So, I’m currently on Kubuntu and I’m not really a fan. I want to take the opportunity to switch to a better distro. Ideally I’d use secureblue but I’m hoping for advice on how practical it is as a daily driver from the people who’ve used it.

My priorities are:

  1. Using Linux.
  2. Using Firefox.
  3. Security, within reason.
  4. Using software which treats security with the importance it warrants (If desktop Linux should improve in one area in 2026, it’s security).

My options are:

  1. Fedora Kinoite
  2. Fedora KDE with some hardening
  3. Secureblue

My needs are:

  • Browsers: Firefox, Mullvad Browser, a Blink-based browser (backup).
  • Extensions: uBlock Origin (Lite or otherwise), NoScript, Proton Pass
  • Apps: FreeTube, Anki, Discord, Threema, LibreOffice, Mullvad VPN, KWrite, KolourPaint
  • Sound: Bluetooth headphones, Sound, Printing (Optional)

I’ve stopped using themes, partly because of the security issues and partly because I just don’t really like them anymore. I’ve replaced them with the Plastic window decorations that come default on Kubuntu and a custom colour scheme.

On Firefox:

  • I need Firefox because it allows me to create duplicate bookmarks with ease. I manage a lot of things via bookmarks and sometimes they overlap.
  • Secureblue has been incompatible with Firefox in the past, but IIRC Firefox recently added support for hardened_malloc. I can’t find where I read this though.
  • In terms of the security issues with Firefox, I’ve installed NoScript to prevent untrusted sites from running JavaScript (especially Wasm). I can swap to a Blink-based browser where it requires trusting too many sites.
  • Proton Pass … I don’t log directly into it on my computer (only on GrapheneOS) and I don’t have my 2FA keys stored on it. I need it for a Passkey because neither Linux nor GrapheneOS support them natively and my government services’ 2FA codes require its own app which requires the Play Integrity API (bloody Australia). My government services are a very high value target (because Australia).
  • I wonder if I really need hardened_malloc in the first place, since with the state of Linux security I’m not sure there’s a reason someone would use a memory vulnerability unless I’m being targeted personally (and nobody’s gonna do that for me).

Security goals:

  1. I want to make sure the software I install does not have access to anything it doesn’t need to.
  2. I want to make sure that any website I visit won’t be able to access my file system.
  3. I want to make sure that my browser extensions won’t be able to access my file system.
  4. I want to use a distro that’s somewhat resilient against supply chain attacks.
  5. Proximity to upstream for timely security patches.
  • MonkderVierte@lemmy.zip
    7 hours ago

    I’ve had a bad experience with Flatpak-first distros. Partly because I’ve run them from USB* and have slow internet here, running on a 2018 laptop, partly the duplicated/more complex tooling (especially Silverblue). And don’t even start trying to remove preinstalled apps or roll your own image. In short, customization and performance are severely limited.

    * Especially Bottles gets outright unusable as a Flatpak running from a USB SSD.

  • 4jVXAfSdzKnV@lemmy.ml
    8 hours ago

    You can try secureblue and if it does not fit your use cases try Fedora and tinker a bit with bubblejail and other hardening yourself, with that you will learn a lot which is even more valuable than just using a secure os. As far as I know Fedora uses SELinux already which is pretty good.

    If you depend on a secure OS to protect your life/assets against threat actors like states or any other organisation with a massive amount of people and/or time/money then the answer will be very complicated and I would suggest talking with a professional consultant because the correct answer can vary on many little factors. SecureBlue or QubesOS are fine, no PC and only GrapheneOS even better.

    If you depend on a secure OS to protect your identity against threat actors like states… …the answer will be completely different since privacy and security can be complementary goals. TailsOS is suitable in this case.

    • FoundFootFootage78@lemmy.mlOP
      8 hours ago

      Basically what I’ve learnt with this thread is the same thing anyone learns when asking which distro to pick, “it doesn’t matter, just pick one”.

  • N.E.P.T.R@lemmy.blahaj.zone
    11 hours ago

    I recommend Secureblue.

    To install Firefox on Secureblue, run rpm-ostree install firefox

    To install Mullvad VPN, run ujust install-vpn, select Mullvad, wait for it to complete, and run rpm-ostree install mullvad-browser

    For browsers, you obviously are going to install Mullvad and Firefox, but no need to install a Blink-based browser because it comes with Trivalent (significantly security hardened Chromium). Since Trivalent only supports MV3, you will need uBO Lite, and NoScript supports MV3.

    I recommend sandboxing your browsers (except Trivalent) using Bubblejail. For Mullvad/Firefox, create a Bubblejail instance using the config app, create a profile, give it access to Wayland, PulseAudio (sound), Pipewire (screenshare), and use slirp4netns, then run bubblejail generate-desktop-entry INSTANCE_NAME --desktop-entry /usr/share/applications/INSTANCE_NAME.desktop. I recommend adding access to ~/Downloads for the browsers.

    Consult the FAQ for more tips/tricks and security toggles. Also use the ujust command line utility to configure the system.

    • FoundFootFootage78@lemmy.mlOP
      11 hours ago

      I’m gonna have to try secureblue and only switch when I find something that doesn’t work. I’m not entirely sure that Firefox works at present.

      Trivalent doesn’t support extensions https://secureblue.dev/faq#trivalent-extensions but I only need those extensions on Firefox. My backup browser is mostly for sites that involve online purchases as it’s too much of a hassle with NoScript.

      Other than that thank you for your advice.

      • N.E.P.T.R@lemmy.blahaj.zone
        5 hours ago

        To use Firefox, you need to use ujust with-standard-malloc firefox (or something like that). It also needs user namespaces (same with Mullvad VPN/Browser); run ujust set-unconfined-userns on

        Follow these steps to make Firefox run with standard malloc:

        For Firefox with no sandboxing …

        • cp /usr/share/applications/firefox.desktop ~/.local/share/applications/firefox.desktop
        • Edit the newly created file so that any line that starts with Exec=firefox starts with Exec=ujust with-standard-malloc firefox instead

        For Firefox with Bubblejail, assuming you have already created a profile named Firefox and generated the desktop entry. Edit the file ~/.local/share/bubblejail/instances/Firefox/services.toml and add the following snippet:

        [debug]
        raw_bwrap_args = [
            "--ro-bind",
            "/dev/null",
            "/etc/ld.so.preload",
            ]
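
The desktop-entry edit and the Bubblejail check from the steps above, written as a POSIX shell script (an added example, not code from the commenter or the secureblue project). The function names are made up for illustration, the sample files are constructed, and the ujust command is taken from the comment as written.

```sh
#!/bin/sh
# Added example: per-user launcher override for Firefox on secureblue.
# WRAP is the command quoted in the comment above; the commenter hedged its
# exact name, so confirm it on your system before relying on it.
WRAP='ujust with-standard-malloc firefox'

# make_override SRC DST: copy desktop entry SRC to DST, rewriting every
# Exec=firefox line (main entry and [Desktop Action ...] sections) to start
# with WRAP while keeping arguments such as %u or --private-window.
make_override() {
    src=$1 dst=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    mkdir -p "$(dirname "$dst")" || return 1
    # Match only when "firefox" is followed by whitespace or end of line, so
    # another binary such as firefox-esr is left untouched.
    sed -E "s|^Exec=firefox([[:space:]].*)?\$|Exec=${WRAP}\\1|" "$src" \
        > "$dst.tmp" && mv "$dst.tmp" "$dst"
}

# unwrapped_exec_count FILE: print how many Exec= lines still launch firefox
# directly; 0 means every launch path goes through WRAP.
unwrapped_exec_count() {
    grep -Ec '^Exec=firefox([[:space:]]|$)' "$1" || :
}

# masks_preload SERVICES_TOML: succeed if the Bubblejail instance binds
# /dev/null over /etc/ld.so.preload, as the [debug] snippet above does.
masks_preload() {
    tr -d ' \t\n"' < "$1" |
        grep -qF -- '--ro-bind,/dev/null,/etc/ld.so.preload'
}

# Demo on constructed sample files in a throwaway directory.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '[Desktop Entry]' 'Name=Firefox' 'Exec=firefox %u' \
        '[Desktop Action new-private-window]' \
        'Exec=firefox --private-window %u' > "$d/firefox.desktop"
    printf '%s\n' '[debug]' 'raw_bwrap_args = [' '    "--ro-bind",' \
        '    "/dev/null",' '    "/etc/ld.so.preload",' '    ]' \
        > "$d/services.toml"
    make_override "$d/firefox.desktop" "$d/out/firefox.desktop" || return 1
    echo "unwrapped Exec lines: $(unwrapped_exec_count "$d/out/firefox.desktop")"
    if masks_preload "$d/services.toml"; then echo "preload masked"; fi
    rm -rf "$d"
}
demo
```

On a real system the source would be /usr/share/applications/firefox.desktop and the destination ~/.local/share/applications/firefox.desktop, the paths given in the steps above.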
        
  • Grimm665@lemmy.dbzer0.com
    17 hours ago

    I’m not sure I’m qualified to answer, you seem to know your security needs but I’ll ask anyway: what are you securing against and why? You listed your security goals, but not exactly why you need them and what you are defending against. Fair enough, but without knowing more details, I’d suggest looking at QubesOS, which specifically isolates apps into different virtual machines. You could also go with security-by-minimality, and roll your own environment with Arch or Alpine (even Gentoo if you really wanna go down the rabbit hole).

    • FoundFootFootage78@lemmy.mlOP
      16 hours ago

      I’m after security against malware and websites to prevent my email or government services from being accessed maliciously, but I want to do so without over-relying on the obscurity of Linux and Firefox.

      In other words, I want to do my due diligence on security.

      • Grimm665@lemmy.dbzer0.com
        16 hours ago

        Malware in the traditional sense, as in a malicious program that sneaks its way onto your machine and runs a dangerous payload, is far far more common on Linux machines with open ports acting as servers on the internet. And even then, I’d wager that’s less than 1% of the malware out there that specifically targets Windows simply due to market share. With that in mind, plain old Fedora will do just fine, especially if you leave SELinux enabled; many tutorials have you disable it if it interferes with apps/services you want to run, but they’re simply being lazy, working around SELinux can be obscure at times, but it’s still worth doing, and keeping it running rather than disabling it.

        Malicious webpages and phishing attempts are more likely to cause you trouble on Linux, and the OS can only do so much to protect you there. Securing against those is more about vigilance and wisdom, which it sounds like you’ve got covered honestly!

        • FoundFootFootage78@lemmy.mlOP
          16 hours ago

          In terms of phishing I am very prepared. In terms of malicious webpages not really. NoScript probably helps but I click on basically any link with no regard for safety, and if it doesn’t work I normally give it any JavaScript permissions it asks for (except Wasm, unrestricted CSS, LAN, and other). Plus there’s the added risk of browser extension supply chain attacks that I’ve been getting increasingly paranoid about.

          I think you’re right about software. If I use SELinux, and especially if I use a hardened profile on it, then I should be reasonably secure. If I uninstall sudo and switch to run0 (which I prefer using anyway) then malware probably wouldn’t be able to do much of anything if it escapes the sandbox. I’ve heard everywhere that Fedora and OpenSUSE are relatively good on security so I have every reason to trust your assessment.

          • moonpiedumplings@programming.dev
            14 hours ago

            If I uninstall sudo and switch to run0 (

            Sudo and run0 are both problematic. Sudo is a setuid binary, which is problematic, but run0 is not much better. It works by making calls to systemd/polkit/dbus, services that constantly run as root, and they themselves expose a massive attack surface. Many privilege escalation CVEs similar to sudo have been released that exploit that attack surface.

            When it comes to actually being secure, systemd somewhat screws you over, due to having a massive attack surface, a way to run things as root, and the interesting decision to have polkit parse and run javascript in order to handle authorization logic (parsing is a nightmare to do securely).

            The other thing is that the browser sandbox is much, much stronger than the separation of privileges between users in Linux. Browser sandbox escapes (because they work the same on Windows or Linux) are worth immense amounts of cash, and are the kinds of exploits that are used in targeted manners against people who have information on their computer worth that much. If you don’t have information worth millions of dollars on your computer, you shouldn’t worry about browser sandbox escape exploits.

            The reality is that any attacker who is willing and able to pierce through a browser sandbox, will probably also have a Linux privilege escalation vulnerability on hand. In my opinion, trying to add more layers to security is pointless unless you are adding stronger layers. If your attacker has a stronger “spear”, it doesn’t matter how many weak “shields” you try to put in front to stop it.

            If the million dollar industry of browser escapes is in your threat model, I recommend checking out the way that OpenBSD’s sandboxing interacts with Chromium. Or check out Google’s gVisor sandbox and see if you can run a browser in there.

            • FoundFootFootage78@lemmy.mlOP
              13 hours ago

              The idea of disabling sudo was that malware would try to use sudo and fail (plus Secureblue’s endorsement). But now that I think about it malware probably wouldn’t keylog my password and use systemd anyway, but instead use something less tedious and less distro-dependent like a privilege escalation attack. I’m wondering though, are you saying that you think run0 is more vulnerable, or that it shares a massive attack surface with sudo?

              I guess the value of browser escape vulnerabilities explains why I’ve never gotten any malware despite my risky web browsing. Though browser extensions still pose a risk and being a Firefox user I suspect that such value is low enough to use for run-of-the-mill malware (though probably just for Windows). I’ve heard a fair few times about thumbnailer attacks, but no real detail from KDE about what if any mitigations they have in place.

              • moonpiedumplings@programming.dev
                12 hours ago

                less distro-dependent like a privilege escalation attack

                These also are valuable. Less valuable than browser escapes IMO though.

                A keylogger is more likely, and it’s just as possible with sudo as it is with run0. They would replace sudo, run0, doas, etc. with a fake command (since that only requires access to the user) that either keylogs, or inserts a backdoor while it does the other sudo things.

                I’ve heard a fair few times about thumbnailer attacks, but no real detail from KDE about what if any mitigations they have in place.

                Please ignore the entire cybersecurity hype news cycle about images being used to spread malware. They often like to intentionally muddy the waters, and not clearly explain the difference between a malformed file being used as a vulnerability to exploit a code execution exploit, and an image file being used as a container for a payload (steganography). The former is a big deal, the latter is a non issue because the image is not the issue, whatever means the malware actually used to get onto the systems is.

                Here’s a recent example of me calling this BS out. The clickbait title implies that users got pwned by viewing a malicious image, when in actuality it was a malicious extension that did the bad things.

                Unless you are using Windows Media Player, the Microsoft Office suite, or Adobe Acrobat, code execution from loading a media file is a really big deal and fixed extremely quickly. Just stay updated to dodge these kinds of issues.

                As for zero days, unknown and unpatched vulnerabilities, again, that’s a different threat model because those exploits cost money to execute. Using an existing known (but fixed in updated versions of apps) is free.

                • FoundFootFootage78@lemmy.mlOP
                  11 hours ago

                  Please ignore the entire cybersecurity hype news cycle about images being used to spread malware.

                  I’ve heard of thumbnails being used to deliver malware. Specifically the idea that “thumbnailers” are JavaScript code included in the file that will run in order to generate a thumbnail and they have the potential to deliver malware. After an arduous search I found this article https://thehackernews.com/2017/07/linux-gnome-vulnerability.html suggesting a vulnerability in the thumbnail generator for Windows executables on GNOME allowed it to be used to deliver malware because the file name contained code that was executed by the thumbnailer. I’m still entirely unclear about what a thumbnailer even is (whether it’s local or remote code) or what my original source was. For now I’ll just turn off thumbnails for all but images and hope that counts as adequate security.

    • FoundFootFootage78@lemmy.mlOP
      16 hours ago

      I heard that the sandbox on Fedora (and all major distros) is relatively weak, and pulseaudio is a known escape vector for webpage malware. So I’m not 100% sure Fedora is reasonably secure.

      SB isn’t immutable BTW. I wish it was because I like the idea of immutable distros (for people who don’t use Arch) but it isn’t.

      • Aganim@lemmy.world
        7 hours ago

        Fedora was one of the first to get rid of pulseaudio and replace it with Pipewire, so that shouldn’t be an issue.

      • JustEnoughDucks@feddit.nl
        11 hours ago

        I am a bit ignorant about Fedora security, but doesn’t pretty much everyone run Pipewire now and not pulseaudio?

      • somethingsomethingidk@lemmy.world
        14 hours ago

        What do you mean by sandbox here? Fedora has SELinux by default which adds an extra layer of security. If you really want a “sandbox” Qubes is probably the way to go. It runs everything in virtual machines, so if there was a browser escape they would still have to escape the VM. It would be a very sophisticated attack and nothing you have to worry about.

        And pulseaudio is fine lol, what you’re describing would certainly be assigned a CVE and the only CVEs for pulseaudio are all denial of service except for some back in 2009.

        • FoundFootFootage78@lemmy.mlOP
          13 hours ago

          By Sandbox I mean that the apps I install should only have access to the files in a dedicated directory. Mullvad seems to do this on Kubuntu, there’s a .mullvad-browser folder in my home directory and whenever I try to upload or download an image using it I find myself unable to navigate away and instead need to use my file manager to do so.

          I’m not really interested in QubesOS. As above my first priority is running Linux and while the virtualization in QubesOS interests me it’s not an operating system I want to use.

          I heard the pulseaudio thing from this source https://profincognito.me/blog/security/browser-engine-security-comparison/ although it was uncited so it may be BS.

      • just_another_person@lemmy.world
        16 hours ago

        Absolutely not true 🤣🤣

        Where’d you hear this?

        Also, Silverblue is immutable. You are just full of bad info, bud.