N.E.P.T.R

You you do choose to release it, do it on codeberg because GitHub is Microsoft owned and has an incentive to remove it.

What does it mean to “make Linux secure”? What does secure mean to you (genuine question). I see people say they can make Linux secure but from what kinds of attacks. I think madaidan’s blog explains why you can’t as an individual fix an issue with the entire ecosystem, or fix the kernel of its inherent security flaws https://madaidans-insecurities.github.io/linux.html

I think “good security” in my personal opinion means that even if you try to run a malicious app, it either crashes out right or can’t do anything because it doesn’t have the permission to.

One thing that I think is very misunderstood is that messy or extremely large/dense code can be very hard to understand, even if you have the source code. Like systemd, it is several million lines of code and is very tangled together. Is it that much better than a blackbox if no one can audit the whole thing (unless you are a massive team)? I do think it is better to have source code and documentation, but vulnerabilities arise from unintended interactions in the code. The more code there is, the higher the chance of this happening.

deleted by creator

It really isn’t that different than regular Fedora Atomic. It offers easy toggles for most security features and some convenient utilities to make things easier.

You can just layer persistent malware (like a .rpm from the internet) using rpm-ostree, or rebase to a malicious image, because rpm-ostree doesnt require a password. Atomic doesnt mean basically anything other than you switch out images, it isnt a security feature. Or have persistent malware by creating a systemd user service that runs on login, or a system service which does the same, and does something malicious (exfiltrate data or keylog [yes that is possible on Wayland with LD_PRELOAD trick]). Or modify the use’rs ~/.bashrc and change the path to include something like /tmp or ~/.local/bin and pit a fake sudo binary which takes president over the real sudo and does something (like steal your user password). Or LD_PRELOAD a malicious binary to everything either by adding a line to the .bashrc, or get root and create /etc/ld.so.preload

The list goes on. It isn’t more secure than regular Fedora. It isn’t a (significant) security feature. It doesn’t protect against persistent malware which resides in the user home, etc, or goes unnoticed as a layered package. rpm-ostree can be used to install anything without needing a password. It isn’t secure.

They aren’t DIMMs so basically no resale value. Only usable for data center servers.

I was specifically responding to at the end where you say it is “super secure” at the end of your comment. It is not a security focused distro. It isnt even (only) a privacy distro. It is an anonymity distro. Fedora is private, but it doesnt store everything in RAM or route everything through Tor, so it isn’t amnesic or anonymity focused.

When compared to Whonix (which is Debian based like Tails) or Secureblue (Fedora Atomic based), Tails doesnt do nearly anything to harden its base other than to strictly proxy the network through Tor, run in RAM, and some default apps.

Fedora Atomic is not more secure than traditional Fedora. That is a misconception.

Qubes, Kicksecure/Whonix, and Secureblue are basically the only major security focused Linux distros.

Tails is focused on anonymity, not simply privacy (same with Whonix). Tails is not really security hardened.

Tails isn’t really a security focused distro, no significant kernel or other security hardening. It is amnesic. Whonix (based on Kicksecure) is security hardened but still based on Debian which isn’t great for a security base.

Secureblue is what I would recommend because it a security focused Linux distro that benefits from Fedora’s SELinux, and has a bunch of its own additions.

QubesOS is obviously the best for security. Combine that with a Whonix or Secureblue guest OS and you’re perfect.

GrapheneOS. It gets updates and security patches quickly, it fully removes dependency on Google services (unlike any of the others you mentioned), and it is heavily deblobbed of proprietary blobs. It is rock solid. Here is a comparison table from a trusted third-party: https://eylenburg.github.io/android_comparison.htm

All of those apps will work, just install Sandboxed Google Play. Install company apps either in a Private Space or a separate user to isolate them. I recommend putting all Gapps (play store apps) in a Private Space.

Note: iode is often a month or more behind on Android security patches.

You can run Genshin Impact on Linux

https://soatok.blog/2024/11/15/what-to-use-instead-of-pgp/

OpenPGP for encryption through autocrypt is a BIG NO for me. OpenPGP is inherently flawed, read any reasonable cryptographer’s opinions on it. DeltaChat is a significant security downgrade from Signal. I would much rather use SimpleX or Briar.

I am excited to see Chimera Linux mature because iy seems like a distro which prioritizes a simple but modern software stack.

Features of Chimera that I like include:

• Not run by fascists
• Not SystemD (dinit)
• Not GNU coreutils (BSD utils)
• Not glibc (musl)
• Not jemalloc (mimalloc)
• Proper build system, not just Bash scripts in a trenchcoat

What I would like:

• MAC (SELinux)
• Switch to Fish over Bash (because it is a much lighter codebase)
• Switch from mimalloc to hardened_malloc (or mimalloc built with secure flag). Sadly hardened_malloc is only x64 or aarch64
• Hardened sysctl kernel policy