Fedora Kinoite+Silverblue hardened images available - eviltoast

I didnt know these existed!

What is this? These are images based on ublues “starting-point” toolkit to create modified variants of Fedora Atomic (the name for all atomic, immutable etc distros).

This means everyone can create the Distro they prefer, with programs, settings, services, udev rules, wallpapers, hardening etc. exactly as they want, while keeping just these diverging from upstream.

Have a look at this, Linux Mint ;D

So these images use GrapheneOS’ses hardened kernel, maintained by anthraxx and the hardened memory allocator maintained by the Divested Computing Team and GrapheneOS

So the result is a project with somewhat of a difficult (but currently working) 3rd party dependency, but the result is very close to upstream and a drop-in replacement.

Just like with ublue, all you need to do is rebasing to the unsigned image, rebooting and rebasing to the signed image. The guide is in the repos!

Its important to test it, and help the developers maintain the components!

    • Pantherina@feddit.deOP
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      Yes! Its not that hard as the changes are not big.

      That specific distro I linked is veeeery opinionated, installing Chromium, removing Flatpak and even software stores. So how am I gonna install software now, layering? Its a bit of a joke on “security” I dont get with all that namespace stuff. I guess this just doesnt work with Flatpaka and to my knowledge flatpaks are more secure than RPMs

      • alt@lemmy.ml
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        installing Chromium

        This wouldn’t sit well with most privacy conscious folk out there. Though, I can understand it from a security point of view. Especially, when one notices that Chromium isn’t installed from Fedora’s repos, but instead the RPM is built to offer a more up-to-date version that should provide improved security compared to the stable version.

        removing Flatpak

        Probs for the sake of disabling unprivileged user namespaces; as you might have correctly alluded to.

        even software stores

        I imagine for the sake of minimizing attack surface.

        So how am I gonna install software now, layering?

        The Nix package manager is installable on Fedora’s atomic distros, so perhaps that route is worth exploring.

        to my knowledge flatpaks are more secure than RPMs

        To my knowledge, Flatpak’s sandbox indeed isn’t achievable by default with RPMs; unless one knows how to properly utilize SELinux to that effect.

        • Pantherina@feddit.deOP
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Not sure about SELinux and unofficial Chromium though.

          Yes pretty much thats the state.

          Sandboxing… people argue always about that, Firefox RPM, Firefox Flatpak from Flathub or from Fedora (which is incomplete lol), or Chromium.

          I am no expert but started using Firefox RPM again as its the fastest.

        • Pantherina@feddit.deOP
          link
          fedilink
          arrow-up
          1
          ·
          1 year ago

          Yup. I have no idea of the problem with user namespaces, but it sounds like overacting and ignoring other parameters like Sanboxing, official support, practicability