IIRC, it stops working whenever you disable JavaScript.

I think we’ve probably already spoken on the matter.

That’s definitely possible. Unfortunately, I don’t recall it 😅.

Indeed, Lemmy has a serious dearth of users interested and using secure distros over the averages.

It’s definitely better at this than the platform that starts with an “R” and rhymes with “shit”.

Thanks for your efforts; I do not know how to follow users on Lemmy but if I did I’d follow you. Do you have a blog/any other forum you’re more active on?

That’s such a compliment. This is definitely one of the nicest things I’ve read on Lemmy. I really appreciate it.

Unfortunately, I’m only somewhat active on Lemmy. FWIW, consider checking out the following places if you haven’t yet:

• dataswamp.org/~solene
• privsec.dev
• tech.michaelaltfield.net/

And, of course, Qubes OS’ forums.

Personally, I find it difficult to justify the time to learn Secureblue (especially the immutable part) or NixOS on Qubes because custom DispVMs with curated salt states work so well already. I’m interested in use-cases that will improve my security but I haven’t found any dialogue on this yet. If you do have opinions on this and know where I can look, I would greatly appreciate it!

As I’ve previously alluded to, I don’t have any hands-on experience with Qubes OS yet. So, I don’t think I can contribute meaningfully in this discussion. However, IIRC, there are some discussions found on the forums/discussions page for Qubes OS.

Aight. I’m glad to hear that that has been resolved. I’d love to hear about your experiences on secureblue, so consider to report back. Finally, note that as a hardened distro, some things might work differently from what you’d expect. So be prepared to relearn a thing or two 😉.

Currently I got no time to go over this in more length. So apologies*. However, I still want to offer/provide a brief and concise answer. I will (hopefully tomorrow) return at this in more length.

Now i already setup my container & install some packages in it but the shortcut is missing from application launcher (a.k.a start menu), how i can link the shortcut from package inside toolbox to host application launcher ?

Short answer is that Toolbx for a long time (and perhaps still) didn’t really support this feature. Sure, you could make it work, but it was a bit hacky. If this is a concern of yours, consider switching over to Distrobox. With distrobox, it’s as easy as (while inside the container) distrobox-export --app <name app>. I will return at this tomorrow with the Toolbx way to do the same. I will also explore how Distrobox fares compared to Toolbx etc.

If i made a file (ex text file) from inside container will it show in Home directory ?

Yes if you’ve saved it in the Home directory to begin with.

If something crashed inside container will it also crashed my host system ?

Nope.

Why some packages doesn’t work inside container like Wine, Lutris, or Bottles ?

Interesting. I don’t recall ever experiencing problems with either Wine or Lutris inside a Toolbx/Distrobox container. I’m also confident that Bottles should work.

Does it’s need special dependencies to make it work ?

This is definitely something that might be at play. Consider reporting the terminal output whenever you try to work with Wine, Lutris and Bottles.

Furthermore, expect some containerized solutions tomorrow for these 😉.

Can packages that modifying system (ex green tunnel, vmware, or QEMU, & hblock ) work fine ?

I’m not familiar with all of them. Though, you may expect troubles. I do recall I had to resort to rpm-ostree in order to make QEMU work. However, it’s a fast moving space, so I wouldn’t be surprised if Toolbx/Distrobox-based solutions exist for this. For example, since relatively recently, it has been possible to have a functioning Waydroid within Distrobox. I will also more exhaustively go over this matter tomorrow.

Whonix is an OS exclusively meant to be used within a VM; at least, until Whonix-Host is released. Therefore, I didn’t include it as it’s not actually competing within the same space; as it can be run on any of the aforementioned systems within a VM. Finally, it’s worth noting that by its own documentation, it’s desirable to do so with Qubes OS.

Please allow me to link to an earlier comment of mine that goes over this in more length. You may also find it copied-and-pasted down below:

First of all, apologies for delaying this answer.

Disclaimer:

• I’m not an expert. While I try to verify information and only accept it accordingly, I’m still human. Thus, some falsehoods may have slipped through, my memory may have failed me, and/or what’s found below could be based on outdated data.
• Additionally, I should note that I’m a huge nerd when it comes to ‘immutable’ distros. As a result, I’m very much biased towards secureblue, even if Kicksecure were to address all of their ‘issues’.
• Furthermore, for the sake of brevity, I’ve chosen to stick closely to the OOTB experience. At times, I may have diverged with Qubes OS, but Qubes OS is so far ahead of the others that it’s in a league of its own.
• Finally, it’s important to mention that -ultimately- these three systems are Linux’ finest when it comes to security. In a sense, they’re all winners, each with its use cases based on hardware specifications, threat models, and priorities. However, if forced to rank them, I would order them as:

Qubes OS >> secureblue >~ Kicksecure

Context: Answering this question puts me in a genuinely conflicted position 😅. I have immense respect for the Kicksecure project, its maintainers and/or developers. Their contributions have been invaluable, inspiring many others to pursue similar goals. Unsurprisingly, some of their work is also found in secureblue. So, to me, it feels unappreciative and/or ungrateful to criticize them beyond what I’ve already done. However, I will honor your request for the sake of providing a comprehensive and balanced perspective on the project’s current state and potential areas for improvement.

Considerations: It’s important to approach this critique with nuance. Kicksecure has been around for over a decade, and their initial decisions likely made the most sense when they started. However, the Linux ecosystem has changed dramatically over the last few years, causing some of their choices to age less gracefully. Unfortunately, like most similar projects, there’s insufficient manpower to retroactively redo some of their earlier work. Consequently, many current decisions might be made for pragmatic rather than idealistic reasons. Note that the criticisms raised below lean more towards the idealistic side. If resources allowed, I wouldn’t be surprised if the team would love to address these issues. Finally, it’s worth noting that the project has sound justifications for their decisions. It’s simply not all black and white.

With that out of the way, here’s my additional criticism along with comparisons to Qubes OS and secureblue:

• Late adoption of beneficial security technologies: Being tied to Debian, while sensible in 2012, now presents a major handicap. Kicksecure is often late to adopt new technologies beneficial for security, such as PipeWire and Wayland. While well-tested products are preferred for security-sensitive systems, PulseAudio and X11 have significant exploits that are absent from PipeWire and Wayland by design. In this case, preferring the known threat over the unproven one is questionable.
  • Qubes OS: Its superior security model makes direct comparisons difficult. However, FWIW, Qubes OS defaults for its VMs to Debian and Fedora. The latter of which is known to push new technologies and adopt them first.
  • secureblue: Based on Fedora Atomic, therefore it also receives these new technologies first.
• Lack of progress towards a stateless^[1] system: Stateless systems improve security by reducing the attack surface and making the system more predictable and easier to verify. They minimize persistent changes, impeding malware’s ability to maintain a foothold and simplifying system recovery after potential compromises. While this is still relatively unexplored territory, NixOS’s impermanence module is a prominent example.
  • Qubes OS: There’s a community-driven step-by-step guide for achieving this.
  • secureblue: Based on Fedora Atomic, which has prioritized combating state since its inception^[2]. Its immutable design inherently constrains state compared to traditional distros, with ongoing development promising further improvements.
• Deprecation of hardened_malloc: This security feature, found in GrapheneOS, was long championed by Kicksecure for Linux on desktop. However, they’ve recently chosen to deprecate it.
  • Qubes OS: Supports VMs with hardened_malloc enabled OOTB, for which Kicksecure used to be a great candidate.
  • secureblue: Continues to support hardened_malloc and has innovatively extended its use to flatpaks.

1. This paper provides a comprehensive (albeit slightly outdated) exposition on the matter. Note that it covers more than just this topic, so focus on the relevant parts.
2. Colin Walters, a key figure behind Fedora CoreOS and Fedora Atomic, has written an excellent blog post discussing ‘state’.

What are the main advantages of using this, that make it more secure?

More secure compared to your average distro? Or more secure compared to a specific set of distros? Unless, this is properly specified, this comment could become very unwieldy 😅.

Thanks in advance for specifying!

I daily drive secureblue; or, to be more precise, its bluefin-main-userns-hardened image.

“Why?”, you ask. Because security is my number one priority.

I dismiss other often mentioned hardened systems for the following reasons:

• Qubes OS; my laptop doesn’t satisfy its hardware requirements. Otherwise, this would have been my daily driver.
• Kicksecure; primary reason would be how it’s dependent on backports for security updates.
• Tails; while excellent for protection against forensics, its security model is far from impressive otherwise. It’s not really meant as a daily driver for general use anyways.
• Spectrum OS; heavily inspired by Qubes OS and NixOS, which is a big W. Unfortunately, it’s not ready yet.

Nix, the package manager, is distro-agnostic. Add Home Manager on top of it and you’re good to go; both packages and dotfiles are dealt with.

I could probably summarize your experience as “skill issue”.

I don’t understand the hype of immutables, or usability even.

I suppose this article/blogpost by Lennart Poettering should suffice. Though, this article/blogpost by Colin Walters is also cool.

I tried Bazzite today after Nobara nuked itself, and I couldn’t even paste my old Firefox profile since the actual folder apparently sits within the immutable folder structure.

This is simply false as pointed out by others already.

I didn’t even have time to reach the software limitations with how fast I tried the next distro.

You will have a very hard time on Linux with that mindset. And, to be honest, literally any OS you aren’t already familiar with.

Still hopping though, because apparently Fedora just nukes itself when you try to install codecs

I wouldn’t be surprised if you just searched this through your favorite search engine and settled with whatever random solution you came across instead of relying upon RPM Fusion’s documentation on the matter.

and I think I have about every major distro tested by now.

While this could be true, I wonder what prevented you from sticking with any one of them.

Linux is cursed.

It’s definitely a lot harder if you’ve got major skill issues.

Thanks for clarifying!

IMO immutable distros aren’t a best fit for a desktop computer. It can do so much more than gaming and turning it into a dedicated console is a step back if a normal linux distro can do just as well.

I would personally nuance this to: “Current iterations of ‘immutable distros’ that have evolved from traditional distros haven’t matured sufficiently yet to tackle 99.99% of the use cases ‘easily’.” The exact number on the percentage I don’t know. I believe most people that use their PCs as a glorified app launcher should be more than fine. But we start experiencing major difficulties the very moment that (a)kmods are involved; some of which are ‘supported’~ish, while others certainly aren’t.

But, I simply fail to see why a future iteration would not be able to solve related issues.

Those definitely amount to a major difference. Thanks for clarifying!

Thank you. This does give an idea.

It has been my pleasure.

Follow up question : Is Arch really that good?

Depends entirely on your needs. There is a use case for Arch. However, if you’re completely new to Linux, then it’s very likely that a ‘slower’-moving distro (like (anything based on) Debian (or Ubuntu)) might better suit you.

Wait for Ubuntu Core Desktop to come out.

It’s a steering wheel driver.

Could you perhaps be more precise? Is it a specific one? Or are there a multitude of steering wheel drivers that satisfy your needs?

And virtualbox.

Do you specifically need VirtualBox? Or would Qemu/KVM satisfy your needs?

IIRC VirtualBox requires kernel mods. Therefore, you would have to create your own images 😅 in which said kernel mod is included. FWIW, both uBlue’s templates and BlueBuild do a wonderful job at streamlining this process.

Or…, as alluded before, you don’t necessarily need VirtualBox. But, instead, Qemu/KVM perfectly satisfy your needs. Then, you can just run ujust setup-virtualization. After which you reboot, and you would be good to go.

What’s preventing you to install that single package through rpm-ostree?

Unsurprisingly, usage numbers for distros are hard to get due to lack of telemetry and what not.

However, some measurements do exist; like data from ProtonDB. These are used by Boiling Steam for their excellent reports in which some representation regarding usage across distros can be found. Their most recent report can be found here.

Note, however, that the following, as has been excellently touched upon by Boiling Steam, applies:

COMMON MISCONCEPTIONS

Since we hear some of the following comments EVERY SINGLE TIME, let’s address them here and now:

• “Duh, it’s not representative of Linux usage in general!”: And nowhere does it claim to be. As often as possible we make it clear this is Linux usage in a gaming context. The usage of Debian and Ubuntu on servers is safe for now, no need to panic.

They offer ovpn configs that I can just add to the Network Manager, but a part of me doesn’t want to give up!

Does running the .run script do substantially and functionally more than putting the ovpn configs in Network Manager?

I’ll be back the moment Wayland works better.

You mentioned in a comment that you used Arch, Debian and EndeavourOS. Though, historically, Wayland has been adopted first on Fedora. Therefore, I wonder if underutilizing Fedora (and/or derivatives like Bazzite/Nobara) might have been the main culprit in this case.

Been trying for days to install Private Internet Access’s client in a custom Bazzite image, but it’s slow-going to troubleshoot each failure to build, and I feel like I’m fighting GitHub more than the install script.

Have you contacted the Discord servers for Bazzite/uBlue and/or BlueBuild in hopes of resolving the issue?

They’re cool and very much willing to help out. They solved my issues a bunch of times with my own custom image. Perhaps, they are even capable of offering a solution to resolve the problem without requiring a custom image.

Wish ya good luck!