
Searching for a Linux distro

cross-posted from: https://lemmy.ml/post/12400033 (Thank you https://lemmy.ml/u/Kory !)

I first used Linux about 5 years ago (Ubuntu). Since then, I have tried quite a few distros:

Kali Linux (Use as a secondary)

Linux Mint (Used for a while)

Arch Linux (Could not install)

Tails (Use this often)

Qubes OS (Tried it twice, not ready yet)

Fedora (Current main)

For me, it has been incredibly difficult to find a properly privacy oriented Linux distro that also has ease of use. I really enjoy the GNOME desktop environment, and I am most familiar with Debian. My issue with Fedora is the lack of proper sandboxing, and it seems as though Qubes is the only one that really takes care in sandboxing apps.

Apologies if this is the wrong community for this question, I would be happy to move this post somewhere else. I've been anonymously viewing this community after the Rexodus, but this is my first time actually creating a post. Thank you!

UPDATE:

Thank you all so much for your feedback! The top recommended distro by far was SecureBlue, an atomic distro, so I will be trying that one. If that doesn't work, I may try other atomic distros such as Fedora Atomic or Fedora Silverblue (I may have made an error in my understanding of those two, please correct me if I did!). EndeavourOS was also highly recommended, so if I'm not a fan of atomic distros I will be using that. To @[email protected], your suggestion for Linux Mint Debian Edition with GNOME sounds like a dream, so I may use it as a secondary for my laptop. Thank you all again for your help and support, and I hope this helps someone else too!

55 comments
  • You could look into Atomic distros if you value sandboxing, such as Fedora Atomic or Vanilla OS. I don't know much about the debian space as Arch was my first distro so I kinda ran before I crawled.

    • Thank you! How are Atomic distros different from "regular" ones?

      • Pretty much that to be honest, so all of your apps are flatpaks. The base system is also kinda sandboxed, its access is prohibited and instead you employ "layering".

        I use Fedora Atomic on my desktop and laptop so I'll explain that one here. Atomic distros function off of Atomic transactions, which are a process form that can only successfully complete. If an Atomic transaction did fail, the entire transaction would be undone and reverted. This practically makes Atomic distros unbreakable. If an update fails, what update? Who said there was an update? No trace.

        Obviously you can change the base system, as flatpak isn't suitable for all apps. This is where that layering comes in I mentioned earlier. I use XFCE-Terminal, obviously not a great candidate for a flatpak. So to install a package normally (as if through DNF) you need to use a package manager that deals in Atomic. Fedora Atomic ships with their tool called rpm-ostree. I don't know quite how it works but I'm pretty sure it creates a branch of the current system (like Git) and installs the package there, then upon next boot you'll use the new branch and the old one discarded. Doing this means that if the package failed to install, your system is unchanged.

        Atomic distros are super cool and I can't imagine not using one. They do so much that should've been done a loooong time ago. I highly recommend them. I have an unpublished blog post about my experience using Fedora Atomic that I'm more than happy to post here if you'd like.

      • No, not sandboxing. They use something like Git or OS images for the OS updates. You could install only native packages and have a regular Fedora setup but with full transparency. The normal workflow is "keep your system clean, install flatpaks for GUI stuff and do random software dev, build environments, compiling etc in a Toolbox/Distrobox using a Podman container underneath".

        It's very easy to use and such a blessing. You NEVER need to reinstall a distro again.

  • I was going to bring up Kinoite, but others already brought up Fedora's atomic flavours in general. And since you like Gnome, you'll want Silverblue, not Kinoite.

    I would add that Endeavour makes setting Arch up much, much easier, and it became my personal main after I ditched Manjaro.

  • So I would like to ask a couple of questions:

    Qubes OS (Tried it twice, not ready yet)

    Is Qubes OS not ready yet for your intended workflow/usage? Or are you not ready to make the complete switch (yet)?

    For me, it has been incredibly difficult to find a properly privacy oriented Linux distro that also has ease of use.

    Unfortunately, in almost all cases, increased security/privacy is achieved through the loss of convenience. Therefore, you should ask yourself what the minimum level of security/privacy is that you absolutely require/need. How's your threat model defined (if at all)?

    My issue with Fedora is the lack of proper sandboxing, and it seems as though Qubes is the only one that really takes care in sandboxing apps.

    I agree that there's still a long road ahead until we have on Linux whatever is found on GrapheneOS or Qubes OS. I'm aware that you can technically utilize VMs on any distro, but the experience will not be as streamlined (nor as secure) as you may find on Qubes OS. But, Flatpak does offer some sandboxing. And while it may not be as powerful as you may want, and some apps may not utilize portals as they should. Still, it's definitely worthwhile and perhaps the best we've got currently. Furthermore, bubblejail allows you to (relatively easily) utilize (some of) the technology that's used to sandbox Flatpak apps for all your non-Flatpak apps. It can be found on Copr if you choose to stick to Fedora.

    On that note, the maintainers of the aforementioned Copr package have built an interesting project for those that seek security-focused (or simply hardened) images of Fedora Atomic; (aptly named) secureblue. It's still a relatively young project, but their innovations have definitely been noteworthy and it seems to have a bright future ahead.

    While we're in the vicinity of 'hardened-for-you'-distros, we should mention Kicksecure. By contrast, this is a well-established distro by the people that also develop Whonix.

    Without hearing your answers to my questions, I think these two are the primary candidates. Though sticking to Fedora ain't a bad choice either.
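
The Flatpak sandboxing caveat in the comment above can be checked per app. As an added example (not part of the thread or of any project mentioned in it), this Python sketch parses the keyfile-format permissions that `flatpak info --show-permissions <app-id>` prints and flags grants that open the sandbox; the sample manifest and the rule set are constructed for illustration.

```python
import configparser

# Constructed sample in the keyfile format printed by
# `flatpak info --show-permissions <app-id>`; the app is hypothetical.
SAMPLE = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=home:ro;xdg-download;!xdg-documents;

[Session Bus Policy]
org.freedesktop.Notifications=talk
org.freedesktop.Flatpak=talk
"""

# Example rule set (an assumption of this sketch, not an official Flatpak list).
RISKY_CONTEXT = {
    "filesystems": {"host": "whole host filesystem", "home": "entire home directory"},
    "sockets": {"x11": "X11 lets clients snoop on other windows",
                "session-bus": "unfiltered session bus",
                "system-bus": "unfiltered system bus"},
    "devices": {"all": "every device node"},
}
RISKY_BUS_NAMES = {"org.freedesktop.Flatpak": "can run commands on the host"}


def audit_permissions(text):
    """Return sorted (permission, reason) pairs that weaken the sandbox."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep D-Bus names case-sensitive
    parser.read_string(text)
    findings = []
    for key, rules in RISKY_CONTEXT.items():
        for entry in parser.get("Context", key, fallback="").split(";"):
            if not entry or entry.startswith("!"):  # "!" revokes a grant
                continue
            name, _, mode = entry.partition(":")  # e.g. "home:ro"
            if name in rules:
                note = " (read-only)" if mode == "ro" else ""
                findings.append((f"{key}={entry}", rules[name] + note))
    if parser.has_section("Session Bus Policy"):
        for bus_name, access in parser.items("Session Bus Policy"):
            if bus_name in RISKY_BUS_NAMES and access in ("talk", "own"):
                findings.append((f"{bus_name}={access}", RISKY_BUS_NAMES[bus_name]))
    return sorted(findings)


if __name__ == "__main__":
    for permission, reason in audit_permissions(SAMPLE):
        print(f"{permission:32} {reason}")
```
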

    • Great questions! I'll try to answer as best I can.

      Is Qubes OS not ready yet for your intended workflow/usage? Or are you not ready to make the complete switch (yet)?

      Qubes OS has a very steep learning curve due to its difficult usability, so the answer would be "both". I am willing to tackle and overcome, but I'm not ready to put in that work yet, if at all.

      Unfortunately, in almost all cases, increased security/privacy is achieved through the loss of convenience. Therefore, you should ask yourself what the minimum level of security/privacy is that you absolutely require/need. How’s your threat model defined (if at all)?

      I have a really funny story regarding threat models. When I first got into privacy 2-3 years ago, I had the goal of getting as deep as I could (the "strictest threat model possible") and work backwards to find out what I was willing to allow. I succeeded, but because I had gone too deep before I learned what a threat model was, I never made a clear threat model. I have a "subconscious" threat model. I have, over the past week, started working on answering the classic questions. I am trying to protect against "evil" corporations, and such, I must also protect myself against some low level government threats. My threat model "philosophy" is: I will not use a piece of software if it actively goes against me in terms of privacy. Windows, for example, is a pain to try to use while maintaining privacy.

      You are the third person to recommend SecureBlue (I've been keeping track), and since it is a "Fedora Atomic spin" (Fedora Atomic as well as Atomic distros in general were also recommended three times each), I believe I will switch to it to see how it is. By the way, I love the mention of GrapheneOS, since that will eventually (finances be blessed) be my main mobile OS for the rest of my life. I wish there was a true "Linux alternative to GrapheneOS".

      • Thank you for your elaborate answers!

        Qubes OS has a very steep learning curve due to its difficult usability, so the answer would be “both”. I am willing to tackle and overcome, but I’m not ready to put in that work yet, if at all.

        Qubes OS is definitely more involved than the average distro, so I can understand why you feel that way.

        I have a really funny story regarding threat models. When I first got into privacy 2-3 years ago, I had the goal of getting as deep as I could (the “strictest threat model possible”) and work backwards to find out what I was willing to allow.

        Hahaha 🤣, very relatable; I almost wanted to learn SELinux for hardening purposes. Thankfully, Qubes OS exists as my endgame, which deterred (most of) the motivation (and need) to comprehend SELinux in the first place.

        I have a “subconscious” threat model. I have, over the past week, started working on answering the classic questions. I am trying to protect against “evil” corporations, and such, I must also protect myself against some low level government threats. My threat model “philosophy” is: I will not use a piece of software if it actively goes against me in terms of privacy. Windows, for example, is a pain to try to use while maintaining privacy.

        We can work with that, though I kindly implore you to further work out your threat model. It will(/should) give you some peace of mind (or at least a security/privacy roadmap on which you can (slowly but steadily) work towards). If I would have to distill your philosophy, it would be something like "be protected from attacks targeted towards low(er) hanging fruit". Would that be fair?

        You are the third person to recommend SecureBlue (I’ve been keeping track), and since it is a “Fedora Atomic spin” (Fedora Atomic as well as Atomic distros in general were also recommended three times each), I believe I will switch to it to see how it is.

        Great choice! FWIW, I've also been on it for a couple of weeks now and I've really been enjoying it. Before, I had my own custom image that was built using the (legacy-)template from uBlue. I tried to harden it myself 😅, and I would argue I did and achieved some cool stuff with it. But, it's very clear that my technical knowledge doesn't even come close to that of secureblue's maintainers. I just wish I had rebased earlier 😅.

        By the way, I love the mention of GrapheneOS, since that will eventually (finances be blessed) be my main mobile OS

        I definitely agree with that sentiment. Btw, FWIW, I know for a fact that at least one individual that's associated with GrapheneOS has 'contributed' to secureblue.

        I wish there was a true “Linux alternative to GrapheneOS”.

        Hehe, without going into what that actually means and would entail, I agree 😜.

  • Since you have already used some distros, and aren't the "normal" case, I can't send you a link to my "Distros for noobs"-post I normally send to those questions.

    I think you would benefit from image based distros, especially Fedora Atomic. Here's a link to my post explaining immutable distros: https://feddit.de/post/8234416

    What comes to my mind in your case is Secureblue.
    It's a Fedora Atomic spin that's focused on security and privacy, which has many hardening-tweaks applied, e.g. better sandboxing, memory allocator and a hardened kernel. It also offers Gnome as DE and still allows you to enjoy most freedoms other distros have.

    Definitely check that out!

  • Qubes and openSUSE are great for any VM needs. Not sure what the issue with privacy is exactly; you can pretty much reconfigure any distro to be oriented the way you want it.

  • Be aware that secureblue is very secure!

    Some kernel arguments may break boot (already have in the past) because of weird firmware and Fedora not testing their kernel with those kargs.

    Strange things may happen with Electron apps (for me it's fine) and you might miss Firefox lol.

  • If you like the idea of Qubes OS and Tails, maybe Whonix has something similar to offer: https://www.whonix.org/wiki/Features

    • I've looked into Whonix in the past, as Qubes OS is one of the host operating systems for it. I plan to try Whonix when they release their own independent ISO that is under works right now. Thank you for your suggestion!

  • @Charger8232 TROMjaro is a trade-free Linux distro. Meaning you do not have to trade your data, attention, or currency in order to use it and its apps. meaning, no ads, no bs free trials, no data collection and all of that crap. We also have over 700 curated trade-free apps at www.tromjaro.com/apps/ that you can install directly from the website.

    We have a trade-free VPN, and a content blocker in order to stop the ads and tracking system wide.

    On top of this TROMjaro is super easy to use and easy to customize. Please see the homepage www.tromjaro.com

  • For me, it has been incredibly difficult to find a properly privacy oriented Linux distro that also has ease of use.

    First of all, most distros already offer adequate privacy. It'll always beat Windows or MacOS—that's for sure.

    Second, ease of use and privacy don't go hand in hand. The more privacy you want the harder it gets to use. The reason I emphasised privacy is because it's more anonymity at that point.

    What is it you want? If it's privacy you're after you can't go wrong with most distros and using FOSS. If it's anonymity be prepared to make a ton of sacrifices. Have fun putting your laptop in a Faraday bag, routing all your traffic through Tor, visiting eepsites, disconnecting your webcam and microphone, only wiring money with Monero, and so forth.

    My point is, there is no best of both worlds.
