So, I’m currently on Kubuntu and I’m not really a fan. I want to take the opportunity to switch to a better distro. Ideally I’d use secureblue but I’m hoping for advice on how practical it is as a daily driver from the people who’ve used it.

My priorities are:

  1. Using Linux.
  2. Using Firefox.
  3. Security, within reason.
  4. Using software which treats security with the importance it warrants (If desktop Linux should improve in one area in 2026, it’s security).

My options are:

  1. Fedora Kinoite
  2. Fedora KDE with some hardening
  3. Secureblue

My needs are:

  • Browsers: Firefox, Mullvad Browser, a Blink-based browser (backup).
  • Extensions: Ublock Origin (Lite or otherwise), Noscript, Proton Pass
  • Apps: Freetube, Anki, Discord, Threema, Libreoffice, Mullvad VPN, Kwrite, Kolourpaint
  • Sound: Bluetooth headphones, Sound, Printing (Optional)

I’ve stopped using themes, partly because of the security issues and partly because I just don’t really like them anymore. I’ve replaced them with the Plastic window decorations that come default on Kubuntu and a custom colour scheme.

On Firefox:

  • I need Firefox because it allows me to create duplicate bookmarks with ease. I manage a lot of things via bookmarks and sometimes they overlap.
  • Secureblue has been incompatible with Firefox in the past, but IIRC Firefox recently added support for hardened_malloc. I can’t find where I read this though.
  • In terms of the security issues with Firefox, I’ve installed Noscript to prevent untrusted sites from running javascript (especially Wasm). I can swap to a blink-based browser where it requires trusting too many sites.
  • Proton Pass … I don’t log directly into it on my computer (only on GrapheneOS) and I don’t have my 2FA keys stored on it. I need it for a Passkey because neither Linux nor GrapheneOS support them natively and my government services’ 2FA codes requires it’s own app which requires the Play Integrity API (bloody Australia). My government services are a very high value target (because Australia).
  • I wonder if I really need hardened_malloc in the first place, since with the state of Linux security I’m not sure there’s a reason someone would use a memory vulnerability unless I’m being targeted personally (and nobody’s gonna do that for me).

Security goals:

  1. I want to make sure the software I install to not have access to anything it doesn’t need to.
  2. I want to make sure that any website I visit won’t be able to access my file system.
  3. I want to make sure that my browser extensions won’t be able to access my file system.
  4. I want to use a distro that’s somewhat resilient against supply chain attacks.
  5. Proximity to upstream for timely security patches.
  • FoundFootFootage78@lemmy.mlOPEnglish
    1·
    12 hours ago

    I’m gonna have to try secureblue and only switch when I find something that doesn’t work. I’m not entirely sure that Firefox works at present.

    Trivalent doesn’t support extensions https://secureblue.dev/faq#trivalent-extensions but I only need those extensions on Firefox. My backup browser is mostly for sites that involve online purchases as it’s too much of a hassle with noscript.

    Other than that thank you for your advice.

    • N.E.P.T.R@lemmy.blahaj.zoneEnglish
      1·
      7 hours ago

      To use Firefox, you need to use ujust with-standard-malloc firefox (or something like that). It also needs user namespaces (same with Mullvad VPN/Browser), run ujust set-unconfined-userns on

      Follow these steps to make Firefox run with standard malloc:

      For Firefox with no sandboxing …

      • cp /usr/share/applications/firefox.desktop ~/.local/share/applications/firefox.desktop
      • Edit the newly created file so any line that starts with Exec=firefox to Exec=ujust with-standard-malloc firefox

      For Firefox with Bubblejail, assuming you have already created a profile named Firefox and generated the desktop entry. Edit the file ~/.local/share/bubblejail/instances/Firefox/services.toml and add the following snippet:

      [debug]
raw_bwrap_args = [
    "--ro-bind",
    "/dev/null",
    "/etc/ld.so.preload",
    ]