I didnt know these existed!
What is this? These are images based on ublues “starting-point” toolkit to create modified variants of Fedora Atomic (the name for all atomic, immutable etc distros).
This means everyone can create the Distro they prefer, with programs, settings, services, udev rules, wallpapers, hardening etc. exactly as they want, while keeping just these diverging from upstream.
Have a look at this, Linux Mint ;D
So these images use GrapheneOS’ses hardened kernel, maintained by anthraxx and the hardened memory allocator maintained by the Divested Computing Team and GrapheneOS
So the result is a project with somewhat of a difficult (but currently working) 3rd party dependency, but the result is very close to upstream and a drop-in replacement.
Just like with ublue, all you need to do is rebasing to the unsigned image, rebooting and rebasing to the signed image. The guide is in the repos!
Its important to test it, and help the developers maintain the components!
Very interesting indeed! And thank you for raising awareness!
There’s another similar project that’s still WIP and that hasn’t received a lot of development recently. Though, its maintainer does provide hardening scripts for Fedora’s Atomic distros that are worth looking into. Hopefully, we might even expect a collaboration of sorts between these projects early next year 🤞.
Yes! Its not that hard as the changes are not big.
That specific distro I linked is veeeery opinionated, installing Chromium, removing Flatpak and even software stores. So how am I gonna install software now, layering? Its a bit of a joke on “security” I dont get with all that namespace stuff. I guess this just doesnt work with Flatpaka and to my knowledge flatpaks are more secure than RPMs
installing Chromium
This wouldn’t sit well with most privacy conscious folk out there. Though, I can understand it from a security point of view. Especially, when one notices that Chromium isn’t installed from Fedora’s repos, but instead the RPM is built to offer a more up-to-date version that should provide improved security compared to the stable version.
removing Flatpak
Probs for the sake of disabling unprivileged user namespaces; as you might have correctly alluded to.
even software stores
I imagine for the sake of minimizing attack surface.
So how am I gonna install software now, layering?
The Nix package manager is installable on Fedora’s atomic distros, so perhaps that route is worth exploring.
to my knowledge flatpaks are more secure than RPMs
To my knowledge, Flatpak’s sandbox indeed isn’t achievable by default with RPMs; unless one knows how to properly utilize SELinux to that effect.
Not sure about SELinux and unofficial Chromium though.
Yes pretty much thats the state.
Sandboxing… people argue always about that, Firefox RPM, Firefox Flatpak from Flathub or from Fedora (which is incomplete lol), or Chromium.
I am no expert but started using Firefox RPM again as its the fastest.
True! You could use Webapps for many things.
I have to say I dont like google but I very much like a streamlined and efficient OS like Android or ChromeOS.
Even having a webview is so important… wtf is electron, why??
But you just lack so many features. Like people saying they are okay with no doubleclick or even right click, thats so bad.