this post was submitted on 04 Jan 2025
36 points (92.9% liked)

Linux

49069 readers
369 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
AgreeableLandscape@lemmy.ml
nooter692@lemmy.ml
MarcellusDrum@lemmy.ml
cypherpunks@lemmy.ml
cyclohexane@lemmy.ml
d3Xt3r@lemmy.nz
36
Does anybody in this sub using Fedora Secureblue? (discuss.tchncs.de)
submitted 2 weeks ago by chemicalwonka@discuss.tchncs.de to c/linux@lemmy.ml
29 comments fedilink hide all child comments
 

What is your opinion?

all 30 comments
sorted by: hot top controversial new old
[–] Guenther_Amanita@slrpnk.net 20 points 2 weeks ago* (last edited 2 weeks ago) (2 children)

I thought about rebasing from other uBlue-variants to it, but quickly disregarded the option for me.

Often, and in this case too, it's often a spectrum of compromises between convenience vs. security.

I personally, as a casual user, feel absolutely safe enough already with Fedora Atomic. It just works without any hassles, and with the stuff that comes with it (SELinux, containers, immutable base, etc.) I think I am mostly safe.

Secureblue on the other hand is pretty locked down, and as someone who isn't a professional Linuxer (™), I think fixing stuff is too hard (or annoying) for me, e.g. if KDE Connect can't find devices, because of some hardened network connection stuff or whatever. I just wanna watch YouTube and play some games, not having 30 tabs open because basic things don't work as I want.

I just want something that works ootb without any issues, and Secureblue just isn't it for me. I prefer Bluefin and Bazzite because of that.

Also, I've heard about the dev(s) and community being a bit toxic, or at least not being a pleasure to collaborate with. But I can't verify that.

[–] PullPantsUnsworn@lemmy.ml 14 points 2 weeks ago

This is why I like GrapheneOS on phone. It is hardened and secure, but never gets in the way of your work. Everything works as it should. Kicksecure is the closest on the desktop space, though Fedora is also reasonably secure.

[–] jamesbunagna@discuss.online 2 points 2 weeks ago

Also, I’ve heard about the dev(s) and community being a bit toxic, or at least not being a pleasure to collaborate with. But I can’t verify that.

FWIW, this hasn't been my own experience. If anything, it may give of some "know-better"-vibes like one might recognize from engaging with some of GrapheneOS' community members.

[–] jamesbunagna@discuss.online 13 points 2 weeks ago* (last edited 2 weeks ago) (2 children)

Does anybody in this sub using Fedora Secureblue?

I do. And have done so for almost a year now.

What is your opinion?

It's pretty neat. Though, don't expect to roll your way in without any troubles if you don't take the effort to read its documentation. Fedora Atomic already does things its own way. However, secureblue, by virtue of its superior security standard, adds its own set of 'rules' that one should abide. Personally, I absolutely love how this is enforced. But I can understand why it might be a bit overwhelming for those new on the block. But I have personally helped introduce relative newbs to secureblue and they managed (with some help). So you should be fine; their community on Discord also has been pretty helpful in my experience.

So, if your first priority for your desktop operating system is for it to be Linux-based and your second priority is that it's properly hardened, then you simply can't go wrong with secureblue.

I was about to write a long piece comparing different security-focused systems, but I retracted for the sake of brevity. Please feel free to ask a specific comparison if you will.

[–] wisha@lemmy.ml 3 points 2 weeks ago (2 children)

Looking at their features list...

  • Do you use GNOME? They disable GNOME extensions. Did you turn it back on?
  • Did you re-enable XWayland?
  • Do you use bubblejail?
[–] Neptr@lemmy.blahaj.zone 3 points 2 weeks ago (1 children)

I also experience with Secureblue, so here are my answers:

  • I used GNOME because it is the only DE that protects the screen copy API. I used GNOME extensions because native methods of customizing UI/UX are very limited.
  • I personally re-enabl Xwayland because many apps (eg Steam) still use/require XOrg.
  • Yes I recommend use and recommend Bubblejail as a simple way of sandboxing some apps. Not a "super tight" but much better than unsandboxed. FYI, AppImages don't work with Bubblejail, or Secureblue (cus they remove the unmaintained FUSE dependency).
[–] chemicalwonka@discuss.tchncs.de 1 points 1 week ago (2 children)

I can't use toolbox on my secureblue, it shows a message showing that it can't find podman version IDK what to do

[–] jamesbunagna@discuss.online 3 points 1 week ago (1 children)

Under the USERNS caption of the FAQ , there's a link to another entry. In there, you may find the following command: ujust toggle-container-domain-userns-creation. After invoking this, distrobox should at least start working.

[–] chemicalwonka@discuss.tchncs.de 2 points 1 week ago (1 children)

1000042775

[–] jamesbunagna@discuss.online 2 points 1 week ago

Try invoking ujust distrobox-assemble first. This command is also found on the FAQ page. Enter the container created through this method.

[–] Neptr@lemmy.blahaj.zone 1 points 1 week ago (2 children)

Are you on the userns image? Because podman/docker/toolbox/distrobox all require unprivileged user namespaces.

[–] jamesbunagna@discuss.online 1 points 1 week ago

FYI, the userns images have been (or are about to be) deprecated.

[–] chemicalwonka@discuss.tchncs.de 1 points 1 week ago

I just upgraded my Silverblue and tried to user toolbox and it didn't work. I'm testing on a kvm before install on my pc

[–] jamesbunagna@discuss.online 2 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

Do you use GNOME?

Yes, I do! I personally prefer GNOME over other DEs anyways, so I'm absolutely fine with that.

They disable GNOME extensions. Did you turn it back on?

They disable the installation of GNOME extensions by users. But, system-wide GNOME extensions are enabled by default. So, GNOME extensions that are found in Fedora's repositories can be installed right out of the box. Thankfully, all my extension needs are taken care of within the extensions found in Fedora's repositories. So, this doesn't constitute a limitation for me. Curiously, I've actually installed extensions through this method ever since I recognized how the other way wasn't remotely as secure. So this (relatively recent) change by secureblue to enforce it upon everyone (at least by default) came as a pleasant surprise.

Did you re-enable XWayland?

Nope. I initially had troubles with playing games through Wine. But I've learned how to use gamescope for that instead. Currently, I'm honestly unaware of anything I'd need XWayland for. Wayland development has definitely come a long way. And while I'm sure some systems and/or workflows don't play nice with it yet, for myself (pure) Wayland is all I need.

Do you use bubblejail?

Currently, I don't think I've got any use for it:

  • The only layered packages are the aforementioned GNOME extensions. I'm unaware if bubblejail can be used to sandbox these. But I'll look into it. Thanks for bringing this up!
  • My GUI apps are taken care of by Flatpak. Which, AFAIK, utilizes bubblewrap already for its sandboxing.
  • My CLI apps are taken care of by Linuxbrew. Perhaps these can be sandboxed using bubblejail, but I wouldn't even know. Thanks for reminding me of this (potential) blindspot!
[–] warmaster@lemmy.world 1 points 1 week ago* (last edited 1 week ago) (1 children)

Do you run Steam inside gamescope as well ? Their desktop app runs on xwayland, right ?

RE: CLI apps, I use brew on Bazzite, casks aren't supported on it. Does your setup support casks ?

[–] jamesbunagna@discuss.online 1 points 1 week ago* (last edited 1 week ago)

Do you run Steam inside gamescope as well ?

Nope I don't. But that's because running Steam isn't really a thing for me to begin with. I don't own my games through Steam aside from a couple that are only accessible through it. Whenever I need to play those, I access those through another system; be it another distro or (God forbid) M$. For the games I've played on secureblue, none of them were owned through Steam. Hence, running Steam inside gamescope has not been something I had to do yet. Unsure, if it even works as supposed.

Does your setup support casks ?

I actually don't know. It probably doesn't, though. EDIT: Found the following within Bluefin's documentation: "Note that the cask functionality in homebrew is MacOS specific and non functional in Bluefin, flatpak is used instead."

[–] biribiri11@lemmy.ml 3 points 1 week ago (2 children)

I think it’s worth giving the ycombinator post a read.

[–] warmaster@lemmy.world 3 points 1 week ago (1 children)

Holy shit. They tear it completely apart in one post. I guess I don't need to try it.

[–] jamesbunagna@discuss.online 4 points 1 week ago (1 children)

I was hoping that this reply wasn't needed 😅. In all fairness, some of the replies found on ycombinator definitely offer legitimate criticism. However, secureblue's dev team didn't just ignore all of that as they can be found discussing on the very same thread. Since then, they've actually implemented changes addressing these concerns. For example:

Trading off possible kernel bugs against letting a whole LOT of userspace software run with real root privilege. And flatpak is a lot of attack surface no matter how you run it, and the packages have a bad security reputation.

This was raised as a good objection to some of its design choices. This eventually lead secureblue's dev team to maintain twice as many images for the sake of offering images in which this was handled differently. And it didn't stop there, it has continued to output a lot of work addressing concerns both found on that thread and outside of it. Consider looking into its commit history. Heck, even some of the GrapheneOS-people have provided feedback on the project.

Of course, no one dares to claim it comes close to Qubes OS' security model. Nor is this within scope of the project. However, apart from that, I fail to name anything that's better. Kicksecure is cool, but they've deprecated Hardened Malloc; a security feature found on GrapheneOS and that has been heavily inspired by OpenBSD's malloc design. By contrast, secureblue hasn't abandoned it. Heck, it elevated its use by allowing it to be used with Flatpak; something that hasn't been done on any other distro yet. This is just one example in which the secureblue dev team and its various contributors have shown to be very competent when it comes to implementing changes that improve security beyond trivial checkboxes.

Peeps may name other hardening projects. But fact of the matter is that I'm unaware of another hardened Linux project that's quite as feature-rich:

  • Tails; cool project that does wonderful work against protecting one against forensics. But that's literally it. It's not even meant as a daily driver.
  • Whonix; developed somewhat together with Kicksecure, so this one actually has put in substantial work into hardening. But, again, not meant to be used as a daily driver.
  • Nix-mineral; cool project, but it's still alpha software by its own admission.
  • Spectrum OS; great idea, but it's not even out yet.

Please feel free to inform me if I've forgotten anything. So, basically, if you want a hardened daily driver for general computing, then one simply has to choose between Kicksecure and secureblue. I wish for both projects to flourish, but I've stuck with the latter for now.

[–] warmaster@lemmy.world 2 points 1 week ago (1 children)

Absolutely on point regarding alternatives. I tried Tails because I hate Windows on my work laptop, and it just sucks for anything you might want to do. Qubes is hard and inconvenient.

Do you think I could run secure blue from a USB drive?

[–] jamesbunagna@discuss.online 1 points 1 week ago

Do you think I could run secure blue from a USB drive?

I'm not sure if it's exactly the same, but Jorge Castro (one of uBlue's maintainers) showed how some uBlue projects (perhaps this also applies to secureblue) can be installed on an external drive. Perhaps it's worth a look: https://www.youtube.com/watch?v=5DRaYQ6hKU0

[–] Andromxda@lemmy.dbzer0.com 1 points 1 week ago

I don't think it is. The first comment (the one you're referring to I suppose) just doesn't make any sense. The commenter is throwing around random buzzwords trying to sound educated and asking incredibly stupid questions on purpose. It's not fair criticism of the project at all. The secureblue account also replied to this, clarifying the misinformation from the first comment.

[–] chemicalwonka@discuss.tchncs.de 2 points 1 week ago (1 children)

Thanks for sharing your opinions guys :)

[–] jamesbunagna@discuss.online 2 points 1 week ago (1 children)

Yo OP, did it work out in the end?

[–] chemicalwonka@discuss.tchncs.de 2 points 1 week ago (1 children)

I'm facing some problems but I'm using Secureblue as a host for my virtual machines

[–] jamesbunagna@discuss.online 2 points 1 week ago (1 children)

I hope at least the earlier problems with distrobox have been solved.

Is your intention to go in the direction of Qubes OS with extra steps?

[–] chemicalwonka@discuss.tchncs.de 2 points 1 week ago (2 children)

I've thought about it but I use VPN all the time, I don't know if I could use QubesOS with the VPN, I have no intention of using Tor

[–] jamesbunagna@discuss.online 2 points 1 week ago

Unfortunately, I've yet to experience Qubes OS myself. So I can't help you with that. Wish ya the best of luck though!