😅.

      By the way, I love the mention of GrapheneOS, since that will eventually (finances be blessed) be my main mobile OS

      I definitely agree with that sentiment. Btw, FWIW, I know for a fact that at least one individual that’s associated with GrapheneOS has ‘contributed’ to secureblue.

      I wish there was a true “Linux alternative to GrapheneOS”.

      Hehe, without going into what that actually means and would entail, I agree 😜.

      • Pantherina@feddit.de · 7 months ago (edited)

        I just wish I had rebased earlier 😅.

        No you don't, haha. I used it in a VM, then on a separate SSD. In the beginning it was a total mess with random packages removed and we needed to find out ways to disable stuff like printing, so they can be added back.

        Btw if you find a reliable way to 100% disable kde-connect, that would be awesome as it could be added back.

        override removed packages on these images can neither be added back nor reset, an rpm-ostree bug/issue.

        Firefox from Fedora now supports using hardened_malloc instead of their jemalloc, so a custom image just adding back Firefox would already work.

        After rebasing my ublue kinoite to secureblue I found that Firefox no longer started, lol. Learned how to compile it myself and dug into mozconfigs, really interesting stuff (short: if you optimize too much you break their build for some reason). Now because of weird mercurial stuff it doesn't compile anymore at all, so I use Chromium which sucks a lot.

        Also had my system not boot twice, because of shitty Lenovo firmware and then because of the iwlwifi firmware bug.

        Aaaand more. At the beginning there was no flatpak support, then only with bubblewrap-suid which is controversial and podman is broken, luckily there are userns images now.

        The hack to use hardened_malloc on Flatpaks is also very nonstandard and electron apps do completely random things it seems (don't use electron, but it's everywhere! Nextcloud, mullvadVPN, Signal, Element, …)

        • Throwaway1234@sh.itjust.works · 7 months ago

          override removed packages on these images can neither be added back nor reset, an rpm-ostree bug/issue.

          Isn’t that supposed to work with BlueBuild (or any custom image tooling)?

          so I use Chromium which sucks a lot.

          You’re strong! I’ve been weak and have (instead) resorted to Librewolf. Initially, I had chosen to stick to Chromium. But, at least for now, I have to use Thunderbird anyways. So, might as well continue the use of Librewolf in the meantime.

          Also had my system not boot twice, because of shitty Lenovo firmware and then because of the iwlwifi firmware bug.

          I’ve also experienced some issues recently with boot times taking a lot more time than previously. But I’ve since changed some kernel arguments and it has been better since.

          At the beginning there was no flatpak support, then only with bubblewrap-suid which is controversial and podman is broken, luckily there are userns images now.

          This is indeed big; I wouldn’t have been able to make the switch without the userns images.

          The hack to use hardened_malloc on Flatpaks is also very nonstandard and electron apps do completely random things it seems (don't use electron, but it's everywhere! Nextcloud, mullvadVPN, Signal, Element, …)

          Thank you for your continued contributions and efforts that go into ever-improving secureblue!

          • Pantherina@feddit.de · 7 months ago (edited)

            Does Librewolf (RPM) work?

            I only know that Chromium browsers use userns or setuid namespaces to isolate tabs. This is not allowed by the flatpak seccomp filter (applied for all apps) which is why bubblejail is a thing. But bubblejail is veeeeery alpha, portals, theming, running random binaries etc all broken or difficult.

            Flatpak Chromium browsers use zypak instead, which will have a weaker seccomp filter than the tab sandbox in Chromium (because flatpak apps do more than browser tabs and there is only a single filter for them all).

            No idea about Firefox, they just support the flatpak without any mention of whether the sandboxing is better, worse, unaffected etc.

            Librewolf builds Firefox themselves; if they just add allow-replace-malloc or whatever it's called in their mozconfig it works with hardened_malloc. And I think that is the easiest solution. If they don't add that it should probably not launch. Flatpak works for some reason, probably because somehow it doesn't use hardened_malloc.

            • different name
            • already privacy optimized (only problematic if you need a vanilla profile)

            Tbh I want to compile Firefox and the kernel with -O4 as I have an x86_64-v4 CPU. They will not do that as people run old hardware.

            Thunderbird is the same, btw everything is built on the same codebase. My dream would be to build Firefox, Thunderbird and Torbrowser on COPR (or Github so the Fedora people don't kill me) with hardened configs.

            I’ve also experienced some issues recently with boot times taking a lot more time than previously.

            Longer than on vanilla fedora, or longer than before on secureblue? They distrust the hardware and generate random values as far as I understood, also use kernel lockdown mode. Those are important and increase boot times but not performance. Btw also if your CPU is affected by spectre/meltdown attacks it will automatically disable hyperthreading. Very cool karg that should totally be the default.

            Yeah secureblue is nice and very needed. Wanted to do something similar (as did a lot of other people) and found qoijjj's awesome groundwork. He invests hours in that project, look at the “secureblue Chromium vs Vanadium” table, it's crazy.
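The boot-time remark above (distrusting hardware, kernel lockdown, and a kernel argument that switches hyperthreading off when the CPU needs it) can be verified on a running system. The following is an added example, not code from the thread or from secureblue. The kernel parameter with that behaviour is `mitigations=auto,nosmt` (from the kernel's own parameter documentation); whether secureblue ships it is the poster's claim, which this code does not assume. It reads the standard files `/proc/cmdline`, `/sys/devices/system/cpu/smt/control` and `/sys/kernel/security/lockdown`.

```c
/* Added example (not from the thread): check whether "disable SMT if the CPU
 * is vulnerable" (mitigations=auto,nosmt) and kernel lockdown are in effect.
 * Paths are the standard /proc and /sys interfaces, nothing secureblue-specific. */
#include <stdio.h>
#include <string.h>

/* Return 1 if `cmdline` contains `karg` as a whole space-separated token.
 * A prefix match must not count: "mitigations=auto" is not "mitigations=auto,nosmt". */
int cmdline_has(const char *cmdline, const char *karg)
{
    size_t klen = strlen(karg);
    const char *p = cmdline;
    while (*p) {
        while (*p == ' ' || *p == '\n')
            p++;
        const char *start = p;
        while (*p && *p != ' ' && *p != '\n')
            p++;
        if ((size_t)(p - start) == klen && strncmp(start, karg, klen) == 0)
            return 1;
    }
    return 0;
}

/* Classify the contents of /sys/devices/system/cpu/smt/control
 * (documented values: on, off, forceoff, notsupported, notimplemented). */
const char *smt_verdict(const char *control)
{
    if (strcmp(control, "on") == 0)
        return "SMT enabled";
    if (strcmp(control, "off") == 0 || strcmp(control, "forceoff") == 0)
        return "SMT disabled";
    if (strcmp(control, "notsupported") == 0 || strcmp(control, "notimplemented") == 0)
        return "SMT not available on this CPU";
    return "SMT state unknown";
}

/* Extract the active mode from /sys/kernel/security/lockdown, which reads like
 * "none [integrity] confidentiality". Returns 0 and fills `out`, or -1 if absent. */
int lockdown_mode(const char *line, char *out, size_t n)
{
    const char *open = strchr(line, '[');
    const char *close = open ? strchr(open, ']') : NULL;
    if (!open || !close || (size_t)(close - open - 1) >= n)
        return -1;
    memcpy(out, open + 1, (size_t)(close - open - 1));
    out[close - open - 1] = '\0';
    return 0;
}

/* Read one line from a /proc or /sys file; returns -1 if it cannot be read. */
static int read_line(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    int ok = fgets(buf, (int)n, f) != NULL;
    fclose(f);
    if (!ok)
        return -1;
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

int main(void)
{
    char cmdline[4096], smt[64], lock[128], mode[32];
    if (read_line("/proc/cmdline", cmdline, sizeof cmdline) == 0)
        printf("mitigations=auto,nosmt on cmdline: %s\n",
               cmdline_has(cmdline, "mitigations=auto,nosmt") ? "yes" : "no");
    if (read_line("/sys/devices/system/cpu/smt/control", smt, sizeof smt) == 0)
        printf("smt/control = %s -> %s\n", smt, smt_verdict(smt));
    if (read_line("/sys/kernel/security/lockdown", lock, sizeof lock) == 0 &&
        lockdown_mode(lock, mode, sizeof mode) == 0)
        printf("kernel lockdown mode: %s\n", mode);
    return 0;
}
```

Seeing `mitigations=auto,nosmt` on the command line but `smt/control = on` is the normal result on a CPU that is not affected by the SMT-relevant issues; the argument only switches SMT off when a mitigation requires it. Only a `forceoff` or `off` reading together with the argument confirms that the kernel actually took the trade-off the post describes.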

            • Throwaway1234@sh.itjust.works · 7 months ago

              Does Librewolf (RPM) work?

              Have not tested it. I rely on the flatpak.

              I only know that Chromium browsers use userns or setuid namespaces to isolate tabs. This is not allowed by the flatpak seccomp filter (applied for all apps) which is why bubblejail is a thing. But bubblejail is veeeeery alpha, portals, theming, running random binaries etc all broken or difficult.

              Isn’t bubblejail mostly a frontend to bubblewrap? Therefore, is it perhaps possible that, if well-understood, reliance on bubblewrap instead should translate to a less buggy (but indeed harder) experience?

              Flatpak Chromium browsers use zypak instead, which will have a weaker seccomp filter than the tab sandbox in Chromium (because flatpak apps do more than browser tabs and there is only a single filter for them all).

              I’ve often heard that the flatpak Chromium browsers are (somehow) less secure, but never heard why that’s the case. Thank you for offering a very concise explanation on the matter!

              My dream would be to build Firefox, Thunderbird and Torbrowser on COPR (or Github so the Fedora people don't kill me) with hardened configs.

              WOW, that would be awesome! You’ve already found yourself a ‘client’/‘customer’ :P . And I’m sure that a lot of others would be interested as well.

              Longer than on vanilla fedora, or longer than before on secureblue?

              Yes. To be clear, it’s both longer than on vanilla Fedora Atomic and also longer than before on secureblue.

              as did a lot of other people

              Reminds me of this project, I wanted to wait until it stabilized…, but it never got that far 😅. But I hope its maintainer will join team secureblue, if they haven’t yet*.

              He invests hours in that project, look at the “secureblue Chromium vs Vanadium” table, it's crazy.

              For reference; WOW, we definitely can’t deny their commitment. I feel indebted. Perhaps I should support them 😅. Do you happen to know if there are any other channels besides Github to support them (and the project)?

              • Pantherina@feddit.de · 7 months ago (edited)

                Bubblejail allows you to create different seccomp filters per app. This means you can allow the browsers to create namespaces, which fixes that problem. There are tons of problems though.

                Yup, needed some time to understand that zypak thing too. I think it boils down to that issue, they will be okay but less secure than possible, so… why not use something else?

                Yeah there are a ton of hardening arguments. Currently I can't build that damn stuff anymore because somehow I have missing build deps that I have installed and added to my path 100%.

                In this repo I collect my mozconfig, and if everything goes well I will use github builder to make RPMs. That would be lit, because I would have all of them hardened, but for v3 and v4 optimized. Put in a directory, do some rpm repo magic and I have my own repo.

                Feel free to help me figure that stuff out. Librewolf has a nice build pipeline, I created a PR to just support replacing the malloc, that would be the easiest and best solution.

                Then fedora firefox and librewolf would allow that, only flathub firefox missing really. Replacing the malloc is a very unsupported case for flatpak though, as the apps should be OS-unspecific.
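The sandbox point made two posts up and again here (Chromium's first sandbox layer needs to create user namespaces, the single flatpak seccomp filter refuses that, and bubblejail's per-app filters can allow it) can be checked rather than taken on trust. The following is an added example, not code from the thread or from flatpak, bubblejail or Chromium. It attempts `unshare(CLONE_NEWUSER)` in a forked child and reports what the kernel answers; that a flatpak's filter answers EPERM is my understanding of that filter and an assumption about the environment you run it in, the code itself only reports.

```c
/* Added example (not from the thread): probe whether the current sandbox lets a
 * process create a new user namespace, the facility Chromium's layer-1 sandbox
 * relies on. Inside a Flatpak the app-wide seccomp filter is expected to deny
 * this with EPERM (assumption; the code reports whatever the kernel returns). */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000   /* value from <linux/sched.h>, in case sched.h hides it */
#endif

/* Sentinel results from probe_userns() that are not errno values. */
#define PROBE_KILLED   -1   /* child died from a signal, e.g. SIGSYS from a kill-style filter */
#define PROBE_FORK_ERR -2   /* fork() or waitpid() failed */

/* Try unshare(CLONE_NEWUSER) in a child so the caller's own namespace never
 * changes. Returns 0 if the kernel allowed it, the errno it refused with,
 * or a PROBE_* sentinel. The raw syscall avoids depending on feature macros. */
int probe_userns(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return PROBE_FORK_ERR;
    if (pid == 0) {
        if (syscall(SYS_unshare, CLONE_NEWUSER) == 0)
            _exit(0);
        _exit(errno & 0xff);   /* errno values fit in the 8-bit exit status */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return PROBE_FORK_ERR;
    if (WIFSIGNALED(status))
        return PROBE_KILLED;
    return WEXITSTATUS(status);
}

/* Turn a probe result into a verdict a person can act on. */
const char *describe_userns_result(int rc)
{
    switch (rc) {
    case 0:              return "allowed: unprivileged user namespaces are available";
    case EPERM:          return "denied with EPERM: blocked by seccomp filter or sysctl policy";
    case EINVAL:         return "denied with EINVAL: kernel built without CONFIG_USER_NS";
    case ENOSYS:         return "denied with ENOSYS: syscall unavailable";
    case EUSERS:
    case ENOSPC:         return "denied: user namespace limit reached (user.max_user_namespaces)";
    case PROBE_KILLED:   return "child killed: seccomp filter uses SIGSYS/KILL rather than an errno";
    case PROBE_FORK_ERR: return "probe failed: could not fork or wait";
    default:             return "denied with an unexpected errno";
    }
}

int main(void)
{
    int rc = probe_userns();
    printf("unshare(CLONE_NEWUSER): rc=%d -> %s\n", rc, describe_userns_result(rc));
    return 0;
}
```

Run it once on the host and once inside an application's sandbox (flatpak's `run --command=` option executes an arbitrary program inside an app's sandbox, so the binary has to sit somewhere that sandbox can see, for instance a path exported with a `--filesystem` override). The host should answer "allowed"; the flatpak run, if the filter behaves as described in the thread, answers EPERM, and a bubblejail profile that grants namespace creation would flip it back to "allowed", which is exactly the difference the posts are about.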

                • Throwaway1234@sh.itjust.works · 7 months ago (edited)

                  Librewolf has a nice build pipeline, I created a PR to just support replacing the malloc, that would be the easiest and best solution.

                  That’s very neat! Hopefully it comes through!

                  Then fedora firefox and librewolf would allow that, only flathub firefox missing really. Replacing the malloc is a very unsupported case for flatpak though, as the apps should be OS-unspecific.

                  But even with the ability to replace malloc, isn’t Firefox still vastly inferior compared to Chromium if security is desired? Or are they actually operating in close proximity of each other in terms of security features?

                  • Pantherina@feddit.de · 7 months ago

                    Arguable. Chromium is just horrible to use. No sync, that would require something NOT Brave or Vivaldi to step up. Floccus is overcomplicated, xbrowsersync unmaintained.

                    Firefox had core components rewritten in rust too.

                • Throwaway1234@sh.itjust.works · 7 months ago

                  Feel free to help me figure that stuff out.

                  Other commitments are too much right now. But thanks for the offer!

                  Librewolf has a nice build pipeline, there is a

                  Feels like you fell asleep while you were writing this and didn’t bother to finish it later on hahaha (or simply forgot).