Throwaway1234

joined 9 months ago
Throwaway1234 1 points 9 months ago

This looks awesome, but it only works for Fedora based distros, right?

Currently, it's indeed only for Fedora based distros. But there already have been efforts to make it work with Vanilla OS. And I assume that similar endeavors might occur if other image-based distros are provided. I wonder if such efforts are in the works for blendOS (an atomic distro based on Arch).

I want to make my own Arch ISO, all I found are very complicated stuff.

I don't know what your exact use case or intended usage of it will be. But, perhaps, penguins-eggs is what you're looking for.

Throwaway1234 1 points 9 months ago (16 children)

Does Librewolf (RPM) work?

Have not tested it. I rely on the flatpak.

I only know that Chromium browsers use userns or setuid namespaces to isolate tabs. This is not allowed by the flatpak seccomp filter (applied for all apps) which is why bubblejail is a thing. But bubblejail is veeeeery alpha, portals, theming, running random binaries etc all broken or difficult.

Isn't bubblejail mostly a frontend to bubblewrap? Therefore, is it perhaps possible that, if well-understood, reliance on bubblewrap instead should translate to a less buggy (but indeed harder) experience?

Flatpak Chromium browsers use zypak instead, which will have a weaker seccomp filter than the tab sandbox in Chromium (because flatpak apps do more than browser tabs and there is only a single filter for them all).

I've often heard that the flatpak Chromium browsers are (somehow) less secure, but never heard why that's the case. Thank you for offering a very concise explanation on the matter!

My dream would be to build Firefox, Thunderbird and Torbrowser on COPR (or Github so the Fedora people don't kill me) with hardened configs.

WOW, that would be awesome! You've already found yourself a 'client'/'customer' :P . And I'm sure that a lot of others would be interested as well.

Longer than on vanilla fedora, or longer than before on secureblue?

Yes. To be clear, it's both longer than on vanilla Fedora Atomic and also longer than before on secureblue.

as did a lot of other people

Reminds me of this project, I wanted to wait until it stabilized..., but it never got that far 😅. But I hope its maintainer will join team secureblue, if they haven't yet*.

He invests hours in that project, look at the “secureblue Chromium vs Vanadium” table, it's crazy.

For reference; WOW, we definitely can't deny their commitment. I feel indebted. Perhaps I should support them 😅. Do you happen to know if there are any other channels besides Github to support them (and the project)?

Throwaway1234 2 points 9 months ago (12 children)

My number one enemy (like most) is Google. I have been completely Google free for 1-2 years now (with the exception of YouTube on iOS, as the alternatives ultimately require a Mac to install, which I don’t have), but I haven’t used Google as a search engine in over 4 years. Besides trying to give as little information as possible

...

I also try to give as little information to other companies (Microsoft, etc.) as I can. Now, certain authorities have the permission to request data from companies, not just privacy disrespecting ones. That means that part of my threat model entails certain defenses against such agencies, to make it hard enough to correlate that data with my person. I don’t go overboard, in case anyone is worried. I’ve seen the bondage between paranoia and privacy, and I’ve set myself clear boundaries I won’t cross. So, my main goal is to protect against companies trying to collect my data (bleh, how cliche), but it doesn’t hurt to put in place some decent practices in case the world turns for the worst. I am protecting against attacks from the government towards low hanging fruit, but when it comes to large corporations, I don’t play nice.

Thank you for the elaborate clarification! But, perhaps I have to clarify as well; with "be protected from attacks targeted towards low(er) hanging fruit”, I actually meant any mass-surveillance, data collection and plain attacks from governments, corporations and adversaries that don't qualify as a (more sophisticated) targeted attack.

SecureBlue (Soon!)

Great pick! 🤣

ProtonVPN on all devices 24/7 except when using Tor (for speed)

I don't know the complete specifics of your threat model, but if you haven't yet, then perhaps it's worth reviewing what Privacy Guides has to say on this. Note, I don't necessarily view them as the de facto authority, but more often than not, their views hold more truth than falsehood.

or large downloads/torrents

Valid reason to (momentarily) not use Tor, but please consider to review Proton VPN on port forwarding in hopes of alleviating the issue of speed without foregoing the VPN connection.

(may look into Mullvad VPN)

Unfortunately, at least for torrents, you're no longer able to rely on Mullvad VPN.

Firefox for streaming some videos that require a specific DNS configuration (Soon looking into how to put an extreme sandbox on it)

Easiest (and also one of the best options) is probably the use of a VM 😅.

ProtonMail + Anonaddy, use disposable emails for accounts that “don’t matter”

FWIW, since SimpleLogin has been acquired by Proton, there is merit in forsaking Anonaddy for SimpleLogin if decreasing the amount of trusted parties is desired. However, this comes at the cost of moving more into the direction of putting all your eggs in one basket. So, ultimately, it's your choice to make.

Very, very strong and unique passwords + 2FA/FIDO for everything applicable

I hope an offline password manager is involved to some capacity. FWIW, if you're not doing it yet, you can always uniquely 'salt' every password.

Signal as my main messenger (to help bridge the gap for my friends) until GrapheneOS, then SimpleX (Please take a look at https://privacyspreadsheet.com/messaging-apps !)

I like that SimpleX is less platform-dependent. But it has been hard to let go of Briar. Do you happen to know how they currently fare against each other in security/privacy features (beyond what's found on the linked spreadsheet)? FWIW, IT security expert Mike Kuketz' review of SimpleX wasn't quite raving. Which is in clear contrast to his review on Briar. Of course, substantial time has passed since, but his 'non-approval' is something that's bothering me.

Bitwarden as my password manager until GrapheneOS, then KeePass

Ah, we've found the password manager, KeePass (be it DX/XC) is indeed excellent.

Throwaway1234 1 points 9 months ago (18 children)

override removed packages on these images can neither be added back nor reset, an rpm-ostree bug/issue.

Isn't that supposed to work with BlueBuild (or any custom image tooling)?

so I use Chromium which sucks a lot.

You're strong! I've been weak and have (instead) resorted to Librewolf. Initially, I had chosen to stick to Chromium. But, at least for now, I have to use Thunderbird anyways. So, might as well continue the use of Librewolf in the meantime.

Also had my system not boot twice, because of shitty Lenovo firmware and then because of the iwlwifi firmware bug.

I've also experienced some issues recently with boot times taking a lot more time than previously. But I've since changed some kernel arguments and it has been better since.

At the beginning there was no flatpak support, then only with bubblewrap-suid which is controversial and podman is broken, luckily there are userns images now.

This is indeed big; I wouldn't have been able to make the switch without the userns images.

The hack to use hardened_malloc on Flatpaks is also very nonstandard and electron apps do completely random things it seems (don't use electron, but it's everywhere! Nextcloud, mullvadVPN, Signal, Element, …)

Thank you for your continued contributions and efforts that go into ever-improving secureblue!

Throwaway1234 2 points 9 months ago (1 children)

Yeah, I saw that you had shared the https://blue-build.org/ website a few days prior. But, to me at least, the "Introducing BlueBuild" blogpost seemed more like a proper announcement/introduction compared to the default website. And has only been published since 2024-02-25, so only after your post 😉.

Throwaway1234 3 points 9 months ago (1 children)

Thank you for the write-up! I liked it overall. Perhaps consider to have like a day in-between proofread sessions. This might have alleviated some passages for which I currently hold some minor nitpicks. It's clear that you've written it with care, but -at least in my case- I notice that my proofreading skills (somehow) are a lot sharper the next day (or something).

VSCodium wouldn’t see that I’ve installed the languages I did, nor find my font (Geist Mono Nerd Font).

Assuming you had VSCodium installed as a Flatpak, perhaps the pointers found in this excellent blogpost could help out with that. FWIW, I succeeded with a similar endeavor without installing the IDE in the Toolbx/Distrobox.

Throwaway1234 3 points 9 months ago* (last edited 9 months ago) (1 children)

I agree with the general sentiment. Thank you for mentioning that!

Though, the use of sudo nano might still pose a risk if any software found on the system is either vulnerable/exploitable, not trusted, or simply exploitative. In that case, like what's achieved through sandboxing i.e. not allow the software to go beyond their intended scope, it makes sense to put a limit on the capabilities of the software. And to that effect, the use of sudoedit still offers merit over sudo nano.

Though, if the user doesn't (already) rely on bubblejail, firejail, Flatpak etc for what they offer in sandboxing. And/or if said user simply doesn't care for the principle of least privilege, then the use of sudo nano is perfectly valid.

Throwaway1234 3 points 9 months ago (34 children)

Thank you for your elaborate answers!

Qubes OS has a very steep learning curve due to its difficult usability, so the answer would be “both”. I am willing to tackle and overcome, but I’m not ready to put in that work yet, if at all.

Qubes OS is definitely more involved than the average distro, so I can understand why you feel that way.

I have a really funny story regarding threat models. When I first got into privacy 2-3 years ago, I had the goal of getting as deep as I could (the “strictest threat model possible”) and work backwards to find out what I was willing to allow.

Hahaha 🤣, very relatable; I almost wanted to learn SELinux for hardening purposes. Thankfully, Qubes OS exists as my endgame, which deterred (most of) the motivation (and need) to comprehend SELinux in the first place.

I have a “subconscious” threat model. I have, over the past week, started working on answering the classic questions. I am trying to protect against “evil” corporations, and such, I must also protect myself against some low level government threats. My threat model “philosophy” is: I will not use a piece of software if it actively goes against me in terms of privacy. Windows, for example, is a pain to try to use while maintaining privacy.

We can work with that, though I kindly implore you to further work out your threat model. It will(/should) give you some peace of mind (or at least a security/privacy roadmap on which you can (slowly but steadily) work towards). If I would have to distill your philosophy, it would be something like "be protected from attacks targeted towards low(er) hanging fruit". Would that be fair?

You are the third person to recommend SecureBlue (I’ve been keeping track), and since it is a “Fedora Atomic spin” (Fedora Atomic as well as Atomic distros in general were also recommended three times each), I believe I will switch to it to see how it is.

Great choice! FWIW, I've also been on it for a couple of weeks now and I've really been enjoying it. Before, I had my own custom image that was built using the (legacy-)template from uBlue. I tried to harden it myself 😅, and I would argue I did and achieved some cool stuff with it. But, it's very clear that my technical knowledge doesn't even come close to that of secureblue's maintainers. I just wish I had rebased earlier 😅.

By the way, I love the mention of GrapheneOS, since that will eventually (finances be blessed) be my main mobile OS

I definitely agree with that sentiment. Btw, FWIW, I know for a fact that at least one individual that's associated with GrapheneOS has 'contributed' to secureblue.

I wish there was a true “Linux alternative to GrapheneOS”.

Hehe, without going into what that actually means and would entail, I agree 😜.

Throwaway1234 4 points 9 months ago (36 children)

So I would like to ask a couple of questions:

Qubes OS (Tried it twice, not ready yet)

Is Qubes OS not ready yet for your intended workflow/usage? Or are you not ready to make the complete switch (yet)?

For me, it has been incredibly difficult to find a properly privacy oriented Linux distro that also has ease of use.

Unfortunately, in almost all cases, increased security/privacy is achieved through the loss of convenience. Therefore, you should ask yourself what the minimum level of security/privacy is that you absolutely require/need. How's your threat model defined (if at all)?

My issue with Fedora is the lack of proper sandboxing, and it seems as though Qubes is the only one that really takes care in sandboxing apps.

I agree that there's still a long road ahead until we have on Linux whatever is found on GrapheneOS or Qubes OS. I'm aware that you can technically utilize VMs on any distro, but the experience will not be as streamlined (nor as secure) as you may find on Qubes OS. But, Flatpak does offer some sandboxing. And while it may not be as powerful as you may want, and some apps may not utilize portals as they should. Still, it's definitely worthwhile and perhaps the best we've got currently. Furthermore, bubblejail allows you to (relatively easily) utilize (some of) the technology that's used to sandbox Flatpak apps for all your non-Flatpak apps. It can be found on Copr if you choose to stick to Fedora.

On that note, the maintainers of the aforementioned Copr package have built an interesting project for those that seek security-focused (or simply hardened) images of Fedora Atomic; (aptly named) secureblue. It's still a relatively young project, but their innovations have definitely been noteworthy and it seems to have a bright future ahead.

While we're in the vicinity of 'hardened-for-you'-distros, we should mention Kicksecure. By contrast, this is a well-established distro by the people that also develop Whonix.

Without hearing your answers to my questions, I think these two are the primary candidates. Though sticking to Fedora ain't a bad choice either.

Throwaway1234 13 points 9 months ago* (last edited 9 months ago) (4 children)

so I run sudo nano /etc/default/grub

For improved security during file edits that require root access, it's highly advised to use sudoedit (or sudo -e). This method is considered the standard practice to avoid the security pitfalls associated with directly invoking editors with sudo. To ensure the use of nano with sudoedit, simply set the VISUAL environment variable with export VISUAL=nano before running sudoedit. Alternatively, for a one-off command: VISUAL=nano sudoedit /path/to/file.

Please note that while sudoedit is a safer starting point, it's not the only method available. Alternatives such as doas, doasedit, or leveraging polkit with pkexec can offer even more controlled and secure ways to manage file editing with elevated privileges. However, it's perfectly acceptable to stick with sudoedit, as it's a commonly trusted tool.

Be aware that direct usage of sudo nano or other editors is strongly discouraged. It bypasses important security mechanisms and can lead to inadvertent system-wide risks.

EDIT: changed VISUAL=nano sudoedit to VISUAL=nano sudoedit /path/to/file.

Throwaway1234 1 points 9 months ago

Yeah, I wouldn't abandon a perfectly working system for one that straight up dies for nothing.

Maybe, if you've got some spare space on your system, consider dual-booting it. If the issues persist, then Kubuntu 24.04 LTS sounds good as a replacement.

Throwaway1234 1 points 9 months ago

Thank you for reporting back 😊!
