• 2 Posts
  • 11 Comments
Joined 3 months ago
Cake day: December 19th, 2024



  • Not the one you asked, but please allow me to give my take on the matter.

    Do you know if you can still do everything with it? Like atomic already has its own limitations and quirks. I can imagine there are bigger limitations with this.

    Being derived from Fedora Atomic, it already comes with its own set of limitations; like being limited in which kernel mods you can make use of (without reinventing the wheel), or how UKI is unsupported, or how you should probably create your own image if you want to populate /usr. You can’t even install software from any repository; e.g. installing the ProtonVPN RPM has been hit or miss for me.

    And, on top of this, secureblue’s hardening does (strictly) limit this even further. Most impactful, so far, would be the inability to use sudo or anything like it. Instead, run0 is suggested. I’m 100% sure that run0 is better. However, I’ve had at least 1 occasion on which the software doesn’t know how to properly interact in this setting. Ultimately, I’d have to put the blame on the software that doesn’t properly support run0. And, perhaps, you could help address the issue by opening a bug report related to it. But it’s definitely something to keep in mind.

    Finally, note that on first setup you’re walked through the many different additional hardening measures that can be reverted based on your needs. Just be aware of that fact.

    Like can you install driver-level stuff like tablet drivers

    Maybe. Depends on what exactly it is.

    GPU/CPU control

    I have.

    udev rules

    Shouldn’t be a problem either.

    etc… I guess I don’t really know the implications of the extra hardening.

    If you’re interested, I suppose the best course of action would be to find a secondary device of yours and set it up to your heart’s content with secureblue. Whenever you face a roadblock, consider paying a visit to their discord server for support; they’ve been a great help so far. If, at some point, you find something you absolutely can’t do, then you’d have to make up your mind on what you deem more important. Wish ya the best of luck!


  • To add onto what N.E.P.T.R said, it is technically possible to make a custom amalgamation of Bazzite with secureblue’s hardening. However, it would be neither here nor there. Some discussion of it can be found here. IIRC, it was ultimately deemed counter-intuitive as a gaming-distro inherently conflicts with a hardened one.

    Finally, we shouldn’t disregard the technical part of this; it’s IIRC one of the reasons why the Bluefin-variants of secureblue were eventually disbanded. It frequently had a lot of interesting bugs that were simply not present on other secureblue-images. This isn’t on Bluefin either, as the non-hardened edition worked as you’d expect.



  • Thank you for chiming in and providing your thoughts!

    While we’re at it, I absolutely appreciate your work. Wonderful stuff! Thank you from the bottom of my heart!

    UKI is something we very much want to do in the future, but it’s a long-term goal

    That’s lovely to hear!

    As far as replacing the init system, I think even in traditional Fedora that would be extremely challenging, but it could probably be done as a custom image.

    Aight. I’ll change the list then. Thank you for enlightening me on this. The feasibility as a custom image is really encouraging; perhaps I’ll give it a go 😜.


  • Bazzite seemed much closer to being truly immutable

    If you meant that it’s even harder to tinker/change/configure etc compared to SteamOS, then I’d like to inform you that this is false. Fedora Atomic, and thus Bazzite, facilitates quite a lot actually. Of course, it’s not as moldable as say Arch or Gentoo. To illustrate this, I won’t bother you with all the things it can do. Because that would take a while. Instead, I’ll only focus on the things it actually cannot do. Off the top of my head, the following comes to mind:

    • Rip systemd out and replace it with another init, but I’m unaware if traditional Fedora even facilitates this to begin with. Bazzite’s founder came by and corrected me on this. Even this is probably possible as a custom image.
    • UKI
    • Set up systemd-boot (or any other bootloader) instead of GRUB
    • Kmods can be hit or miss; what’s found here is accessible. What remains can be very finicky.
    • 3rd party repositories can be hit or miss; for example, both Terra and Tailscale work, but e.g. ProtonVPN may not.