Throwaway1234

@Throwaway1234@sh.itjust.works
1 Post – 49 Comments
Joined 4 months ago

Pushing aside that the last paragraph isn't as carefully written as the first, I feel very conflicted with the main recommendation. On one hand, the Linux enthusiast in me absolutely agrees with it. While on the other hand, I remember how 'second-day-on-Linux'-me (while not using any of the recommended distros for beginners) struggled hard to fight against the temptation of returning back to Windows.

IMO, if anything, we need better platforms that function as guided tours for newcomers.

so I run sudo nano /etc/default/grub

For improved security during file edits that require root access, it's highly advised to use sudoedit (or sudo -e). This method is considered the standard practice to avoid the security pitfalls associated with directly invoking editors with sudo. To ensure the use of nano with sudoedit, simply set the VISUAL environment variable with export VISUAL=nano before running sudoedit. Alternatively, for a one-off command: VISUAL=nano sudoedit /path/to/file.

Please note that while sudoedit is a safer starting point, it's not the only method available. Alternatives such as doas, doasedit, or leveraging polkit with pkexec can offer even more controlled and secure ways to manage file editing with elevated privileges. However, it's perfectly acceptable to stick with sudoedit, as it's a commonly trusted tool.

Be aware that direct usage of sudo nano or other editors is strongly discouraged. It bypasses important security mechanisms and can lead to inadvertent system-wide risks.

EDIT: changed VISUAL=nano sudoedit to VISUAL=nano sudoedit /path/to/file.

3 more...

Does anyone happen to know if bubblewrap is more powerful than bubblejail (or vice versa). Or how they differ in the first place (beyond CLI vs GUI)?

A quick search revealed that others have experienced issues that may be related. In order to disclose that this is different from the issue reported by others, please consider the following:

After updating to the latest kernel, shut off instead of reboot. After which you turn your device back on. If strict adherence to 'rebooting' like this prevents the issue from coming up, then it's likely the aforementioned known issue with the latest generation of AMD GPUs and recent kernel updates.

Please consider reporting back on your findings.

6 more...

Until now, I had been under the impression that KDE was just Arch Linux itself.

Like others have already noted, KDE Plasma^[1]^ is widely available and thus not only limited to Arch Linux. Heck, the same applies to 99% of the available software on Linux; universal package managers^[2]^ have been vital to this.

Would you happen to know a good way for me to learn more about Linux, and how to put it to good use from a beginner’s perspective?

As you already own a Steam Deck, I assume you want to look into how you may improve your mileage out of it. Others have already noted how you may do so for more traditional systems. But the way Linux is utilized on the Steam Deck is rather unique. It utilizes immutability^[3]^ (i.e. the inability to make certain (permanent) changes) which makes it rather harsh to change certain parts of the system; SteamOS' implementation might even require you to redo some of these changes every so often... which is probably not what you were expecting. To circumvent this, perhaps it's worth exploring other SteamOS-like distributions that are more friendly towards tinkerers. There are many to choose from; perhaps this breakdown may help you with making an informed decision (even if it's found on a page dedicated to the Legion Go).


  1. That is, the desktop environment (i.e. the piece of software responsible for how you visually interact with your system) that team KDE works on. They're also responsible for many other projects; like Kate, Kdenlive and Krita etc (these are often easily recognized by their names that start with a "K").
  2. We may refer to package managers as the original App/Play Stores; a piece of software used to find, install and upgrade software. For a long time, every major distribution (like Arch, Debian and Fedora) had its own repository (i.e. set of installable software through the package manager). This meant that it was very conceivable that software may be packaged (i.e. distributed and maintained through the repository) on some distros (abbreviation for distributions) but not on others. In the last couple of years, so-called universal package managers (like AppImage, Distrobox (technically this doesn't belong here, but it does allow access to packages found on (other) distros), Flatpak, Guix, Nix and Snap) have become alternative package managers that are distro-agnostic. And have slowly, but surely, rid Linux distros of concerns related to package availability.
  3. There's a lot to say about immutability. But for now, it's most important to note that not all systems that are (sometimes falsely) referred to as immutable are created equally. For example, the respective implementations for Bazzite, Jovian NixOS and SteamOS differ immensely from one another. Arguably, referring to Bazzite and Jovian NixOS as immutable with 'unchanging' being what's implied, would be a major disservice to both projects.

podman does not autostart containers after boot. You have to manually start them, or write a start script. Or create a systemd unit for each of them.

FWIW, I'm on Bluefin-dx (one of uBlue^[1]^'s images) and I've noticed that my containers autostart at boot since I've rebased from Silverblue to Bluefin-dx. Mind you; I'm not necessarily advocating for you to make the switch to Bluefin-dx, but it's at least worth finding out how they've been able to achieve that and perhaps implement their ways for your own benefit.


  1. Which are mostly Fedora Atomic images with some QoL and thus SELinux, Podman (etc.) are just baked in as you would expect.
5 more...

So I would like to ask a couple of questions:

Qubes OS (Tried it twice, not ready yet)

Is Qubes OS not ready yet for your intended workflow/usage? Or are you not ready to make the complete switch (yet)?

For me, it has been incredibly difficult to find a properly privacy oriented Linux distro that also has ease of use.

Unfortunately, in almost all cases, increased security/privacy is achieved through the loss of convenience. Therefore, you should ask yourself what the minimum level of security/privacy is that you absolutely require/need. How's your threat model defined (if at all)?

My issue with Fedora is the lack of proper sandboxing, and it seems as though Qubes is the only one that really takes care in sandboxing apps.

I agree that there's still a long road ahead until we have on Linux whatever is found on GrapheneOS or Qubes OS. I'm aware that you can technically utilize VMs on any distro, but the experience will not be as streamlined (nor as secure) as you may find on Qubes OS. But, Flatpak does offer some sandboxing. And while it may not be as powerful as you may want, and some apps may not utilize portals as they should, it's still definitely worthwhile and perhaps the best we've got currently. Furthermore, bubblejail allows you to (relatively easily) utilize (some of) the technology that's used to sandbox Flatpak apps for all your non-Flatpak apps. It can be found on Copr if you choose to stick to Fedora.

On that note, the maintainers of the aforementioned Copr package have built an interesting project for those that seek security-focused (or simply hardened) images of Fedora Atomic; (aptly named) secureblue. It's still a relatively young project, but their innovations have definitely been noteworthy and it seems to have a bright future ahead.

While we're in the vicinity of 'hardened-for-you'-distros, we should mention Kicksecure. By contrast, this is a well-established distro by the people that also develop Whonix.

Without hearing your answers to my questions, I think these two are the primary candidates. Though sticking to Fedora ain't a bad choice either.

35 more...

Thank you OP for sharing your evaluations on these distros! Everyone has their own biases, but they can still become valuable whenever more than one item/article is evaluated. Which is exactly what you've done. So kudos to you!

people are asking around about what’s the best distro for a newbie gamer

"newbie gamer" sounds cute. Did you mean newbie to Linux instead? Or perhaps newbie to Linux gaming?

Furthermore, are you also interested in a distro for yourself? Or to recommend to others? Or were you just interested in some of the distros you've been seeing and wanted to try a couple of them out?

I am highly considering using it as a daily driver.

Which would imply that you're at least (somewhat) interested in exploring a different daily driver. Are there any reasons you want to let go of your current daily driver?

11 more...

Distrobox FTW!

While distrobox works well, I am worried that mismatches in packages could cause issues.

That should not be a thing in the first place. Though, if you prefer to designate a different home folder for the distrobox container, then it's worth noting that Distrobox does offer support for that.

I agree with the general sentiment. Thank you for mentioning that!

Though, the use of sudo nano might still pose a risk if any software found on the system is either vulnerable/exploitable, not trusted, or simply exploitative. In that case, like what's achieved through sandboxing (i.e. not allowing the software to go beyond its intended scope), it makes sense to put a limit on the capabilities of the software. And to that effect, the use of sudoedit still offers merit over sudo nano.

Though, if the user doesn't (already) rely on bubblejail, firejail, Flatpak etc. for what they offer in sandboxing, and/or if said user simply doesn't care for the principle of least privilege, then the use of sudo nano is perfectly valid.
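The two comments above (the sudoedit recommendation with VISUAL=nano, and this one on least privilege) both rest on the same mechanism: sudoedit never runs the editor as root; it copies the file out, runs the editor on that copy as the invoking user, and only the copy-back is privileged, and only if the content changed. The script below is an added illustration of that copy-out/edit/copy-back flow, not the commenter's code and not sudo's own implementation; it runs every step as the current user so it can be executed offline, whereas real sudoedit performs the copy-back through sudo. The function name edit_as_user and the sample grub file are constructed for the example.

```shell
#!/bin/sh
# Added illustration of the sudoedit pattern (not from the original comment,
# not sudo's source). The editor process never gets elevated privileges; in
# real sudoedit only the final copy-back step is done by sudo as root.

# edit_as_user TARGET
#   Run $VISUAL (falling back to $EDITOR, then nano) on a temporary copy of
#   TARGET owned by the caller, then copy the result back only if it changed.
edit_as_user() {
    target=$1
    editor=${VISUAL:-${EDITOR:-nano}}

    # 1. Copy the file out to a temp file owned by the unprivileged user.
    tmp=$(mktemp) || return 1
    cp "$target" "$tmp" || { rm -f "$tmp"; return 1; }

    # 2. Run the editor on the temp copy. Because the editor runs as the
    #    invoking user, any shell or external command it spawns (nano's
    #    ^T spell-check, vim's :!sh, ...) inherits no extra rights.
    "$editor" "$tmp" || { rm -f "$tmp"; return 1; }

    # 3. Copy back only if the content actually changed; sudoedit likewise
    #    reports "unchanged" and touches nothing in that case.
    if cmp -s "$tmp" "$target"; then
        echo "$target unchanged" >&2
        rm -f "$tmp"
        return 0
    fi

    # 4. The copy-back is the only step that needs privileges for a root-owned
    #    target. cp onto the existing file keeps its owner and mode.
    cp "$tmp" "$target" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
}

# Usage (same shape as the comment's one-off invocation):
#   VISUAL=nano edit_as_user /path/to/file
```

The same property is what makes a sudoers rule such as `alice ALL=(root) sudoedit /etc/default/grub` a much narrower grant than `alice ALL=(root) /usr/bin/nano`: the second one hands a root editor (and every command it can launch) to the user, the first one only a root write to that one file. Which editor sudoedit honours can be pinned with the `editor` and `env_editor` Defaults in sudoers.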

First of all, I applaud your efforts. Making an all-encompassing guide/flowchart that is able to answer all kinds of needs that new users might have is hard and not done in just a few sittings. And it seems you're willing to iterate a couple more times until you and the community are satisfied with the end result. That's just awesome and highly commendable.

As for my personal critique, perhaps it's noteworthy that I'm not entirely satisfied with the current setup. I think the following would align better with my personal convictions on how I would assist friends and/or family with these matters:

::: spoiler (long text)

  • Step 1: Hardware probe. So, somehow establishing what we are working with as this sets severe limitations to our options. Personally I would divide this in three groups:
    • potatoes; suited to run only distros like antiX, Puppy Linux etc.
    • old(er) devices; suited to run DEs like LXQt, LXDE and perhaps even Xfce etc.
    • 'modern' devices; suited to run DEs like Cinnamon, GNOME, KDE Plasma etc.
    It's of course important to note that someone with 'modern' hardware is absolutely free to run something like Xfce if they like its design choices (i.e. offering a very stable experience that's unlikely to change for the sake of change). Furthermore, special attention would go out to hardware for which it's known that it requires special attention (like Nvidia GPUs etc). This should result in picking distros that are better suited for running that hardware (like Pop!_OS and uBlue for Nvidia), but also distros that specifically target a piece of hardware; like what uBlue tries to do for Framework etc.
  • Step 2: Investigate their intended usage and what software they would rely on. Do they absolutely need Adobe's Creative Suite? Well, then they should at least go for a dual boot or simply stay with Windows. The same would apply to any piece of software they might specifically need, but that simply does not work on Linux. Furthermore, their intended usage might be tied to their motivations for making the switch. Some of which would be: learning Linux, for Linux' improved workflow for specific use cases (programming, workflow benefits related to the use of tiling WMs, pentesting etc), privacy, reviving old(er) hardware, free as in beer, freedom to tinker to their heart's content, F(L)OSS ideology, transforming their hardware into a game console/HTPC/media-box, improved performance under some circumstances or just plain curiosity etc. Each use case comes with its accompanying set of viable distros. Of course, it's very hard to be exhaustive here. Therefore, you're absolutely forgiven for only focusing on some of the more common ones.
  • Step 3: Update cadence. Some people hate updates with a passion, or only tolerate security ones. Others simply want the latest and greatest at all times. Simultaneously, some may want said updates to occur automatically in the background, while others want deliberate control in that aspect. Lots of different distros exist with lots of different approaches to how updates are handled. As updates are our primary suspects whenever breakage occurs, it's therefore vital that the update cadence is aligned with the user's preferences. Hence a distro should be chosen accordingly.
  • Step 4: Priorities. Security vs convenience. Blank slate vs sane defaults. Control and responsibility vs 'managed'. Learning platform vs consumption platform. Means to an end vs end in itself. Performance vs stability; these two aren't mutually exclusive to each other, but help in determining what the user finds important. Furthermore, ideally these should not be binary choices but allow steps in between the two ends. Finally, each of these choices should also be weighed against one another. Like, if someone highly values security over convenience and believes this choice is a lot more important to them than all of the others, then they should definitely consider Qubes OS for example. Similarly, other conclusions could be made based on a different evaluation etc.
  • Step 5: Desktop Environment. Based on the earlier questions, only a handful of distros should remain or perhaps it's even somewhat expected that just a specific distro remains. Regardless, most distros allow different desktop environments to be installed and thus a choice should be made between the different available options. In the case of desktop environments, one should just try out the available ones until a decisive choice can be made. Switching later on is fine anyways.

:::

Having said all of that, whatever is mentioned above is a lot more involved than what you have currently. Therefore, I wouldn't be surprised if you would deem most of it out of scope.

Moving on to the actual critique:

  • While I (somewhat) understand why you've tried to tie one's preferences in earlier used OSes to a potential desktop environment they might like, I do think that this might set new users up for false expectations. Therefore, I would propose to not even go there. If you want them to make a conscious choice on the desktop environment, then perhaps implore them to boot a live USB environment in which they can explore it themselves. The only important thing to note would be that in all cases customization is allowed and thus they shouldn't necessarily abandon a DE for a minor issue as it's most likely easily solvable.
  • If this gets good (and it certainly has the potential), then only the flowchart itself will be shared while the accompanying text might be disregarded. In hopes of ensuring that others also read the accompanying text, consider either (somehow) including the text in the image of the flowchart or including a link to the text and ensuring it's easily found and one is somehow able to easily access the text through the link. This might even require a shortened custom URL that redirects to the text. The exact specifics are obviously up to you though.
  • I can't agree with the inclusion of both Pop!_OS and Vanilla OS. Don't get me wrong, the potential is absolutely there. But both are currently in a major overhaul and need at least one or two proper releases to mature. Expecting new users to either start with the 'abandoned' old release which they might have to abandon themselves when they move over to the (eventually) matured new release or start with (at best) beta software that may come with a lot more trouble than worthwhile is IMO irresponsible.
  • I got a ton of smaller (personal) nitpicks, but most of those are related to scope and/or preconceived notions and therefore not worth mentioning here.
3 more...

Thank you for your elaborate answers!

Qubes OS has a very steep learning curve due to its difficult usability, so the answer would be “both”. I am willing to tackle and overcome, but I’m not ready to put in that work yet, if at all.

Qubes OS is definitely more involved than the average distro, so I can understand why you feel that way.

I have a really funny story regarding threat models. When I first got into privacy 2-3 years ago, I had the goal of getting as deep as I could (the “strictest threat model possible”) and work backwards to find out what I was willing to allow.

Hahaha 🤣, very relatable; I almost wanted to learn SELinux for hardening purposes. Thankfully, Qubes OS exists as my endgame, which deterred (most of) the motivation (and need) to comprehend SELinux in the first place.

I have a “subconscious” threat model. I have, over the past week, started working on answering the classic questions. I am trying to protect against “evil” corporations, and such, I must also protect myself against some low level government threats. My threat model “philosophy” is: I will not use a piece of software if it actively goes against me in terms of privacy. Windows, for example, is a pain to try to use while maintaining privacy.

We can work with that, though I kindly implore you to further work out your threat model. It will(/should) give you some peace of mind (or at least a security/privacy roadmap on which you can (slowly but steadily) work towards). If I would have to distill your philosophy, it would be something like "be protected from attacks targeted towards low(er) hanging fruit". Would that be fair?

You are the third person to recommend SecureBlue (I’ve been keeping track), and since it is a “Fedora Atomic spin” (Fedora Atomic as well as Atomic distros in general were also recommended three times each), I believe I will switch to it to see how it is.

Great choice! FWIW, I've also been on it for a couple of weeks now and I've really been enjoying it. Before, I had my own custom image that was built using the (legacy-)template from uBlue. I tried to harden it myself 😅, and I would argue I did and achieved some cool stuff with it. But, it's very clear that my technical knowledge doesn't even come close to that of secureblue's maintainers. I just wish I had rebased earlier 😅.

By the way, I love the mention of GrapheneOS, since that will eventually (finances be blessed) be my main mobile OS

I definitely agree with that sentiment. Btw, FWIW, I know for a fact that at least one individual that's associated with GrapheneOS has 'contributed' to secureblue.

I wish there was a true “Linux alternative to GrapheneOS”.

Hehe, without going into what that actually means and would entail, I agree 😜.

33 more...

Which one(s)

Unsure if distrohopping the dualboot counts, but if it does, then the following was my path (note that after Fedora Silverblue was installed, it remained on the system; the two distros in between the two Silverblues were dualboots):

Fedora Kinoite -> Fedora Silverblue -> EndeavourOS -> Nobara -> Fedora Silverblue

why?

I started with Fedora Kinoite after spending 1-2 weeks on gathering information on distros. During the research-phase, I learned what distros are, their components, how to analyze the differences between distros, which components are ultimately more beneficial for me and thus slowly but surely the distro that would suit me best started to take shape.

My switch to Linux was on the basis of privacy concerns and Windows 10's mishaps on my laptop were what pulled the trigger, which in retrospect were probably caused by hardware faults. Regardless, as privacy was my main concern, security became paramount; as there's no privacy as long as access to your data is not secured off. Therefore Qubes OS, while not necessarily a Linux distro, would have been my first choice. But, unfortunately, my system wasn't capable of running it.

Therefore, I had to settle with something else. As my endgame is Qubes OS, I wasn't very interested in getting into the nitty gritty of Linux for the virtue of hardening it. Instead, I opted to rely on a distro that would do the heavy lifting for me. Such a distro wouldn't only have to be known for taking security very seriously, they also required an excellent track record. As such, I landed on Fedora, Kicksecure and openSUSE. Other projects that are known to take security seriously like Whonix and Tails aren't suited for general use. Furthermore, they're ideally used in conjunction with another system; Whonix as a VM and Tails accessed on a USB-stick whenever you require an amnesic operating system.

Choosing between Fedora, Kicksecure and openSUSE was hard based on these criteria only. The third and final criterion to seal the deal was atomicity. Like I mentioned earlier, my laptop had issues; it could randomly turn off. So I needed a robust system that could handle such disturbances and not die in the process. This is where the aforementioned atomicity comes into play; this ensures that the system either updates or not; no in-between messed up state due to a power outage or whatsoever. At the time, only Fedora had a somewhat mature system capable of atomic upgrades; namely Kinoite and Silverblue. The differences between these two were about their respective desktop environments. I hadn't experienced either of the two previously, but went initially for Kinoite for how KDE Plasma reminded me more of what I was already used to (i.e. Windows).

Fedora Kinoite came with its set of troubles. It was still a relatively young project; it was the first release in which it was officially supported. As I knew how easy Fedora's Atomic distros made switching from one base to another, I just rebased to Fedora Silverblue with the rpm-ostree rebase fedora:fedora/35/x86_64/silverblue command and went on with my life 😜.

After this came the honeymoon-phase and I was really positively surprised by how well everything was going. From all the things I had done for the sake of privacy, switching to Linux was (and still is) my favorite. But as I was ever expanding my Linux workflow to include everything I did on Windows, I happened to reach a (seemingly) insurmountable obstacle; Davinci Resolve. No matter what I did on Fedora Silverblue, it was always less performant compared to Windows; which in retrospect seems to be related to the fact that Davinci Resolve requires a dedicated GPU on Linux (though some workarounds do exist). In hopes of resolving this issue, I tried to install Arch as a dualboot. As this was pre archinstall, this was a miserable experience. And after a few tries, I still wasn't content with what I got and instead opted to install EndeavourOS.

EndeavourOS was pretty cool. I already liked what I saw from Arch within Distrobox and EndeavourOS was able to deliver an excellent experience (at least initially). Davinci Resolve worked better here than it did in Fedora Silverblue. And it was overall a pretty snappy experience, so I returned to it occasionally for other things (like gaming) as well. Until..., one day..., it just stopped working 🤣. Perhaps I could have done a better job by installing Snapper/Timeshift, but I didn't and didn't care enough for it to reinstall...

Of course, the departure of EndeavourOS did leave behind a void, so eventually I tried Nobara as I believed it might be capable of providing a similar experience. And I did like it, though not to the degree of EndeavourOS. Eventually this one also passed out 🤣.

Currently, I've just dismissed the idea to run Davinci Resolve on Linux and I'm happier ever since 😜. For better performance during gaming, I've since been resorting to bazzite-arch and Conty. While performance shouldn't be as good as native CachyOS or other highly optimized gaming distributions, it's more than fine as is and the sub 5% performance/fps I'm missing out on is not worth it for how much more convenient my current setup is.

FWIW, I do see myself utilizing Gentoo and NixOS in their designated qubes whenever the switch to Qubes OS occurs. But until then, I'm making the best out of Fedora Silverblue.

Thank you for the write-up! I liked it overall. Perhaps consider having like a day in-between proofread sessions. This might have alleviated some passages for which I currently hold some minor nitpicks. It's clear that you've written it with care, but -at least in my case- I notice that my proofreading skills (somehow) are a lot sharper the next day (or something).

VSCodium wouldn’t see that I’ve installed the languages I did, nor find my font (Geist Mono Nerd Font).

Assuming you had VSCodium installed as a Flatpak, perhaps the pointers found in this excellent blogpost could help out with that. FWIW, I succeeded with a similar endeavor without installing the IDE in the Toolbx/Distrobox.

But then again some people use things like Homebrew and pacstall unironically so …

Thank you for mentioning this! Unfortunately a quick search on the internet didn't yield any pointers. Would you mind elaborating upon the security problems of Homebrew(/Linuxbrew)? Thanks in advance 😊!

2 more...

My number one enemy (like most) is Google. I have been completely Google free for 1-2 years now (with the exception of YouTube on iOS, as the alternatives ultimately require a Mac to install, which I don’t have), but I haven’t used Google as a search engine in over 4 years. Besides trying to give as little information as possible

...

I also try to give as little information to other companies (Microsoft, etc.) as I can. Now, certain authorities have the permission to request data from companies, not just privacy disrespecting ones. That means that part of my threat model entails certain defenses against such agencies, to make it hard enough to correlate that data with my person. I don’t go overboard, in case anyone is worried. I’ve seen the bondage between paranoia and privacy, and I’ve set myself clear boundaries I won’t cross. So, my main goal is to protect against companies trying to collect my data (bleh, how cliche), but it doesn’t hurt to put in place some decent practices in case the world turns for the worst. I am protecting against attacks from the government towards low hanging fruit, but when it comes to large corporations, I don’t play nice.

Thank you for the elaborate clarification! But, perhaps I have to clarify as well; with "be protected from attacks targeted towards low(er) hanging fruit", I actually meant any mass-surveillance, data collection and plain attacks from governments, corporations and adversaries that don't qualify as a (more sophisticated) targeted attack.

SecureBlue (Soon!)

Great pick! 🤣

ProtonVPN on all devices 24/7 except when using Tor (for speed)

I don't know the complete specifics of your threat model, but if you haven't yet, then perhaps it's worth reviewing what Privacy Guides has to say on this. Note, I don't necessarily view them as the de facto authority, but more often than not, their views hold more truth than falsehood.

or large downloads/torrents

Valid reason to (momentarily) not use Tor, but please consider reviewing Proton VPN on port forwarding in hopes of alleviating the issue of speed without foregoing the VPN connection.

(may look into Mullvad VPN)

Unfortunately, at least for torrents, you're no longer able to rely on Mullvad VPN.

Firefox for streaming some videos that require a specific DNS configuration (Soon looking into how to put an extreme sandbox on it)

Easiest (and also one of the best options) is probably the use of a VM 😅.

ProtonMail + Anonaddy, use disposable emails for accounts that “don’t matter”

FWIW, since SimpleLogin has been acquired by Proton, there is merit in forsaking Anonaddy for SimpleLogin if decreasing the amount of trusted parties is desired. However, this comes at the cost of moving more into the direction of putting all your eggs in one basket. So, ultimately, it's your choice to make.

Very, very strong and unique passwords + 2FA/FIDO for everything applicable

I hope an offline password manager is involved to some capacity. FWIW, if you're not doing it yet, you can always uniquely 'salt' every password.

Signal as my main messenger (to help bridge the gap for my friends) until GrapheneOS, then SimpleX (Please take a look at https://privacyspreadsheet.com/messaging-apps !)

I like that SimpleX is less platform-dependent. But it has been hard to let go of Briar. Do you happen to know how they currently fare against each other in security/privacy features (beyond what's found on the linked spreadsheet)? FWIW, IT security expert Mike Kuketz' review of SimpleX wasn't quite raving. Which is in clear contrast to his review on Briar. Of course, substantial time has passed since, but his 'non-approval' is something that's bothering me.

Bitwarden as my password manager until GrapheneOS, then KeePass

Ah, we've found the password manager, KeePass (be it DX/XC) is indeed excellent.

11 more...

so idk why but apparently silverblue and bazzite are very difficult to dual boot. I feel like I’ve tried everything the internet has to offer.

https://lemmy.ml/comment/6941765

I really don’t know. I’ve been using Ubuntu for so damn long now that it’s just comfortable to work with. I know all the dpkg and apt commands by heart and I know where to find everything when I need to really customize my system. Plus they have great support for 3rd party drivers for things like NVidia which is great. But, I’m really wary about the whole telemetry thing and sending package and usage data to Canonical. Plus, they’ve been pushing snaps pretty hard to a point that they sneak snap packages instead of installing the actual deb package when using apt. I don’t like being forced into using things like that without my express consent. So, yeah I’ve been thinking of switching.

Thanks for the excellent elaboration! It's almost sad to see how the great have fallen... And I'd have to agree with most of your thoughts. Ultimately, it's your choice to make. But if I'd have to share my two cents, then I would say:

  • Even if you're positive on departing from Ubuntu, you don't have to forsake it for something entirely different; which is where I would put any non-Debian-based distro (which includes EndeavourOS).
  • There are a lot of distros that are based on either Debian or Ubuntu which should be able to remind you of the good ol' Ubuntu. Besides Elementary OS and Pop!_OS, there are other popular picks like Linux Mint and Zorin OS. And we haven't even mentioned the likes of KDE Neon, MX Linux, Rhino Linux, SparkyLinux, SpiralLinux, Tuxedo OS, Vanilla OS etc or heck, just plain ol' Debian itself. I think as long as it's Debian/Ubuntu-based and your favourite Desktop Environment is well-supported, then it's at least a distro worth considering.
9 more...

Thank you Jorge for chiming in!

KDE Neon is indeed an excellent distro if you like KDE Plasma. I would love to read your findings/evaluation on that 😉!

5 more...

Yeah, I saw that you had shared the https://blue-build.org/ website a few days prior. But, to me at least, the "Introducing BlueBuild" blogpost seemed more like a proper announcement/introduction compared to the default website. And it has only been published since 2024-02-25, so only after your post 😉.

Computing practices (like installing packages from trusted maintainers and the deliberate use (through filling in passwords) for granting privileged access etc.) on Linux are different than on Windows. This already ensures that -simply by the virtue of using Linux as it's intended- a Linux user is protected from complete classes of attacks.

Furthermore, the average Linux user is a lot more computer savvy compared to the average Windows user. And I haven't even mentioned the focus on FOSS, the security benefits through obscurity etc.

Of course, Linux isn't impenetrable. In fact, one might argue that its security frameworks on desktop are lacking compared to macOS and perhaps even to Windows (S mode).

Nonetheless, Qubes OS (i.e. the world's most secure desktop OS) heavily relies on and utilizes Linux to do its bidding.

To conclude, there's a lot of nuance to secure computing on Linux. But as long as its user (i.e. the biggest attack vector) holds on to best practices, it should be more than safe. Unless..., you seek protection against sophisticated adversaries and their targeted attacks. At that point, I wouldn't trust any desktop OS besides Qubes OS anyways.

Was the restart due to annoying OS features (e.g. Windows used to restart immediately without asking, iOS restarts if your phone is locked and it’s night time, etc.)

Actually, I am not sure why it happened 😅. It was connected to the charger and I didn't do anything that would otherwise be a direct cause of the phone shutting off. To be honest, I don't recall it ever happening before 😅. Kinda spooky... Or just technology being derpy at times 🤣.

No, I’m just blind :,) I found it now

Hahaha, glad to hear that you found it!

Edit: Here it is!

Thank you!

Until the Rexodus (by the way, I’m apparently the only one to call it that. Please, people, it’s such a good name!),

I'd argue that Rexxit is just plain better 😜.

I had simply kept current with every post on r/privacy. I had occasionally read a few old posts, but it was mostly just keeping an eye on what the community was posting about and reading the discussions to learn as much as possible. I have a few old screenshots, like from this post and this one, but besides that it was just miscellaneous posts.

Thank you for the answer! I started out following r/privacy diligently until I noticed that my threat model didn't quite align with some of the more common echo chambers found there. To be more elaborate; it seems as if I was more absolutist when security was concerned, while the community was more absolutist when privacy was concerned. To be fair, it's r/privacy, so it makes sense for it to be that way. Though I had hoped that security wasn't treated like a second-class citizen; at least that's how I felt*. Regardless, it seems that I've missed some gems along the way. Hopefully I will be able to catch up.


Thank you for the great reply! I think I will be paying more attention to c/privacy going forward. Btw, how is secureblue going?


Aight. Feel free to inform me whenever you stumble upon something on secureblue which you may have questions about.

I am aware that Homebrew has become the go-to solution for installing CLI applications on Bluefin. Which is exactly why I feel compelled to ask the question in my previous comment.

Btw, I don't really understand why you felt the need to share Jorge Castro's blog post on Homebrew? AFAIK it doesn't go over any security implications. Sharing the article would only make sense if Jorge Castro is regarded as some authority that's known to be non-conforming when security is concerned. While I haven't seen any security related major mishaps from him or the projects he works on, the search for the CLI-counterpart to Flatpak seemed to be primarily motivated by facilitating (what I'd refer to as) 'old habits'; which is exactly what Homebrew allows. It's worth noting that, during the aforementioned search process, they've made the deliberate choice to rely on Wolfi (which is known for upholding some excellent security standards) rather than Alpine (which -in all fairness- has also been utilized by Jorge for boxkit). IIRC, people working on uBlue and related projects have even contributed to upstream (read Distrobox) for patches related to Wolfi. So, there's reason to believe that the uBlue team takes security seriously enough to work, contribute and deliver on more secure alternatives as long as it doesn't come with a price to be paid by convenience. Which, in all fairness, is IMO exactly what Homebrew is used for in the first place (besides their recent utilization of technologies that have similarities to the 'uBlue-way' of doing things)...

Alright. Thank you for reporting back!

Uhmm..., so, the good thing is that it's reproducible, a bug report has already been issued for it and should (therefore) eventually get a fix in upstream. The bad news, however, is that you may experience the same issue on every other relatively bleeding edge distro until then... But, there are two ways around it:

  1. Just reboot by shutting off 🤣.
  2. Or..., switch to Nobara. Some users reported the bug to its maintainer and they've fixed the issue on Nobara since. It's conceivable that the fix may already be found on other distros as well, but it's definitely fixed on Nobara. Thankfully, Nobara is based on Fedora. So you shouldn't feel too far away from home ;).

This looks awesome, but it only works for Fedora based distros, right?

Currently, it's indeed only for Fedora based distros. But there already have been efforts to make it work with Vanilla OS. And I assume that similar endeavors might occur if other image-based distros are provided. I wonder if such efforts are in the works for blendOS (an atomic distro based on Arch).

I want to make my own Arch ISO, all I found was very complicated stuff.

I don't know what your exact use case or intended usage of it will be. But, perhaps, penguins-eggs is what you're looking for.

Fair, although didn’t GNOME Boxes have some sandboxing issues?

Could be; I simply don't know. Do you recall the exact issue?

I even dedicated a specific pen for it!

Is it something fancy?

On a related note, take a look at this

TIL. It's definitely neat. Thank you for that!

Once I get an Android phone, I will try out Briar (because I am obsessed with the idea). I personally reached out to SimpleX regarding the spreadsheet, and the response I received back outlined that SimpleX pads the encrypted messages both during transit and in cold storage, which they said a lot of other messengers don’t do. A comment on the original post for the spreadsheet mentions that the spreadsheet doesn’t outline which services route through Tor (which Briar does, of course). The spreadsheet is very thorough, and SimpleX is still a relatively young project, so I don’t have much I can say. I’ve tried using it on iOS, and my friend and I both agree it’s terrible to use sometimes due to lag and choppiness. I currently testflight the app, but still no change. Either way, if you want, you can use SimpleX’s built-in support chat if you want to reach out to the team yourself. They are very friendly and don’t talk like a CEO, but there can be a delayed response.

Thanks for the elaborate answer!

One related note, KeePass on Tails is outdated for some reason. Have any idea why?

If I would have to guess, it's probably because its respective package found in the repos of Debian is outdated. As Tails is based on Debian, it makes sense for them to continue to rely on Debian's packages as is and only backport security updates. Unfortunately, most of the established distros that are known for taking security, privacy and anonymity very seriously (i.e. Kicksecure, Tails and Whonix) are based on Debian; known for being stable, hence older packages. The exception, Qubes OS, has Fedora 37 (which has gone EOL since last December) in dom0. Though, in Qubes OS' defense, dom0 is (by default) not directly exposed to the network. And in general it is just really fortified; I can't imagine anyone but state level threat actors getting through that as long as one upholds best practices. Furthermore, the qubes are as modern as you'd want them to be. So, within those, the desired up-to-date packages can be acquired. Regardless, unsurprisingly, Qubes OS' approach is (simply) strictly superior over the others.

I have never once had a cellular provider, which to me has been the biggest privacy boost since burning Windows at the stake.

Very interesting! Is it what's elaborated upon in this video? If not, would you mind elaborating?


Librewolf has a nice build pipeline, I created a PR to just support replacing the malloc, that would be the easiest and best solution.

That's very neat! Hopefully it comes through!

Then fedora firefox and librewolf would allow that, only flathub firefox missing really. Replacing the malloc is a very unsupported case for flatpak though, as the apps should be OS-unspecific.

But even with the ability to replace malloc, isn't Firefox still vastly inferior compared to Chromium if security is desired? Or are they actually operating in close proximity to each other in terms of security features?


Chromium is just horrible to use.

Hard agree, except for PWAs; those at least work on Chromium-based browsers.

But honestly, it's just very unfortunate that the closest we have to an ungoogled, secure, private and anonymous web browser is particularly platform-locked; I'm indeed referring to Vanadium.

On the desktop side of things, it's just a mess; at least in my opinion*. I guess our best bet would be like running Tor Browser or Mullvad Browser in a disposable qube on Qubes OS 🤣. Furthermore, it would have to be connected through their respective network of choice; be it Tor network (and/)or VPN. And, ideally, without additional configuration changes to blend in as much as possible. Which comes down to foregoing your favorite extensions and even not maximizing the app window.

*sigh*, such a drag...


Preface: this is written with less care than I usually do. I was writing one of my usual replies, but my phone chose to restart while the text was being written in its browser.

No, sorry. Some Reddit/Lemmy commenter.

Np. FWIW, I'm using virt-manager anyways.

No, although invisible ink would be somewhat cool.

Definitely! Thanks for the inspiration!

Have any ideas for a “password pen”?

Unfortunately not. I have been completely reliant on KeePass* plus the aforementioned ('algorithmic') 'salt'. But I think a password card and/or invisible pen is definitely worth exploring for passwords I don't use daily. So, once again, thank you for mentioning those!

You can also thank whoever on privacy@lemmy.ml posted it (I wish there was a search box…)

Was that rhetorical 😅? I actually found the (presumably) original poster through the search capabilities found on Lemmy.

Yikes, any reason for that?

For a complete answer, let's go for a trip back in time. Qubes OS' alpha release happened in April of 2010. The Linux landscape was vastly different then from how it is today. But, regardless, out of all possible options, a distro would have to be chosen for dom0. And, while none of us has the capability to look into the future, the chosen distro still had to be future-proof (i.e. not be abandoned any time soon). The second criterion was that it should be close to upstream (i.e. not a distro with outdated packages and kernel) for the sake of hardware compatibility (the very same reason for which Linux Mint has recently launched its Edge release). And, on that note, be excellent in terms of hardware/device support. Out of the then prevalent distros, Fedora simply fit all criteria best; Fedora being the community-driven distro to industry giant Red Hat definitely played a huge role. And, in retrospect, it's undeniable that picking Fedora was (and still is) a great decision. Honestly, I can't even think of a better pick... Which is (perhaps) better understood by answering the second question; namely: Why Fedora 37 and not Fedora 38 or Fedora 39? Both of which were already released, while Fedora 37 had just gone EOL. For that, we need to understand that Qubes OS actually does allow the installation of select packages in dom0, even if it's regarded as a feature that only more advanced users should look into. As Qubes OS is (by default) a sensibly secure desktop OS, it only makes sense that they have to ensure that packages installed on dom0 are 100% safe and secure. But Qubes OS doesn't want to waste resources on checking the security integrity of a moving system (i.e. a non-stable/non-EOL release). Thus, by necessity, it has to resort to an EOL release for Fedora.
Going back to them picking Fedora in the first place; if we add the criteria that user repositories are undesired and that security should be handled very seriously by the maintainers, then Fedora was and still is the distro to pick.

More backstory time! I have never used a cellular carrier, and only watched that video about a month ago (because it didn’t exist prior). The first part of my life was spent electronicless (because kids really shouldn’t have phones… look at me now mom, I’m talking to strangers on the internet by routing through a global censorship circumvention network!). The next part was spent somewhat disconnected, only had access to a non-mainstream social media (it has since been merged with another one made by the same company, and became paid. Capitalism.) through WiFi + never went out much. I then finally had unrestricted access, but still never went out much. Then I started to go out much more, and the places I went to didn’t have WiFi. That, in turn, led me to take up network hacking as a hobby. I never managed to hack the network in question (WPA2-E).

Thank you so much for the elaborate answer!

Finally, I got my first job around the same time I learned about privacy. That meant I had the money to get a cell plan, but I had the knowledge to know why that was a bad idea.

I thought I was well integrated into the privacy communities. But it seems that I was wrong; for I was unaware of the specifics until Naomi's video. Would you mind sharing blogs/sites etc that you find exceptionally useful for finding out about these things?

It’s funny, my mother recently called me because she was stressing about trying to find me a carrier (apparently?) and started saying “Your sister offered to add you to her plan if-” and I told her “I don’t want a carrier, but thank you!” and she said “Oh… Well that solves that problem.” and looked very relieved.

Hehe, 🤣.

Edit: I guess your question is asking ultimately why I don’t want a carrier, and it is due to the points that were also brought up in that video, yes.

Thanks for the clarification!


Those are just Firefox. Using some other routing doesn't improve security.

Never said or implied they were. Security is achieved through

Tor Browser or Mullvad Browser in a disposable qube on Qubes OS

Tor and Mullvad are only preferred for the sake of anonymity as every user runs the exact same config on the same type of network.

Vanadium might be degoogled and not send critical platform data, but it is not fingerprint resistant afaik.

Hmm, you might be right. TIL. Thank you! Somehow, I was having high expectations for it... *sigh*

On mobile, browsers can't really be that though.

Do you happen to know why that's the case?

On Desktop there only is ungoogled Chromium which is a beginning. But especially secureblue doesn't use it for some reason.

If I recall correctly, ungoogled-chromium has (at least in the past) been slacking on security. Don't know if that's still a thing though.


Run on boot is easy if you run containers via systemd; if the service is enabled it auto-starts on boot.

TIL, thank you for that insight!

If disabled, then you start it manually.

That's the peculiar part; some of the containers I've had since I was on Silverblue, but back then they never autostarted on boot. Just (relatively) recently, since the rebase to Bluefin-dx, have I experienced that all of the containers -so even the ones that existed prior- autostart on boot.


Same for me, with the addition of me being a people-pleaser. I already have to select which voice I listen to, since there are hundreds of different ones contradicting each other.

Very commendable! I hope you can remain positive and optimistic. Unfortunately, I've stopped caring much for others' opinions. I hope I'm wrong; but to me most people that engage in these topics somehow lack knowledge, are not very intelligent or are just plain ill-informed/misinformed and obnoxiously oblivious to how wrong they are. This doesn't mean that others' opinions/views are de facto wrong, but I try (as hard as it sometimes is) to assess/evaluate ideas based on their respective merit(s) rather than how often they're voiced or how popular they are.

Fedora Atomic has matured heavily, and I think it is perfectly usable, both in terms of reliability and availability.

Absolutely. I find it hard to recommend other distros, unless something specific is sought after that's either very hard or plain impossible to materialize/accomplish on Fedora Atomic.

It’s just that it is quite different from other distros, especially when you want to install apps. For newcomers, just telling them to go into the software center and selecting the apps to install (via Flatpak) is perfectly enough. It only gets a bit more complicated when they want more and have to turn to the CLI (e.g. Distrobox).

Paradigm shift for sure. Curiously, I'd argue the average Android/iOS-user should be fine with only resorting to the software storefront. So in a sense, non-Windows/Linux users might have it easier on Fedora Atomic 😅. Simply for not having (false) preconceived notions on how something should work/function.

Thank you for the reply!

I’ve tried rebooting it like that.

And..., what's the result? Does the problem persist? Or is it resolved? (Under strict adherence to rebooting as described*)


Thank you for your elaborate reply 😜!

The guide is mainly meant for exactly this kind of new user, who are perfectly fine with either Fedora or Mint. I excluded edge-cases, like QubesOS, completely on purpose, as this should be consisting of only 2 (or so) distros with different DEs. This should make 80% of exactly those posts redundant. If someone wants a “non-normal” distro, they can still of course feel free to ask.

I agree that it makes sense to start with tackling the problem in a way compliant with the 80/20 rule; i.e. 20 percent of the work to deal with 80 percent of the cases. I'm perhaps too much of a (wannabe) perfectionist/tryhard, which is why the process described in my previous post was a lot more involved and (perhaps) therefore more utopian/idealist than realistic. Perhaps I've even alluded to this a couple of times 😅.

I thought about using Sozi as a tool to achieve that. I have to research tho how to make a website first. My idea was to keep the exact structure of the chart, but when you zoom in a lot to the distro, you get the description.

Great idea! FWIW, perhaps an interactive map with pop-ups may be utilized to that effect. Though, there's plenty to consider here and a lot of ways to do it justice. I trust in your capabilities to achieve that splendidly.

I see VanillaOS as a great competitor to Mint, especially for people who want something of a managed and simple experience, while also being capable of doing normal PC stuff. I see VOS 2 as “stable” enough in just a few weeks, there’s mainly only some polishing and fixing in newer under-the-hood stuff, but the surface-stuff is already fine.

I haven't installed the beta of its Orchid release yet. So, hopefully my gut feeling is just wrong. Ironically, the first time I installed a relatively immature version of an atomic distro (Fedora Kinoite, but like its first release (so Fedora 35 at the time)), it was a very bad experience and I rebased right away to Silverblue and haven't looked back since 🤣. Hopefully others will not be stung by VOS 2, like how I was stung by Kinoite.

It’s mainly about preference, if one likes a simple UI or prefers traditional workflows. How can I make that more clear?

By not naming any of the associated operating systems, but instead opting to distill their respective workflows in plain text. I'm very aware that this is pretty hard without spending way too many words on their descriptions. Therefore, perhaps it's worth exploring if the 'intended workflows' of the different DEs might be (screen) captured and displayed as gifs. Obviously with the caveat that the 'intended' isn't forced upon them and that they're free to change them to better suit their needs.


Yeah, know that deleting post fun. Jerboa is very good at recovering them.

TIL about Jerboa. Thank you!

If you use your GPU that model is fingerprintable through WebGL stuff. There is a Firefox addon that spoofs random values though. Same for screen size.

IIRC, so-called 'naive scripts' will indeed be spoofed. However, it has been shown at great length that JavaScript is not even required to acquire screen size in the first place. Furthermore, methods that rely on badness enumeration are deemed inferior.

Secureblue does not implement privacy over security, but if patches make a browser stay just as secure I think that would be fine.

That would require someone to put effort into showing that ungoogled-chromium is at least as secure as Chromium. Is that even established in the first place?

The thing is, for example we had some arguments about manifest v2 extensions (which can download stuff they then use, i.e. no control by Google and thus “less secure”). If Chromium does things like Connect to Google for security stuff like Safe Browsing, this will totally not be removed.

Perhaps the desire to minimize attack surface is what's been decisive.

Secureblue is not GrapheneOS either. It is just a (huge) compilation of patches and patched images. Basically every Desktop with Wayland support, currently 86 (!!!) images.

Surely, it would take a lot more effort to get it to GrapheneOS levels. However, I don't find any fault with the desire to be inspired from GrapheneOS' methods and implementations.


Thank you for reporting back 😊!

Thanks for the conversation! 😊

Yeah for sure the not-badness-enumeration approach would be to not use the GPU and set a defined screen size and pixel density.

Hopefully one day.

Ungoogled Chromium is likely less secure; no. 1 is to have regular updates.

Agreed.

With CI/CD those patches should be applied automatically. Would be a cool project but not for me, I prefer Firefox.

Hehe, fair.