this post was submitted on 04 Jan 2025
34 points (90.5% liked)


What is your opinion?

[–] biribiri11@lemmy.ml 4 points 2 days ago (1 children)

I think it’s worth giving the ycombinator post a read.

[–] warmaster@lemmy.world 3 points 1 day ago (1 children)

Holy shit. They tear it completely apart in one post. I guess I don't need to try it.

[–] jamesbunagna@discuss.online 4 points 1 day ago

I was hoping that this reply wasn't needed 😅. In all fairness, some of the replies found on ycombinator definitely offer legitimate criticism. However, secureblue's dev team didn't just ignore all of that as they can be found discussing on the very same thread. Since then, they've actually implemented changes addressing these concerns. For example:

> Trading off possible kernel bugs against letting a whole LOT of userspace software run with real root privilege. And flatpak is a lot of attack surface no matter how you run it, and the packages have a bad security reputation.

This was raised as a good objection to some of its design choices. This eventually led secureblue's dev team to maintain twice as many images for the sake of offering images in which this was handled differently. And it didn't stop there, it has continued to output a lot of work addressing concerns both found on that thread and outside of it. Consider looking into its commit history. Heck, even some of the GrapheneOS-people have provided feedback on the project.

Of course, no one dares to claim it comes close to Qubes OS' security model. Nor is this within scope of the project. However, apart from that, I fail to name anything that's better. Kicksecure is cool, but they've deprecated Hardened Malloc; a security feature found on GrapheneOS and that has been heavily inspired by OpenBSD's malloc design. By contrast, secureblue hasn't abandoned it. Heck, it elevated its use by allowing it to be used with Flatpak; something that hasn't been done on any other distro yet. This is just one example in which the secureblue dev team and its various contributors have shown to be very competent when it comes to implementing changes that improve security beyond trivial checkboxes.

Peeps may name other hardening projects. But the fact of the matter is that I'm unaware of another hardened Linux project that's quite as feature-rich:

  • Tails; cool project that does wonderful work protecting one against forensics. But that's literally it. It's not even meant as a daily driver.
  • Whonix; developed somewhat together with Kicksecure, so this one actually has put in substantial work into hardening. But, again, not meant to be used as a daily driver.
  • Nix-mineral; cool project, but it's still alpha software by its own admission.
  • Spectrum OS; great idea, but it's not even out yet.

Please feel free to inform me if I've forgotten anything. So, basically, if you want a hardened daily driver for general computing, then one simply has to choose between Kicksecure and secureblue. I wish for both projects to flourish, but I've stuck with the latter for now.