99% of Linux users don't experience 'random' boot problems. Ever.
The only thing is that there's not a lot of distro-specific guidance out there
I'm genuinely curious to hear what's missing here.
Not OP. But, FWIW, I've been daily driving secureblue for over a year now. And it has been wonderful experience.
Note that, by virtue of its superior security model, preconceived knowledge may not translate well. However, if you read its documentation and FAQ, then I'm pretty confident that you should be fine. Thankfully, if something's not clear or if you're facing issues, then you're in good hands through their Discord.
Going from Linux Mint to Qubes OS could be rough. You're warned ;).
While it could be functional as a cursory watch, it doesn't seem that Michael Horn has done a good job investigating the subject matter. So, no, I actually disagree with it offering a good explanation. Granted, I couldn't find any video that does this subject any justice; more often than not, they just tend to overgeneralize or oversimplify.
I think your response has so far been the most comprehensive. Thank you so much.
It has been my pleasure :D! Thank you for reading through all of that.
"Tinkering" in my case is pretty broad. You're correct when you suppose that I like to mess with UI aesthetics and workflows. The other misc tinkering I mentioned more in case there are some distros that are unsuited to working with strange or niche programs (such as the media encoding and physical media management stuff I mentioned). It sounds like that's not really much of a problem though. Anyway, what counts as "niche" is very subjective, so it probably wasn't that helpful to mention.
Thanks for the clarification!
I have not heard of Bazzite.
Interesting. Its fan base can be rather vocal. Furthermore, it has been enjoying a very healthy amount of media coverage. Digital Foundry dedicated a video to it. And even LTT briefly mentioned it recently.
It kinda looks to be perfect if I end up going with Fedora (it's the most recommended so far).
I didn't quite capture the intent of this sentence. My bad. Would you mind elaborating/clarifying/explaining? Apologies if I'm coming across as obtuse.
It seems to be quite new
Correct.
and I don't want to jump on just for it to be a flash in the pan.
I understand. I absolutely agree with you that e.g. Fedora's future is more certain than Bazzite's, even if the latter recently reiterated their continued support.
As I understand it though, even if it is, it's easy enough to change distros.
FWIW, the complete Fedora Atomic ecosystem (which Bazzite is part of) allows changing distros with a single command. The only limitation is that the designated distro has to be part of the ecosystem as well. So, even if Bazzite were to implode one day after you've switched to it, you could just 'rebase' to (say) Fedora Kinoite.
Others have said to not be worried about locking oneself in
Agreed.
and to just jump in and try.
Kinda. It's more nuanced, I think.
Also not a fan of "Gaming Mode" style UI but I guess I can just not use it.
Exactly. Bazzite on desktops/laptops defaults to the DE after logging in. So, as you've noted already, you don't have to use it ;).
Again, thank you very much for your detailed response.
You doubled down on the kind words. I appreciate it. Thank you for being you!
I have daily driven (a) Fedora(-based distro) ever since I started using Linux. So I'm absolutely biased towards it. However, as Fedora is a semi-rolling release distro that really likes offline updates that involve a reboot, it simply falls flat when it comes to satisfying OP's needs. They would have a very similar experience to their current one with openSUSE Tumbleweed, the very same one they actively want to get rid of.
As I noted in the footnotes of this comment, Qubes OS is technically not a Linux distro as it's based on Xen instead. But yeah, it's without a doubt the gold standard when it comes to secure by default desktop operating systems; far surpassing even Kicksecure and secureblue.
As for Tails, while its amnesiac property is excellent for protection against forensics, it's not meant as a daily driver for general computing; which was also touched upon in the aforementioned footnotes.
Thanks for the clarification!
If you trust both the source and the file, then downloading by itself shouldn't constitute a problem. Supply-chain attacks are still possible, but that's a hard problem to solve anyways. I suppose I'd only trust Qubes OS to handle that gracefully.
For general browsing, GrapheneOS folk would advise against Firefox(-based browsers). Instead, they'd recommend (something based on) Chromium. Personally, I do follow that advice. But I understand if you'd like to stick to Firefox(-based browsers).
Coming back to Linux Mint, I won't go over my (personal) qualms with the security model of the distros it's based on. But as Linux Mint offers one of the best onboarding experiences, it would be a disservice to lead you elsewhere. Become comfortable with Linux through it. And, perhaps one day, if you feel like venturing elsewhere, you can try out distros that offer better security. Thankfully, Linux Mint's OOTB security should be sufficient until then.
As for the article, everything except for the fourth recommendation is a W. Utilizing ClamAV could be cool, but it's based on a very naive understanding. You wouldn't want an untrusted file on your system in the first place. Obviously, a lot more mileage[1] is possible. But one has to learn to walk before they can run.
[1] Note that the information and instructions found on the excellent ArchWiki often work on and/or apply to other distros as well.
Yes and no.
Has it got its own set of rules you'd have to learn and thus an accompanying learning ~~curve~~ bump? Sure. Which, in actuality, is mostly just knowing that Flatseal is your go-to whenever a flatpak causes issues.
Is it a surefire method after you've become accustomed to it? Absolutely. All kinds of jankiness can prevent any piece of software from working on your system. With Flatpak, especially on distros that enable it by default, you at least know that your system isn't the culprit.
Besides, Flatpak is enabled by default on Linux Mint. The PCSX2 flatpak is even verified. So no additional setting up whatsoever is required.
What makes you wary besides what's already stated above?
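As an added example (not part of this thread, and not Flatseal's or Flatpak's own code), here is a small Python script that does the check a practitioner wants before trusting a flatpak's sandbox: it parses the keyfile that `flatpak info --show-permissions <app-id>` prints and flags the entries that effectively let the app out of the sandbox (host/home filesystem access, `devices=all`, talking to `org.freedesktop.Flatpak` on the session bus, the X11 socket). The sample permissions are constructed for the example, not those of PCSX2 or any real package, and the `flatpak override` commands it suggests assume the flags documented in flatpak-override(1).

```python
"""Audit a Flatpak's sandbox permissions from its exported metadata."""
import configparser

# Constructed sample in the format `flatpak info --show-permissions` prints.
# Deliberately loosened (as one might do in Flatseal); not any real app's manifest.
SAMPLE_PERMISSIONS = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=host;xdg-config/kdeglobals:ro;~/.ssh;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.kde.StatusNotifierWatcher=talk
"""

# Entries that dissolve the sandbox (see flatpak-override(1) / flatpak-build-finish(1)).
BROAD_FILESYSTEMS = {"host", "host-os", "host-etc", "home"}
SENSITIVE_PATHS = ("~/.ssh", "~/.gnupg")          # credentials, not sandbox-breaking per se
ESCAPE_BUS_NAMES = {"org.freedesktop.Flatpak"}    # talk access => flatpak-spawn --host


def parse_permissions(text: str) -> dict:
    """Parse the [Context] and [Session Bus Policy] groups into lists of entries."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep D-Bus names case-sensitive
    cp.read_string(text)
    ctx = cp["Context"] if cp.has_section("Context") else {}

    def split(key: str) -> list:
        # Values are ';'-separated with a trailing ';' (e.g. "x11;wayland;").
        return [v for v in ctx.get(key, "").split(";") if v]

    perms = {
        "shared": split("shared"),
        "sockets": split("sockets"),
        "devices": split("devices"),
        "filesystems": split("filesystems"),
        "session_bus_talk": [],
        "session_bus_own": [],
    }
    if cp.has_section("Session Bus Policy"):
        for name, policy in cp["Session Bus Policy"].items():
            if policy == "talk":
                perms["session_bus_talk"].append(name)
            elif policy == "own":
                perms["session_bus_own"].append(name)
    return perms


def audit(perms: dict) -> list:
    """Return human-readable findings for permissions that weaken the sandbox."""
    findings = []
    for fs in perms["filesystems"]:
        path, _, mode = fs.partition(":")   # "home:ro" -> ("home", "ro")
        mode = mode or "rw"
        if path in BROAD_FILESYSTEMS:
            findings.append(f"filesystem {path} ({mode}): broad host file access")
        elif path.startswith(SENSITIVE_PATHS):
            findings.append(f"filesystem {path} ({mode}): exposes credentials")
    if "all" in perms["devices"]:
        findings.append("devices=all: unrestricted /dev access")
    for name in perms["session_bus_talk"] + perms["session_bus_own"]:
        if name in ESCAPE_BUS_NAMES:
            findings.append(f"session bus {name}: allows flatpak-spawn --host (sandbox escape)")
    if "x11" in perms["sockets"]:
        findings.append("socket x11: X11 clients are not isolated from each other")
    return findings


def suggested_overrides(app_id: str, perms: dict) -> list:
    """Build `flatpak override --user` commands that remove the flagged permissions."""
    cmds = []
    for fs in perms["filesystems"]:
        path = fs.partition(":")[0]
        if path in BROAD_FILESYSTEMS or path.startswith(SENSITIVE_PATHS):
            cmds.append(f"flatpak override --user --nofilesystem={path} {app_id}")
    if "all" in perms["devices"]:
        cmds.append(f"flatpak override --user --nodevice=all {app_id}")
    for name in perms["session_bus_talk"]:
        if name in ESCAPE_BUS_NAMES:
            cmds.append(f"flatpak override --user --no-talk-name={name} {app_id}")
    if "x11" in perms["sockets"]:
        cmds.append(f"flatpak override --user --nosocket=x11 {app_id}")
    return cmds


if __name__ == "__main__":
    app = "org.example.App"  # hypothetical app id
    parsed = parse_permissions(SAMPLE_PERMISSIONS)
    for line in audit(parsed):
        print("WARN:", line)
    for cmd in suggested_overrides(app, parsed):
        print("FIX: ", cmd)
```

To run it against a real installation, pipe `flatpak info --show-permissions <app-id>` into `parse_permissions` instead of the constructed sample; `flatpak override --user --show <app-id>` then confirms which of the suggested overrides are in effect. Dropping the X11 socket only helps if the app actually runs under Wayland, so treat that last finding as advisory.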
I was hoping that this reply wasn't needed. In all fairness, some of the replies found on ycombinator definitely offer legitimate criticism. However, secureblue's dev team didn't just ignore all of that, as they can be found discussing on the very same thread. Since then, they've actually implemented changes addressing these concerns. For example:
Trading off possible kernel bugs against letting a whole LOT of userspace software run with real root privilege. And flatpak is a lot of attack surface no matter how you run it, and the packages have a bad security reputation.
This was raised as a good objection to some of its design choices. This eventually led secureblue's dev team to maintain twice as many images for the sake of offering images in which this was handled differently. And it didn't stop there; it has continued to output a lot of work addressing concerns both found on that thread and outside of it. Consider looking into its commit history. Heck, even some of the GrapheneOS people have provided feedback on the project.
Of course, no one dares to claim it comes close to Qubes OS' security model. Nor is this within scope of the project. However, apart from that, I fail to name anything that's better. Kicksecure is cool, but they've deprecated Hardened Malloc; a security feature found on GrapheneOS that has been heavily inspired by OpenBSD's malloc design. By contrast, secureblue hasn't abandoned it. Heck, it elevated its use by allowing it to be used with Flatpak; something that hasn't been done on any other distro yet. This is just one example in which the secureblue dev team and its various contributors have shown themselves to be very competent when it comes to implementing changes that improve security beyond trivial checkboxes.
Peeps may name other hardening projects. But the fact of the matter is that I'm unaware of another hardened Linux project that's quite as feature-rich:
- Tails; cool project that does wonderful work protecting one against forensics. But that's literally it. It's not even meant as a daily driver.
- Whonix; developed somewhat together with Kicksecure, so this one actually has put in substantial work into hardening. But, again, not meant to be used as a daily driver.
- Nix-mineral; cool project, but it's still alpha software by its own admission.
- Spectrum OS; great idea, but it's not even out yet.
Please feel free to inform me if I've forgotten anything. So, basically, if you want a hardened daily driver for general computing, then one simply has to choose between Kicksecure and secureblue. I wish for both projects to flourish, but I've stuck with the latter for now.
Seems cool, but it's unfortunate that the project doesn't seem healthy. The last commit was 5 months ago. Furthermore, its maintainer has even explicitly mentioned that the future of the project is uncertain. At least we gotta give them credit for being transparent.