Thank you for chiming in and providing your thoughts!
While we're at it, I absolutely appreciate your work. Wonderful stuff! Thank you from the bottom of my heart!
UKI is something we very much want to do in the future, but it’s a long-term goal
That's lovely to hear!
As far as replacing the init system, I think even in traditional Fedora that would be extremely challenging, but it could probably be done as a custom image.
Aight. I'll change the list then. Thank you for enlightening me on this. The feasibility as a custom image is really encouraging; perhaps I'll give it a go 😜.
Bazzite seemed much closer to being truely immutable
If you meant that it's even harder to tinker/change/configure etc compared to SteamOS, then I'd like to inform you that this is false. Fedora Atomic, and thus Bazzite, facilitates quite a lot actually. Of course, it's not as moldable as say Arch or Gentoo. To illustrate this, I won't bother you with all the things it can do. Because that would take a while. Instead, I'll only focus on the things it actually can not do. On the top of my head, the following comes to mind:
Rip systemd out and replace it with another init, but I'm unaware if traditional Fedora even facilitates this to begin with.Bazzite's founder came by and corrected me on this. Even this is probably possible as a custom image.- UKI
- Setup systemd-boot (or any other bootloader) instead of GRUB
- Kmods can be hit or miss; what's found here is accessible. What remains can be very finicky.
- 3rd party repositories can be hit or miss; for example, both Terra and Tailscale work, but e.g. ProtonVPN may not.
Intially looked at Bazzite, which seemed great other than I wasn’t a fan of it immutability, I’ve had to remove the read-only property from my steam deck a few times.
Fwiw, Bazzite handles its 'immutability' vastly different.
Ah, I get what you mean now by inflammatory statements
Actually, it wasn't me that said that 😅. I do find it in jrgd's reply, though.
Though interestingly, I didn’t feel my comment was very inflammatory and it got downvoted too. 😅
For the record, I also didn't downvote your comment 😜. Though, looking at how well-received my previous reply has been, I can't ignore the possibility that peeps that agreed with what I said also chose to downvote your comment.
I was looking at it more from just a standpoint of systemd itself
Sorry, I don't think I completely understood you here.
just looking at it from the standpoint that fedora and rhel can tend to be industry leaders for change.
I absolutely agree with you that Fedora and Red Hat are very effective agents of change. So yes, if they would get behind an alternative for systemd, then that would definitely get traction.
if RHEL and Ubuntu together made
Has something like this ever happened in the past? I can't recollect a collaboration of sorts between these two entities. If anything, they seem to be at odds with eachother: Mir vs Wayland, Snap vs Flatpak and even Upstart vs systemd. Though, at least so far, Red Hat holds an impressive winning track record.
I think we would see that move downstream.
Absolutely. But, and this is my inner-systemd-skeptic talking, systemd is ridiculously intertwined with the current Linux landscape and often times new updates even show a glimpse of how much more intermingling we'll get in the future. I hope we'll eventually get something to systemd like what PipeWire has been to PulseAudio. That's why development into alternatives like dinit and s6 is of utmost importance.
As far as my use of the term bloated, I’m looking at it strictly from a standpoint for the amount of code that goes into the system.
Suckless it is 😜. It's a fine definition. Thank you for that. But, I got to ask, where is the line drawn? Like, the Linux kernel, by virtue of being monolithic, has to be bloated as well. Right? So, if that's the case, is somehow the kernel's bloat okay while bloat is unaccepted for the system and service manager? If so, why? I'm genuinely curious.
The more code you have, the more entries for security risks.
Sure~ish. Deep discussion. I'm fine with giving this to ya.
I’m not saying that there’s anything that’s particularly better out there right now
I suppose some peeps will enjoy themselves with what's out there. Do you happen to use an alternative on a daily-basis?
but I think we should always be looking for alternatives regardless of what your views are for the people that created the code. KISS philosophy, basically. That and being open to change to avoid stagnation.
Wholeheartedly agree 😊.
Aight, got it.
For now, I'm exclusively on Wayland. Though, hopefully Openbox (or something inspired by it) will make the jump so that I can see for myself what all this goodness is about.
Anyhow, it was a lovely conversation. I enjoyed it to bits. I wish ya tha best. Cya, out there. Bye!
Do you have a link for these instructions?
In addition to the template linked by dustyData, there's also BlueBuild if you prefer YAML over containerfiles.
Very enlightening! Thank you so much!
mouse-centric
This is actually unfortunate for me. I seem to be prone to RSI related aches. Keyboard is fine~ish. But mouse can be pretty troublesome. Do you happen to know if it plays nice with trackballs and/or trackpads?
Thanks for sharing.
Thanks for the appreciation!
Our goal is to continue the legacy of Mull by providing a free and open source, privacy and security-oriented web browser for daily use.
Do you work on IronFox?
I didn't downvote myself, but did consider it.
For one, it felt a bit out of place; Fedora isn't defined by systemd, nor Red Hat or IBM. One clear example would be how Fedora has chosen to stick with Btrfs; contrary to Red Hat's demands. Don't get me wrong, I don't deny any partnership or whatsoever. But it's not like Fedora's community has no agency.
Secondly, corsicanguppy's comment seems to imply that Fedora only sticks to systemd out of some obligation towards IBM/RedHat or something. As if the overwhelming majority of distros don't default to systemd.
Thirdly, Poettering works for M$ now. Sure. But systemd remains a Linux project. And quite a good one at that. Even if the likes of dinit and s6 are starting to offer some healthy competition, it's undeniable that systemd continues to have the advantage in terms of received man-hours (in development) and adoption. I hope that Fedora eventually gives others the chance to shine. But outright ditching systemd without a perfect replacement is just foolish.
Systemd is bloated
The bloat argument has absolutely no weight as long it's not properly defined. One's bloat is the other's sane default and vice versa. Please, if you're engaging in good faith, come up with a definition by which the likes of dinit and/or s6 are not bloated while systemd is. Please be complete and rigorous in your assessment.
and known to present security risks.
If you're referring to what's addressed in Madaidan's article, you should not forget that Whonix -the very distro Madaidan used to be a security researcher at- employed systemd to enhance security. And while one might say a lot about Poettering, one simply can't deny that they've got a sound understanding of good security standards and how to implement them. It's therefore unsurprising that both Kicksecure and secureblue (i.e. Linux' finest when it comes to hardened distros) heavily rely on systemd for their bidding.
Don’t see why looking at alternatives wouldn’t be seen as positive growth.
At least we can agree on this 😉.
Phoenix is a suite of configurations & advanced modifications for Mozilla Firefox, designed to put the user first - with a focus on privacy, security, freedom, & usability. - GitHub - cele...
Disclaimer: I'm not affiliated to the project.
Aside from the fact that it's relatively new and unknown, does this hold a candle to other Firefox-based projects? They seem to be competent by their own comparison tables.
Has anyone got any first-hand experience?
Yeah, it seems that they even acknowledge that Tor and Mullvad are better for extreme threat models.
"The only browsers that can provide sophisticated fingerprinting protection against advanced scripts are Tor Browser & Mullvad Browser.
If you have an extreme threat model (Ex. Political dissident, journalist, or if you are in some other kind of high risk situation), please use one of those browsers."
I suppose we'd have to commend them for being fair.
Unfortunately, I've yet to experience Qubes OS myself. So I can't help you with that. Wish ya the best of luck though!
Phoenix is a suite of configurations & advanced modifications for Mozilla Firefox, designed to put the user first - with a focus on privacy, security, freedom, & usability. - GitHub - cele...
Disclaimer: I'm not affiliated to the project.
Aside from the fact that it's relatively new and unknown, does this hold a candle to other Firefox-based projects? They seem to be competent by their own comparison tables.
Has anyone got any first-hand experience?
I hope at least the earlier problems with distrobox have been solved.
Is your intention to go in the direction of Qubes OS with extra steps?
Yo OP, did it work out in the end?
Thanks a ton for the elaborate answer!
I’ve moved to cachy OS mainly because I needed to get certain things working that were only packaged in appimage
Hmm..., I'm aware that the AppImage situation is pretty dire since it requires FUSE 2 libs while everyone and their grandmothers have moved to FUSE 3; software that's been almost out for a decade now. Thankfully, I've never actually experienced trouble getting it to work on any distro. Sure, installing some libs was often required, but nothing too fancy.
BUT I believe I could have worked it out in Aeon by fiddling around with distrobox
FWIW, I'm 100% positive that you could get it to work on Aeon. IIRC, I've also used AppImages through distrobox containers.
I think once there is a mature wayland-based Openbox replacement
Interesting. If it isn't too much of a trouble, could you pitch Openbox :P for me? I'm not too familiar with it, but you did get me curious.
(eyes on labwc)
Put into my backlog of stuff I've got to checkout.
I was hoping that this reply wasn't needed 😅. In all fairness, some of the replies found on ycombinator definitely offer legitimate criticism. However, secureblue's dev team didn't just ignore all of that as they can be found discussing on the very same thread. Since then, they've actually implemented changes addressing these concerns. For example:
Trading off possible kernel bugs against letting a whole LOT of userspace software run with real root privilege. And flatpak is a lot of attack surface no matter how you run it, and the packages have a bad security reputation.
This was raised as a good objection to some of its design choices. This eventually lead secureblue's dev team to maintain twice as many images for the sake of offering images in which this was handled differently. And it didn't stop there, it has continued to output a lot of work addressing concerns both found on that thread and outside of it. Consider looking into its commit history. Heck, even some of the GrapheneOS-people have provided feedback on the project.
Of course, no one dares to claim it comes close to Qubes OS' security model. Nor is this within scope of the project. However, apart from that, I fail to name anything that's better. Kicksecure is cool, but they've deprecated Hardened Malloc; a security feature found on GrapheneOS and that has been heavily inspired by OpenBSD's malloc design. By contrast, secureblue hasn't abandoned it. Heck, it elevated its use by allowing it to be used with Flatpak; something that hasn't been done on any other distro yet. This is just one example in which the secureblue dev team and its various contributors have shown to be very competent when it comes to implementing changes that improve security beyond trivial checkboxes.
Peeps may name other hardening projects. But fact of the matter is that I'm unaware of another hardened Linux project that's quite as feature-rich:
- Tails; cool project that does wonderful work against protecting one against forensics. But that's literally it. It's not even meant as a daily driver.
- Whonix; developed somewhat together with Kicksecure, so this one actually has put in substantial work into hardening. But, again, not meant to be used as a daily driver.
- Nix-mineral; cool project, but it's still alpha software by its own admission.
- Spectrum OS; great idea, but it's not even out yet.
Please feel free to inform me if I've forgotten anything. So, basically, if you want a hardened daily driver for general computing, then one simply has to choose between Kicksecure and secureblue. I wish for both projects to flourish, but I've stuck with the latter for now.
Do you run Steam inside gamescope as well ?
Nope I don't. But that's because running Steam isn't really a thing for me to begin with. I don't own my games through Steam aside from a couple that are only accessible through it. Whenever I need to play those, I access those through another system; be it another distro or (God forbid) M$. For the games I've played on secureblue, none of them were owned through Steam. Hence, running Steam inside gamescope has not been something I had to do yet. Unsure, if it even works as supposed.
Does your setup support casks ?
I actually don't know. It probably doesn't, though.
That was a great read. Wonderfully detailed. Thank you!
It's a pity that it went down like that. Would you say that a properly matured openSUSE Kalpa would be your perfect setup? Out of curiosity, have you used projects related to Fedora Atomic for long periods of time? If so, how would you compare them?
I put it on my partners computer after Aeon crapped itself and put the system in a boot loop until I switched the hard disk out.
It is only release candidate software. As such, I didn't have high expectations. However what you've described here is pretty troublesome. And I'd imagine your partner didn't do crazy stuff that would justify such a reaction by the OS.
I'm personally very interested in the future of openSUSE Aeon. So far, I've mostly seen positive reactions. Therefore, a negative experience as such really piques my interest. If possible, could you elaborate upon what had transpired before the system broke? Or perhaps your partners personal experience with the distro in hindsight.
Try invoking ujust distrobox-assemble
first. This command is also found on the FAQ page. Enter the container created through this method.
FYI, the userns images have been (or are about to be) deprecated.
Hey folks! After using Fedora Atomic for quite a while and really appreciating its approach, I've been eyeing one particular feature from NixOS: its congruent system management. Inspired from Graham Christensen's "Erase your darlings" post, I'd like to explore implementing something similar to NixOS' impermanence module on Fedora Atomic as one step towards better state management.
Why not just switch to NixOS? Well, while NixOS's package management and declarative approach are incredible, I specifically value Fedora's stringent package vetting and security practices. The nixpkgs repository, despite its impressive scope, operates more like a user repository in terms of security standards.
I've already made some progress with the following:
- Fedora Atomic's shift to bootable OCI containers has helped with base system reproducibility when one creates their own images. This process has thankfully been streamlined by templates offered by either uBlue or BlueBuild
- Using chezmoi for dotfiles (would've loved home-manager if it played nicer with SELinux)
My current (most likely naive and perhaps even wrong) approach involves tmpfs mounts and bind mounts to /persist, along with systemd-tmpfiles. I'm well aware this won't give me the declarative goodness of NixOS, nor will it make the system truly stateless - there's surely plenty of state I'm missing - but I'm hoping it might be another step in the right direction.
Particularly interested in:
- Best practices for managing persistent vs temporary state
- Working with
rpm-ostree
's (orbootc
') assumptions - Tools or scripts that might help
- Alternative approaches that achieve similar goals
Thanks in advance!