What is your desktop OS?

custardbomb

DeletedUser628 it's something I want to look into, as though I'd be keen to adapt SecureBlue or Qubes; family and work commitments mean my time is very limited. Zorin represents a quick way to ditch Windows without a learning curve. I'm so accustomed to things just working in Windows. Though I'm accustomed with diagnostics and windows terminal, I'm less familiar with Linux, though even Zorin has forced me to start the journey and pick up some terminal commands. Zorins endeavor to produce a distro that just works is admirable, notably that appears to be it's biggest draw to new users.

custardbomb

DeletedUser628

custardbomb Yes, Zorin rarely requires Terminal use and retains Windows features that are oddly lacking on other Linux distros. It's very easy to use.

Mikeg

DeletedUser628 It is my go to distro for elderly who are very computer illiterate, used to Windows and get infected with malware all the time. Hasn’t failed to improve their experience once.

DeletedUser628

Mikeg That being said, it's probably blasphemous, but I like Windows. Zorin so far has been a decent replacement.

Mikeg

DeletedUser628 I worked in IT for 30 years and supported Windows from NT onward to 10 before I retired. I ran some Unix/Linux servers along the way and played with a lot of Linux distros for desktop for myself. I also had to support a Mac environment as well. I remember installing the first ZorinOS Lite when it came out on an extremely old laptop and was very impressed with how it allowed me to repurpose that piece of dormant hardware. Kept up with the project and watched it steadily grow. They did a decent job trying to capitalize on the Windows 10 end of support cycle to increase their base with their latest release. I still have two W11 desktops at home along with a vsphere host and two rpi zero 2W ‘s that I use for docker containers hosting pi-hole, vaultwarden, etc. Each OS has its own pros and cons. Experimentation is how I ended up with GOS. It is fun to learn.

DeletedUser628

Mikeg For sure! My only real issue with GrapheneOS is some trouble receiving group texts, but only from certain people... a couple of iPhone users.

Mikeg

DeletedUser628 I think that boils down to specific carrier issues unfortunately. I have zero issues using Verizon in the US other than the apple/Android compatibility issues with RCS. Wouldn’t it be nice if there was just one RCS implementation standard across all devices, carriers and networks. One can dream!

ryrona

ryrona You know what is even better? You have to pay for an Enterprise license to even be allowed to disable the spying, or enable actually secure disk encryption modes, and in both cases you still need to change group policies to do so. If you are cheap and only pay for a Home license, they will even upload a copy of your disk encryption key to a Microsoft server for safe keeping. And yes, they admit all this is their documentation :)

Oggyo [Windows related]

Microsoft is giving BitLocker keys to law enforcement.

Totally predictable outcome.

Linux

custardbomb Why isn't OpenBSD/FreeBSD offered as an alternative OS; it's my understanding these are more secure than Secureblue.

How is the availability status of software for BSD?

I don't want to shit on it in any way but at least Linux is somewhere on the radar of normal people and organizations but 95% of people probably don't even know that BSD exists, cause its not even listed in any desktop usage statistic.

Sinai

Seeking feedback on my hardened Fedora 43 + GrapheneOS tether setup

I have built a privacy/security-focused setup and would appreciate honest ratings and constructive feedback from the community.

Laptop

Fedora Workstation 43 (GNOME, traditional mutable install)
firewalld DROP zone as default/active on all interfaces (USB tether enp0s20f0u4 + ProtonVPN tunnels proton0/pvpnksintrf1)
No services or ports allowed in DROP zone; echo-request blocked
SELinux enforcing
Debloated (unnecessary packages removed)
Masked unused daemons (colord, bolt, wsdd via gsettings + systemctl mask)
Full-tunnel ProtonVPN (app, Advanced kill-switch enabled, split-tunneling disabled)
No external listening sockets (ss -tulnwp shows loopback only)
Manual security updates
Browser: Firefox + uBlock Origin, Decentraleyes, Resist Fingerprinting, Strict ETP

Phone (tether source)

Pixel 7a running latest GrapheneOS
USB-C tether to laptop
No Google services, strict permissions, sensors/camera/mic disabled, secondary profile usage
Anonymous prepaid SIM (not tied to name)

Threat model:

Maximum network stealth/invisibility on public Wi-Fi (cafés, hotels, Airbnb in Thailand)
Protection against dodgy links and employer-style snooping attempts
Avoiding carrier metadata correlation via SIM/IMEI
General privacy (past experience with workplace visibility via Google Workspace)

Deliberate choices:

Not using secureblue (immutable Fedora Atomic) — previous trials caused functionality/speed loss
Not upgrading to newer Pixel (7a still receives full GrapheneOS support until ₂₀₂₈; MTE hardware gain feels marginal for my risks)

Questions:

On a scale of 1–10, how would you rate the overall security/privacy/stealth of this setup?
Are there any obvious gaps or low-effort improvements that would meaningfully increase protection?
Is the decision to stay with mutable Fedora + Pixel 7a reasonable given my priorities?
Should I switch to secure blue?

Thank you for your time and expertise.

eyphzlm

Sinai

For your laptop setup my rating is 0 / 10.

Too much flaws in your approach

Using fedora is good because its based on rhel based system selinux has first class support. The first mistake you made is installing gnome its very resource intensive and also gnome mainly uses gtk if you really want hardened system avoid gtk if possible
disabling all open ports is not alone enough you need to improve network security by sysctl hardening.
selinux enforcing -> by default fedora enables selinux now a days but the main concern is your user is unconfined which means there is no restrictions if a malacious package infected your system it can do anything with full privileges. By default fedora only confines handful of services with selinux so the selinux enforcing here won't provide you secure environment at all only very minimal security only also that minimal security is also a question mark because its all depending on the policies.
when you installed gnome its no use even if you debloat your system
using this "Firefox + uBlock Origin, Decentraleyes, Resist Fingerprinting, Strict ETP" you really stand outs from other users even if you change vpn to different server or even use tor its not going to provide you any benefits at all they are clearly going to identify you.
Never use firefox you can use firefox based browser but no the firefox you may harden it with arkenfox user.js settings but it won't be enough many times even when applying arkenfox user.js i went to about:config and tweak many settings to harden further. My number choice for browser is mullvad browser.
Use this browser stack: Mullvad Browser + Ublock Origin + NoScript that's it no need for other extension like Decentraleyes, Resist Fingerprinting, Strict ETP installing these makes your browser more unique.
In your setup there is No Hardened Kernel, No Sysctl Hardening, No Hardened Malloc, No minimal desktop environment, No BadHosts Block, and Many More.

Read this below article its maybe 4 years old but its still relevant also don't just implement all of these hardening from this madaidans guide there is possibility of breaking your system if you are experience no problem but for inexperienced person its not recommended even if you are not going to follow this atleast read this so you can gain knowledge how much you need to harden your system. Don't think that hardening system for average user daily needs is hard its not hard at all you can harden your system in less than 1.5 hrs to make it harden like secureblue.

https://madaidans-insecurities.github.io/guides/linux-hardening.html

brev

eyphzlm

0/10? Really? Needlessly harsh IMO

User can install Trivalent on Fedora Workstation as a maximally secure alternative to your convoluted Mullvad alternative.

Installing GNOME a "mistake"? Why does secureblue use GNOME by default? No mention of simply not using electron apps or xwayland.

Never use firefox > you can use firefox based browser -- what are you on about?

For the user's stated threat model, that laptop setup is perfectly fine. Not "ideal", but fine.

DeletedUser771

DeletedUser588 That's Steam. I'm talking about native support for the games themselves, not Steam.

inffy

For the past few years I have been running our own built image based on the universal-blue project - Aurora.

gamma7

I use secureblue but I'm not sure about it. Most of the games on Lutris don't work, and some apps break all the time (e.g. Tenacity crashing on playing sound, Dolphin emulator not starting up at all, etc.). Makes me wanna switch to Fedora Kinoite or Windows 10 LTSC but I'm also unsure about missing out on more security (compared to other distros) and privacy of Secureblue.

shapirus

no rpm based for me since about 2000 for obvious reasons.

no more ubuntu since recently because of all these snap packages and corporate bs shoved down our throats. debian... still ok, been using it since about 2003, but considering finally switching to arch or its freeer fork, artix, because of the dei and other bs in most current distros.

Elgoog

brev User can install Trivalent on Fedora Workstation
How?

brev

Elgoog

On Fedora Workstation:

in /tmp, curl or wget the .repo file from https://repo.secureblue.dev/secureblue.repo
dnf config-manager addrepo --from-repofile=/tmp/secureblue.repo
sudo dnf install trivalent

On Fedora Atomic (Silverblue/Serica/theKDEone)

curl/wget the repo to /etc/yum.repos.d/
rpm-ostree install trivalent

sorted :)

note: this is unsupported by the secureblue team, but I've been using it alongside vanilla chrome (for my precious bitwarden browser extension) and it works a treat.

r134a

Elgoog By adding their repo first: https://github.com/secureblue/Trivalent

Unsupported installation is also possible via our repo

I could be wrong in the following, but note that u'll probably lose some of it's hardening efficiency by installing it anywhere other than secureblue, as it probably partially relies on hardenings done at 'os-level' like hardened malloc.

Edit: @brev was faster and more detailed :)

brev

r134a yeah you won't have hardened_malloc and the other secureblue improvements on vanilla Fedora.

I need to switch to secureblue but I need to read more deeply on the implementation before jumping over again; had issues with my Thunderbolt dock/other useability that is a non-negotiable for me.

My threat model is pretty casual so Workstation and Silverblue depending on the laptop I'm using are fine for me at the moment.

« Previous Page Next Page »