Fair enough. Thanks for the clarification!
Was this a general conservative outlook/take on change?
Or are you hinting at something? If so, would you be so kind to elaborate?
Going from Linux Mint to Qubes OS could be rough. You’re warned ;) .
secureblue absolutely does.
Qubes OS does too. But that becomes dom0, and most of the qubes you’d interact with are just Linux. But a qube can be based on BSD instead. Heck, you could have it based on Windows even. These qubes are VMs; so you can basically do whatever you want with them. The heavy use of virtualization is exactly what makes Qubes OS as secure as it is.
Not the one you asked, but please allow me to give my take on the matter.
Do you know if you can still do everything with it? Like atomic already has its own limitations and quirks. I can imagine there are bigger limitations with this.
Being derived from Fedora Atomic, it already comes with its own set of limitations; like being limited in which kernel mods you can make use of (without reinventing the wheel), or how UKI is unsupported, or how you should probably create your own image if you want to populate /usr. You can’t even install software from any repository; e.g. installing the ProtonVPN RPM has been hit or miss for me.
And, on top of this, secureblue’s hardening does (strictly) limit this even further. Most impactful, so far, would be the inability to use sudo or anything like it. Instead, run0 is suggested. I’m 100% sure that run0 is better. However, I’ve had at least 1 occasion on which the software doesn’t know how to properly interact in this setting. Ultimately, I’d have to put the blame on the software that doesn’t properly support run0. And, perhaps, you could help address the issue by opening a bug report related to it. But it’s definitely something to keep in mind.
Finally, note that on first setup you’re walked through the many different additional hardening measures that can be reverted based on your needs. Just be aware of that fact.
Like can you install driver-level stuff like tablet drivers
Maybe. Depends on what exactly it is.
GPU/CPU control
I have.
udev rules
Shouldn’t be a problem either.
etc… I guess I don’t really know the implications of the extra hardening.
If you’re interested, I suppose the best course of action would be to find a secondary device of yours and set it up to your heart’s content with secureblue. Whenever you face a roadblock, consider paying a visit to their Discord server for support; they’ve been a great help so far. If, at some point, you find something you absolutely can’t do, then you’d have to make up your mind on what you deem more important. Wish ya the best of luck!
To add onto what N.E.P.T.R said, it is technically possible to make a custom amalgamation of Bazzite with secureblue’s hardening. However, it would be neither here nor there. Some discussion of it can be found here. IIRC, it was ultimately deemed counter-intuitive, as a gaming distro inherently conflicts with a hardened one.
Finally, we shouldn’t disregard the technical part of this; it’s IIRC one of the reasons why the Bluefin-variants of secureblue were eventually disbanded. It frequently had a lot of interesting bugs that were simply not present on other secureblue-images. This isn’t on Bluefin either, as the non-hardened edition worked as you’d expect.
I believe your confusion comes from the following line: “secureblue does not claim to be the most secure option available on the desktop.”
Which is simply their acknowledgement that more secure options like Qubes OS exist. Note, however, that Qubes OS is not based on Linux, but instead on Xen.
My all-time personal favorite is probably MarkText. I’m actually surprised no one else has mentioned it; knowing it has garnered almost 50k stars on GitHub.
I really like it for its realtime preview and support for mathematical expressions. Though, it’s wonderfully feature-rich; so please check out its README for the full list.
Unfortunately, it (currently) doesn’t enjoy as much development as it previously did. Which has ultimately led me to pivot to ghostwriter more recently.
Lots of good answers already, but a hidden gem has yet to be mentioned: Endless OS. TL;DR: it’s an immutable distro based on Debian. As for the home directory, please consider one of the many solutions provided by others in this thread. Good luck!
Thanks for the nice chitchat! Have a nice day!
Since you seem to know a lot about it let me ask you a couple of things:
😅. I’ll try my best 😜.
Bazzite is immutable, right? I’m sure I saw that somewhere and Fedora Atomic is also immutable IIRC
It is correct that the contents of / are immutable at runtime aside from /var and /etc. However, note that a lot of folders like /home and /opt are actually found in /var in response. This is later ‘fixed’ with symlinks and whatnot. In effect, only the contents of /usr (aside from /usr/share) are off-limits (or ‘actually’[1] immutable).
How does the config changes not get overwritten?
I believe my previous paragraph already answers this. But, to be even more elaborate, Fedora Atomic makes use of libostree (read: git for your OS). With this, only the pristine images are ‘swapped’ in-between updates (or rebases[2]). Your changes to the system are found in /var, /etc and in so-called ‘layers’ only, and are not swapped out. Some of these changes are kept track of[3], but most of them reside in /var and will not be touched by libostree.
The whole point of an immutable distro is to prevent changes to files to ensure things keep working
Kinda. The important part is that changes are prevented for the sake of a functioning system. But the entire system doesn’t have to be locked down in order to achieve this. This does mean that it’s actually not that hard to break your system. Just rm -rf /etc and your system will probably fail to boot into the very next deployment. But, as Fedora Atomic keeps at least two deployments, you will still be able to access the previous deployment in which you tried to delete /etc. So you’re protected from accidental mishaps as long as you’ve got at least one working deployment. Thankfully, you can even pin working deployments with the ostree admin pin command. And…, just like that, the distro has basically become dummy-proof. I’m sure it’s still possible to break the system, but you’d actually have to try 😉.
So, in short, Fedora Atomic definitely intends to be a more robust system and succeeds. But, it does so while giving the user agency (and some responsibility).
How are packages installed?
I think everything of importance is mentioned in the docs. What is it exactly you want to know?
The docs you sent recommend flatpak, which while very good in theory still has a small fleet of apps available.
But that’s just the first of seven “package formats” listed in the docs 😜. The other six will assure that your remaining needs are fulfilled.
Also they suggest using distrobox among other things, that’s definitely not beginner friendly, although an interesting concept for an advanced user to have your main machine be an immutable host to any system you want.
This is obviously anecdotal, but Fedora Silverblue was the first distro that I used. I was a complete Linux newb. My coding background was also just a Python course at Uni. But, somehow, in the very newbie-hostile environment back then (read: April 2022), I managed with Toolbx. So…, yeah…, I can’t relate. Sorry*. You might be absolutely correct. But, as I said, I don’t recognize this from my own experience. I wish I had a video tutorial back then, though. Honestly, with the amount of hand-holding Bazzite and its docs provide, I believe a newbie should be absolutely fine.
It is even possible to overwrite this. Both in a Containerfile (requires creating your own image) and on device (very hacky, not recommended).
Rebasing is the process by which a different image is selected to boot and run your system from. For example, with this, one can switch from Silverblue (GNOME) to Kinoite (KDE) without reinstallation. This can even be used to switch from a Fedora image to an Aurora/Bazzite/Bluefin/secureblue image.
These include the software you’ve installed through rpm-ostree (or soon dnf). We call these layered packages, based on the analogy that the packages aren’t part of the image but are magically tacked on without you noticing anything finicky. It’s quite magical. Besides that, any and all changes made to /etc are also kept track of. The former you can see by invoking rpm-ostree status, the latter by invoking ostree admin config-diff.
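To make the deployment, pinning and layered-package bookkeeping described above concrete, here is an added example (not from this thread, nor from the Fedora or rpm-ostree projects) that parses a constructed sample shaped like the output of `rpm-ostree status --json` and reports whether a pinned, known-good deployment exists besides the booted one. The JSON key names used are assumptions to verify against your own machine’s output.

```python
import json
import sys
from typing import Any

# Constructed sample shaped like `rpm-ostree status --json`. The key names
# "deployments", "booted", "pinned", "version", "checksum" and "packages"
# are assumed here; compare them with the real output on your own system.
SAMPLE_STATUS = json.dumps({
    "deployments": [
        {"checksum": "aaaa1111", "version": "41.20250101.0",
         "booted": True, "pinned": False,
         "packages": ["distrobox", "protonvpn-stable-release"]},
        {"checksum": "bbbb2222", "version": "41.20241220.0",
         "booted": False, "pinned": True, "packages": ["distrobox"]},
    ]
})

def parse_deployments(raw: str) -> list[dict[str, Any]]:
    """Return the deployment list from rpm-ostree's JSON status."""
    return json.loads(raw).get("deployments", [])

def booted(deployments: list[dict[str, Any]]) -> dict[str, Any]:
    """The deployment currently running (exactly one is marked booted)."""
    return next(d for d in deployments if d.get("booted"))

def layered_packages(deployments: list[dict[str, Any]]) -> list[str]:
    """Packages layered on top of the booted image (rpm-ostree install)."""
    return sorted(booted(deployments).get("packages", []))

def has_safe_rollback(deployments: list[dict[str, Any]]) -> bool:
    """True if a *different* deployment is pinned, so a broken update or a
    wrecked /etc in the booted one still leaves a known-good boot target."""
    return any(d.get("pinned") and not d.get("booted") for d in deployments)

def summarize(raw: str) -> dict[str, Any]:
    """One-shot health summary a user can eyeball after an update."""
    deps = parse_deployments(raw)
    return {
        "booted_version": booted(deps).get("version"),
        "deployment_count": len(deps),
        "layered": layered_packages(deps),
        "pinned_rollback": has_safe_rollback(deps),
    }

if __name__ == "__main__":
    # Real use: rpm-ostree status --json | python3 this_script.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    print(json.dumps(summarize(data), indent=2))
```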
Isn’t Bazzite an immutable OS with very limited package availability outside of gaming?
Nope. It’s basically Fedora Atomic with a lot of special sauce to make onboarding as pleasant as possible. Especially if you want to use it for gaming; be it as a HTPC/console or on desktop. Thus, like Fedora Atomic, you’ve got access to many different package managers to get your needs covered. Heck, Bazzite and its uBlue siblings actually improve upon Fedora Atomic in this regard (at least by default). Refer to this entry in its documentation for the finer details.
but I’m not sure it would be a good experience for someone just getting into Linux, since most of the help he will get online
We’ve all been guilty of this (read: searching on the internet), but we should instead consult Bazzite’s documentation first. Only after it isn’t found there should one consider going to their discussion platforms; be it their own forums or their Discord server. Searching on the internet is IMO a no-go, especially if one isn’t well-versed yet.
will direct him to edit config files which would get overwritten on update.
This doesn’t apply to Fedora Atomic. Perhaps you’re conflating this with SteamOS.
Yeah, it seems that they even acknowledge that Tor and Mullvad are better for extreme threat models.
"The only browsers that can provide sophisticated fingerprinting protection against advanced scripts are Tor Browser & Mullvad Browser.
If you have an extreme threat model (Ex. Political dissident, journalist, or if you are in some other kind of high risk situation), please use one of those browsers."
I suppose we’d have to commend them for being fair.
I’ll keep it relatively brief for fear of unwieldiness.
I’m really not a fan of the “we can’t do anything so let’s sit and wait until everything gets worse” philosophy.
I agree. I hope you’re not implying I’m stating otherwise.
but it was accepted because it was the best thing available at the time for the purpose
More like Red Hat pushed it as the new standard and the rest followed suit. Distro maintainers are pragmatic and reasonable people. They’ll more often than not go for the path of least resistance.
A clear-cut example of this would be how most distros don’t opt for btrfs in combination with Timeshift or Snapper for snapshot functionality. So clearly, they are not really trying to offer the best solution. Instead they just try to push a system that’s as easy as they come for them to maintain and act accordingly.
the community needed a standard
And we already had one: SysVinit. Don’t try to rewrite history.
I initially started writing a reply on the remaining text but noticed that my writings continued to be misunderstood. Therefore, I decided to retract any further reply and will choose to stop engaging in this conversation. Thank you for the engagement. However, I would like to offer a small piece of advice as a fellow Lemmy user:
In future conversations, whether they are debates or discussions, please try to understand what the other person is saying. Avoid creating a straw man argument. If needed, ask for clarifications to ensure you fully grasp their point. If you continue to have difficulty understanding, consider alternative approaches to gain a better understanding.
I don’t know how this conversation deteriorated, but I’ll let it be. Thank you once more. For the record, I don’t think this conversation will be productive moving forward. You seem to be focused on your own points without trying to understand the other side, which is fine. You don’t have to try to understand me; I may not be important. However, the ideas I try to convey might be, and it’s more important to consider and understand those.
Anyhow, I wish you the best.
I think I better understand you now. Btw, I had changed my previous reply moments before I read your reply. My bad*.
I meant that I support this distro as long as it’s not immutable because I’m an opponent of immutability on the desktop. If they’re also making other kinds of systems, immutability may be beneficial there.
Have you been around since before the introduction of systemd? Systemd’s introduction was a lot more invasive and threatening to ‘traditional’ distros than immutables are today. Distros changed to systemd overnight. Only Arch and Debian had communities that succeeded in establishing systemd-less derivatives. By contrast, the interest in immutability in existing distros (almost always) means a parallel distro is created with (at least initially) immutability tacked on.
So, please correct me if I’m wrong, but I feel as if you’re being too aggressive/overreactive considering how nonthreatening immutable desktops are to traditional distros.
Sometimes ~~innovation~~ change is bad or rushed (such as removal of X11 on Fedora).
Fixed that for you 😉.
Often only people with the newest hardware can benefit from it anyways.
Fair, but as unfortunate as it is, that’s basically a consequence of consumerism. I don’t like it, don’t get me wrong.
They don’t care about regular users making the products worse for them which is basically egoism.
I don’t think this applies to Linux overall. Fedora (and Red Hat by extension) have a vision that made them default to Wayland. So you’d be right to blame their policy. But this is nothing new for Fedora; they’re known to push bold changes. You might not like it or disagree with them. Fine. But is it important enough to hate them for it? Isn’t life too short for that?
There is a reason for proprietary products having legacy support after all.
Are you implying that doesn’t apply to Linux? I don’t understand. On an open system like Linux is, this doesn’t really seem to hold much weight. You can swap stuff around as you see fit.
They claim to have a lot of features.
What features are you referring to?
As I understand it, it’s basically trying to answer the following question: What if we could start over and use existing building blocks to make a simple yet complete system using the Linux kernel? All changes have been made in accordance with that basic premise. From replacing GNU in GNU/Linux with BSD, to choosing dinit over systemd as init system.
I hope they succeed (as long as it’s not immutable)
Are you one of those with a raging hateboner towards everything immutable? I ask this as I don’t see any reason to bring this up in the first place.
FWIW, I absolutely hope for it to succeed as well. Innovation (of any kind) pushes the industry forward. When people oppose innovation for whatever reason, it always reminds me of Henry Ford’s famous quote: “If I had asked people what they wanted, they would have said faster horses.”
It ultimately depends on what you wish out of your system. For a general use system, I can’t fathom myself preferring Bazzite over secureblue; simply for how secureblue’s superior security comforts me. However, Bazzite would definitely be preferred on a HTPC/“game-console” device. Ultimately, it depends on what you wish out of your system. As we are talking on /c/privacy, secureblue is definitely the preferred system within that context.
FWIW, secureblue has also (very recently) been approved by Privacy Guides. They’ve yet to update their recommendations page, though. It will likely be mentioned alongside Kicksecure.
Close enough. Usability-wise, it’s pretty smooth sailing after first setup. There are some minor things like how Waydroid works on Bazzite, but doesn’t on secureblue (at least, it didn’t when I tried it the last time). But, aside from those, it’s definitely a very viable daily driver. Just ensure to do a thorough read of their FAQ and Articles.