I didnt know these existed!
What is this? These are images based on ublues “starting-point” toolkit to create modified variants of Fedora Atomic (the name for all atomic, immutable etc distros).
This means everyone can create the Distro they prefer, with programs, settings, services, udev rules, wallpapers, hardening etc. exactly as they want, while keeping just these diverging from upstream.
Have a look at this, Linux Mint ;D
So these images use GrapheneOS’ses hardened kernel, maintained by anthraxx and the hardened memory allocator maintained by the Divested Computing Team and GrapheneOS
So the result is a project with somewhat of a difficult (but currently working) 3rd party dependency, but the result is very close to upstream and a drop-in replacement.
Just like with ublue, all you need to do is rebasing to the unsigned image, rebooting and rebasing to the signed image. The guide is in the repos!
Its important to test it, and help the developers maintain the components!
why is this marked nsfw?
Maybe it’s because it has hardened in the title it was automatically marked
Harden my Kernel, daddy
Haha no buggy app actually
Some people’s fetish maybe?
Very interesting indeed! And thank you for raising awareness!
There’s another similar project that’s still WIP and that hasn’t received a lot of development recently. Though, its maintainer does provide hardening scripts for Fedora’s Atomic distros that are worth looking into. Hopefully, we might even expect a collaboration of sorts between these projects early next year 🤞.
Yes! Its not that hard as the changes are not big.
That specific distro I linked is veeeery opinionated, installing Chromium, removing Flatpak and even software stores. So how am I gonna install software now, layering? Its a bit of a joke on “security” I dont get with all that namespace stuff. I guess this just doesnt work with Flatpaka and to my knowledge flatpaks are more secure than RPMs
installing Chromium
This wouldn’t sit well with most privacy conscious folk out there. Though, I can understand it from a security point of view. Especially, when one notices that Chromium isn’t installed from Fedora’s repos, but instead the RPM is built to offer a more up-to-date version that should provide improved security compared to the stable version.
removing Flatpak
Probs for the sake of disabling unprivileged user namespaces; as you might have correctly alluded to.
even software stores
I imagine for the sake of minimizing attack surface.
So how am I gonna install software now, layering?
The Nix package manager is installable on Fedora’s atomic distros, so perhaps that route is worth exploring.
to my knowledge flatpaks are more secure than RPMs
To my knowledge, Flatpak’s sandbox indeed isn’t achievable by default with RPMs; unless one knows how to properly utilize SELinux to that effect.
Not sure about SELinux and unofficial Chromium though.
Yes pretty much thats the state.
Sandboxing… people argue always about that, Firefox RPM, Firefox Flatpak from Flathub or from Fedora (which is incomplete lol), or Chromium.
I am no expert but started using Firefox RPM again as its the fastest.
Maybe it’s an attempt at the chromium OS way of life?
deleted by creator
Yup. I have no idea of the problem with user namespaces, but it sounds like overacting and ignoring other parameters like Sanboxing, official support, practicability
Good find! I want to test this out this weekend :)