• General
  • Privacy & Security of Graphene vs Linux?


Well to be honest when I said the above I wasn't thinking of Fedora! I was thinking of the majority of other "popular" distros which have SE-linux and app armor disabled by default (Mint, pop OS, Manjaro, Zorin, etc).

There are only really two "popular" types of distributions:

  • Ubuntu-based (excluding Debian, but that's more of a server release)
  • RPM-based (Fedora, RHEL, OpenSUSE, technically Qubes I guess)

Manjaro is an Arch-based distribution. I really wouldn't recommend using an Arch-based distribution like Manjaro or Garuda; only use mainline Arch Linux. EndeavourOS might be okay, but I don't see much reason to use it given Arch has an install script now. Manjaro in particular does not have a great security track record, but Garuda does some wacky stuff like build binaries for every PKGBUILD in the AUR and offers users an easy way to install those binaries with a graphical installer. Just use Arch if you want to use Arch.

OpenSUSE does enable SELinux by default, but does not include any policies.

Ubuntu has enabled AppArmor by default since 2007 and ships with more profiles in every release, according to the infamously outdated Ubuntu Wiki:

AppArmor support was first introduced in Ubuntu 7.04, and is turned on by default in Ubuntu 7.10 and later. AppArmor confinement in Ubuntu is application specific with profiles available for specific binaries. With each release, more and more profiles are shipped by default, with more planned.

Linux Mint is the only really popular Ubuntu-based distribution, and it also apparently enables AppArmor by default.

Whether profiles are included or not, I don't know.

Oh, and I think Manjaro implements AppArmor, but I still wouldn't recommend Manjaro...

Also I don't know if you are asking this question sarcastically (to prove me wrong) or if you are really curiously asking, hah.

I'm an Arch user, and I have no idea about Fedora or SELinux. I've been considering switching to Fedora because it allows you to easily enable FDE, sets up SELinux, and generally does a bunch of security stuff that is annoying to do on another distribution out of the box. It's a rolling release like Arch which ships most packages without changes and doesn't have quite so many updates, so you're still getting regular patches. It doesn't have as many official packages, though. I'm not sold on Flatpaks yet but I'm sure they'll continue to improve. So long as NVIDIA implements a real free software driver and the last H.264 patent finally expires in 2028, the small usability issues will also be gone. Well, assuming AAC patents are gone by then, too...

So I think Fedora is a great experience for novice and advanced users alike with very sane defaults. I've tried it out on an old computer and it seems fine, but I found out it ships an older version of cURL which wasn't new enough to build my RSS feed reader. I dread to imagine what version of cURL is shipped with Ubuntu.

You might know more on the subject than me, which I'd be very happy to hear what you might have to say. I'm a newcomer to linux and my attempts at improving linux security and educating myself on it have been heavily stonewalled either by a lack of good source of information (too many pages with no good answers) or heavily technical documents and having to do everything in command line (ridiculous IMO), which are beyond reasonable expectation for the average person to delve into. FYI, I know some programming and scripting (programming student), and generally am computer savvy. Yet even for me it's like... forget it. I can't be bothered to read a multi-day long book just to be able to use SE-linux or app-armor in command line.

This generally reflects my experience, although I will say I prefer doing most things in the terminal, and I do some system administration work on the side. I mostly couldn't be bothered with it and didn't bother implementing AppArmor or SELinux on my Arch installs. I also didn't bother with FDE for similar reasons. I would like to one day read a multi-day long book on the subject of SELinux...sometime, far into the future, on a lazy weekend.

AppArmor seems easy enough to get your head around to start with, from the little I did with it.

What's SE-linux on fedora like? I don't know! And that's the problem. There is like no easy to find explanation that one can read to learn about the exact implications of its presence. What does it do? How does it help? How good is it out of the box? Does it need anything else to be done? What? all.. beats me. With something like Android, it's clear; Long winded, but clear. And it's easy to find and read on. Implemented perfectly out of the box with nothing else to do. Just learn to use.

I believe the Fedora implementation is meant to be similar to Android, in that it's meant to be perfect out of the box with nothing else to do. I'm afraid I can't help you there, since I still don't use Fedora as a daily driver. Maybe next year.

About their difference I can only quote one line that I heard while watching this YouTube video called "SE Linux for mere mortals" (which by the way I gave up on half way through)

Oh, hey, that's the same video I watched 5 minutes of a long time ago. Maybe one day. Probably right after I switch to Fedora...

A good post, thanks for this. But this is typical linux. The fact that one has to worry about such low level details and have to do it themselves is just the linux story.

These disadvantages are actually to do with the TRIM standard and SATA itself. I don't imagine other operating systems have it any easier. From the Wikipedia page:

Faulty drive firmware that misreports support for queued TRIM or has critical bugs in its implementation has been linked to serious data corruption and/or serious bugs like frequent freezes in several devices, most notably Micron and Crucial's M500[75] and Samsung's 840 and 850 series.[76] The data corruption has been confirmed on the Linux operating system (the only OS with queued trim support as of 1 July 2015).

If your drive uses SATA 3.1+, you shouldn't need to worry about any of this. I assume most drive manufacturers have figured out how to make non-dodgy firmware by now...

I have no idea how Windows handles this.

We know data recovery companies do recover data from SSDs, but can they do it on deleted sectors too? I'd like to know the answer to that.

Ditto.

    User2288 I'm a newcomer to linux and my attempts at improving linux security and educating myself on it have been heavily stonewalled either by a lack of good source of information (too many pages with no good answers) or heavily technical documents and having to do everything in command line (ridiculous IMO), which are beyond reasonable expectation for the average person to delve into. FYI, I know some programming and scripting (programming student), and generally am computer savvy. Yet even for me it's like... forget it. I can't be bothered to read a multi-day long book just to be able to use SE-linux or app-armor in command line.

    What's SE-linux on fedora like? I don't know! And that's the problem. There is like no easy to find explanation that one can read to learn about the exact implications of its presence. What does it do? How does it help? How good is it out of the box? Does it need anything else to be done? What? all.. beats me.

    The lack of a good documentation (which, for me, includes easy to find bits of information) was why I committed myself to Arch. It took quite some time to configure it, install all the stuff that I needed and so on, but whenever I felt lost (frankly, I believe that's part of the Arch experience) I found answers in their wiki. It explains enough to make an educated decision or at least gives me enough buzz words to find what I need to know. Mostly.

    The dark side is that I as a user have to be the sys admin, too. Boot Parameters, DAC/MAC, iptables, WMs, compositor ... Nightmares. Still gives me the creeps when I think back.

    However, whenever I use a different OS, I feel like playing a racing game instead of driving a real car. It's easier and more fun, but it's also only half of the real experience. I do not mean this in any way demeaning, in fact, I would love to be able to appreciate an OS with a lot less need to take care of, but I just can't anymore. In my experience, once you dig deep enough and start to understand, you feel the good part of having full control over your machine. And with great power come great responsibilities and that's usually the point when I start to ask myself if it's worth it but I always come back.

    Linux might be a lot less secure than macOS or even windows, but at least I have the means to change that. Unfortunately, I also have to do it, at least some basic stuff, to get a modestly secure setup.

    Still have no clue how to configure AppArmor properly without running into issues, though. Also, reading about how demanding it can be to configure SELinux, I simply do not see that on the horizon for me in the foreseeable future.

      Equal2024

      In Windows there is a system executable called WinSAT. It runs as a service and does a bunch of system maintenance stuff every day (including defrag, SSD management, logs, cleanup, etc). It manages Trim as well as setting up system settings needed for the hardware, so you don't have to do it manually.

      I feel command-line/terminal is not a problem for most people. The problem is having to know hundreds of commands and parameters off the top of your head and remembering what order to use them in. It's an impossible task for someone who is not repeatedly using them day in day out. It's beyond impractical for the average person. Having a booklet of commands by your side to have to lookup on, left, right, and center, is also impractical and unacceptable. Been there, done that.

      I think at the moment Fedora and Arch are the best and more complete systems to go with, with Arch being out of the question for people who wanna get started in linux. In the chase of trying to get into linux the easy way I have tried (topically) Gecko, Manjaro, Ubuntu, Mint, Zorin, and popOS. Each is good in something, but bad in another (from a semi advanced user's beginner experience in linux).

      I just want a secure linux that I can browse the internet with at the very least, without using Tails or Qubes. Even this has been a tall order to find.

      Phead Yup. I get it. But building arch is not practical for people getting into linux, and apparently neither is any of the other options.

      Right now I'm about to get started on Fedora. Installing on two computers.

        User2288 [...] But building arch is not practical for people getting into linux [...]

        Au contraire mon frère. In fact, you'll probably learn a lot more than you would otherwise. I mean, yeah, Arch kind of shoves it down your throat and starting with only a bare minimum system is also very frustrating and you feel like left out in the rain without a GUI. But taking it step by step, following the wiki closely, you'll learn what you're doing, why you're doing it and what you can do when you run into errors. When you're done you know your system. I found that to be very comforting at times.

        But in the end it's important that you can use your computer for the task that you need it for without struggling with its configuration and all the other stuff. I used Gentoo once and I was mostly busy reading compile error logs and waiting for the compiler. Never looked back.

        User2288

        There are a few exceptions where data might be recoverable from an SSD after TRIM is issued, but these would require highly specialized and costly techniques, and even then, success would not be guaranteed. These scenarios could include situations where TRIM was not correctly implemented by the drive manufacturer, or where the drive's firmware does not correctly process the TRIM command.

        If your life depends on it, don't blindly trust TRIM. The foolproof solution is to encrypt your data (for example in a separate profile in GOS) and delete the encryption keys (delete the profile) to make something unrecoverable.

        That said, TRIM is the best we have in a flash storage to make deleted data hard to recover. Some SSDs offer an option to securely erase all blocks, but that will wipe the whole drive.

        User2288

        In Windows there is a system executable called WinSAT.

        Ah, that's handy. If it does it properly with integrity guarantees, that's something I'd like to see on Linux.

        I feel command-line/terminal is not a problem for most people. ... Having a booklet of commands by your side to have to lookup on, left, right, and center, is also impractical and unacceptable.

        I don't expect most people to use a terminal for day-to-day usage, but I find it comfortable. Then again, I'm a GNOME or Sway user depending on the month, so I wouldn't say my tastes are easy to pin down.

        For commands you run semi-regularly, it's worthwhile creating an alias in your ~/.bashrc file. I use several aliases for yt-dlp, mounting SAMBA shares, and WINE prefixes, and a few miscellaneous commands.

        This is definitely something you expect with the Arch experience. I'm not very familiar with other distributions, as I've only used Ubuntu on a desktop for a month, but I don't know what

        Each is good in something, but bad in another (from a semi advanced user's beginner experience in linux).

        The only major differences between most distributions are the package manager/method for installing software, the versions of software they offer, and the software/configurations it ships with by default. Arch sets up and installs nothing beyond the bare essentials by default, while Fedora sets up almost everything it legally can. Arch uses pacman; Fedora uses dnf (but integrates with GNOME Software to install most software, so you don't have to use the command line).

        While it's certainly possible to set up SELinux on Arch yourself, as you've heard from two Arch users in this thread, it's only an option for the most dedicated. Most everything else, though, is not difficult to set up on any distribution. Most of the software on distributions is from a third party, like GNOME, or X.org, or Freedesktop, or Red Hat, or Mozilla—not the distribution itself. So these software will be consistent across distributions, and you can install and set them up on any distribution. It's in the name—distribution. It's a distribution of disparate software from all of these different parties with configurations they think users will like. Linux itself was only made useful by GNU utilities like bash and glibc back in 1991.

        Flatpak is something of an equalizer which will close some of the gaps between distributions, because you can have the latest userland software on any distribution, whether it's Debian or Arch, with Flatpak. It's only really designed for GUI applications, though, and not system software. So, the gap between distributions is not as large as you think, and not usually in ways that matter. We could have kept having this conversation about Linux, and I could have never brought up that I use Arch, because it matters little what distribution you use if you plan to have the same setup.

        Now, for distributions that are really different, you have GuixSD, Nix, and Gentoo. These distributions are a whole different paradigm in many ways. Gentoo, for example, is a source-based distribution where you can compile everything for maximum control. One of their most attractive qualities is having the ability to install multiple versions of some software at a time, along with a bunch of other neat stuff. For example, you could have multiple versions of PHP installed in Gentoo or Guix and interact with them accordingly. Not so simple on other distributions. On the other hand, everything else about these distributions demands advanced attention from a user.

        I just want a secure linux that I can browse the internet with at the very least, without using Tails or Qubes. Even this has been a tall order to find.

        Fedora is your best bet. It involves a little more configuration than Ubuntu out of the box, but is a great general desktop operating system with sane configurations by default. I know someone who has had a great experience with it coming from Arch.

        User2288 On linux once an executable runs it has access to "everything", unless SE-linux policies exist, which for average joe is not the case. On G-OS this is not the case. This is relevant if we are talking about being hacked while device is on.

        False. It doesn't have access to anything for which it does not have permission. SELinux is another layer on top of that to really make sure, but that doesn't mean that anything is wide open even without SELinux.

        As far as I know trim commands are never run on linux automatically, which is another one of my gripes against linux. You'd have to set a scheduler to run it (cron job). In windows a trim command is sent every time any file is deleted.

        Mount the filesystem with the "discard" option.

        User2288 What does it do? How does it help? How good is it out of the box? Does it need anything else to be done? What? all.. beats me. With something like Android, it's clear; Long winded, but clear.

        Let me help you with something... Android, IS Linux. Different sepolicy to be sure, but your lack of knowledge doesn't mean that it's inadequate, as you yourself pointed out. Why do you consider it "clear" on Android? Have you actually read through the policy source so that you can understand what it's doing?

        matchboxbananasynergy Desktop operating systems with no access control, sandboxing, or any other modern security features feel antiquated in today's world.

        I agree. And there are several desktop OS's that do provide that, and some to a greater extent than possible with AOSP based OS's like GrapheneOS.
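An added example, not part of any post in this thread: a POSIX shell script that checks on a given machine the two things debated above, namely which mandatory access control framework the kernel has actually loaded (and whether SELinux is enforcing), and whether TRIM is configured through the `discard` mount option or the periodic `fstrim.timer` unit. The function names are made up for this example; each takes an optional file path so it can also be run against a saved copy of the kernel file.

```shell
#!/bin/sh
# Added example: audit MAC and TRIM configuration on a Linux host.

# mac_status [FILE]: which MAC framework is in the kernel's active LSM list.
mac_status() {
    f="${1:-/sys/kernel/security/lsm}"
    [ -r "$f" ] || { echo unknown; return 0; }
    case ",$(cat "$f")," in
        *,selinux,*)  echo selinux ;;
        *,apparmor,*) echo apparmor ;;
        *)            echo none ;;
    esac
}

# selinux_mode [FILE]: a loaded SELinux only restricts anything when enforcing.
selinux_mode() {
    f="${1:-/sys/fs/selinux/enforce}"
    [ -r "$f" ] || { echo disabled; return 0; }
    case "$(cat "$f")" in
        1) echo enforcing ;;
        *) echo permissive ;;
    esac
}

# discard_mounts [FILE]: mount points using continuous TRIM.
# /proc/mounts fields: device mountpoint fstype options dump pass
discard_mounts() {
    awk '{
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] == "discard" || opt[i] ~ /^discard=/) { print $2; break }
    }' "${1:-/proc/mounts}"
}

# fstrim_timer: state of the util-linux systemd timer that runs periodic TRIM.
fstrim_timer() {
    command -v systemctl >/dev/null 2>&1 || { echo unknown; return 0; }
    systemctl is-enabled fstrim.timer 2>/dev/null || true
}

report() {
    echo "MAC framework : $(mac_status)"
    echo "SELinux mode  : $(selinux_mode)"
    echo "fstrim.timer  : $(fstrim_timer)"
    echo "discard mounts: $(discard_mounts 2>/dev/null | tr '\n' ' ')"
}

report
```

A result of `selinux` with mode `permissive` means denials are only logged, not blocked.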

        I'm surprised Qubes wasn't really mentioned here. I find it to be the closest analog to compartmental security. Running apps in completely separate virtual machines. Obviously hardware intensive, but fairly secure.

          Graphite I'm surprised Qubes wasn't really mentioned here. I find it to be the closest analog to compartmental security. Running apps in completely separate virtual machines. Obviously hardware intensive, but fairly secure.

          Qubes would've been my go-to distro but I figured that it might be a little too much for my daily needs. But the concept is very appealing.

          I also like the immutable variants of Fedora. Sexy concept at first glance.

          On an unrelated topic - how about a Graphene Distro with secure C libraries, Linux hardened and all the other good stuff out of the box? The graphene color theme would be very appealing, too.