It’s pretty neat. Though, don’t expect to roll your way in without any troubles if you don’t take the effort to read its documentation. Fedora Atomic already does things its own way. However, secureblue, by virtue of its superior security standard, adds its own set of ‘rules’ that one should abide by. Personally, I absolutely love how this is enforced. But I can understand why it might be a bit overwhelming for those new on the block. But I have personally helped introduce relative newbs to secureblue and they managed (with some help). So you should be fine; their community on Discord also has been pretty helpful in my experience.
So, if your first priority for your desktop operating system is for it to be Linux-based and your second priority is that it’s properly hardened, then you simply can’t go wrong with secureblue.
I was about to write a long piece comparing different security-focused systems, but I retracted for the sake of brevity. Please feel free to ask a specific comparison if you will.
I also have experience with Secureblue, so here are my answers:
I used GNOME because it is the only DE that protects the screen copy API. I used GNOME extensions because native methods of customizing UI/UX are very limited.
I personally re-enabled Xwayland because many apps (eg Steam) still use/require XOrg.
Yes, I use and recommend Bubblejail as a simple way of sandboxing some apps. Not “super tight”, but much better than unsandboxed. FYI, AppImages don’t work with Bubblejail, or Secureblue (cus they remove the unmaintained FUSE dependency).
Under the USERNS caption of the FAQ, there’s a link to another entry. In there, you may find the following command: ujust toggle-container-domain-userns-creation. After invoking this, distrobox should at least start working.
Yes, I do! I personally prefer GNOME over other DEs anyways, so I’m absolutely fine with that.
They disable GNOME extensions. Did you turn it back on?
They disable the installation of GNOME extensions by users. But, system-wide GNOME extensions are enabled by default. So, GNOME extensions that are found in Fedora’s repositories can be installed right out of the box. Thankfully, all my extension needs are taken care of within the extensions found in Fedora’s repositories. So, this doesn’t constitute a limitation for me. Curiously, I’ve actually installed extensions through this method ever since I recognized how the other way wasn’t remotely as secure. So this (relatively recent) change by secureblue to enforce it upon everyone (at least by default) came as a pleasant surprise.
Did you re-enable XWayland?
Nope. I initially had troubles with playing games through Wine. But I’ve learned how to use gamescope for that instead. Currently, I’m honestly unaware of anything I’d need XWayland for. Wayland development has definitely come a long way. And while I’m sure some systems and/or workflows don’t play nice with it yet, for myself (pure) Wayland is all I need.
Do you use bubblejail?
Currently, I don’t think I’ve got any use for it:
The only layered packages are the aforementioned GNOME extensions. I’m unaware if bubblejail can be used to sandbox these. But I’ll look into it. Thanks for bringing this up!
My GUI apps are taken care of by Flatpak. Which, AFAIK, utilizes bubblewrap already for its sandboxing.
My CLI apps are taken care of by Linuxbrew. Perhaps these can be sandboxed using bubblejail, but I wouldn’t even know. Thanks for reminding me of this (potential) blindspot!
Nope I don’t. But that’s because running Steam isn’t really a thing for me to begin with. I don’t own my games through Steam aside from a couple that are only accessible through it. Whenever I need to play those, I access those through another system; be it another distro or (God forbid) M$. For the games I’ve played on secureblue, none of them were owned through Steam. Hence, running Steam inside gamescope has not been something I had to do yet. Unsure if it even works as supposed.
Does your setup support casks?
I actually don’t know. It probably doesn’t, though. EDIT: Found the following within Bluefin’s documentation: “Note that the cask functionality in homebrew is MacOS specific and non functional in Bluefin, flatpak is used instead.”
I do. And have done so for almost a year now.
Looking at their features list…
I can’t use toolbox on my secureblue, it shows a message showing that it can’t find the podman version. IDK what to do.
Try invoking ujust distrobox-assemble first. This command is also found on the FAQ page. Enter the container created through this method.
Are you on the userns image? Because podman/docker/toolbox/distrobox all require unprivileged user namespaces.
I just upgraded my Silverblue and tried to use toolbox and it didn’t work. I’m testing on a KVM before installing on my PC.
FYI, the userns images have been (or are about to be) deprecated.
Do you run Steam inside gamescope as well? Their desktop app runs on xwayland, right?
RE: CLI apps, I use brew on Bazzite, casks aren’t supported on it. Does your setup support casks?