• 1 Post
  • 112 Comments
Joined 1 year ago
Cake day: November 1st, 2023


  • Pop!_OS is definitely worth considering as it’s one of the few distros that goes as far as providing a recovery partition and offers one of the best experiences for those with Nvidia GPUs. Furthermore, Pop!_OS’ maintainers (read: System76) are actually financially incentivized to make their distro very polished and newbie-friendly as their distro is used on the hardware they sell.

    On the flip side, Pop!_OS is currently in a major overhaul to replace GNOME with COSMIC, their own home-built desktop environment. As the desktop environment is arguably the most important contributor to how one experiences their Linux system, the eventual change might disrupt your workflow and you might even be too accustomed to GNOME to consider COSMIC at that point. The ongoing work on COSMIC has even meant that Pop!_OS has missed three major releases and is still clinging to its release from April 2022; thankfully it’s based on Ubuntu’s LTS (read: Long Term Support) release, so they aren’t particularly in a rush to get a new release out and can rely on Ubuntu for security updates.

    Regardless, COSMIC’s uncertain future does leave a lot to be desired and does raise the question whether other options should perhaps be considered more seriously instead.

    Therefore, my personal recommendation would be either one of the following:

    • If you just really like what you see from Pop!_OS, then just install its 22.04 release and you should be good until April 2027. As time goes on, you might be deprived of new developments and features; but at least updates etc. will not be able to (potentially) corrupt/break your system in the meantime.
    • Wait until April next year, when they’re supposed to release a new version. If you like what you see and the update and the changes are well-received by the community, then consider installing that one instead. It should be supported for 5 years, which is plenty to not worry about your system in the meantime.
    • Go look elsewhere. There are hundreds of actively maintained distros out there. While not all of them are worth considering, there are at least a dozen of them that are worthy contenders. In case you’re interested in getting the community’s help in finding a distro, consider answering the following questions:
      • Do you use an Nvidia GPU?
      • How would you rate your tech savviness on other operating systems?
      • How eager are you to learn and/or invest time to use your Linux system?
      • Do you prefer to have up-to-date software at all times even if that means daily/weekly updates that might potentially break some functionality?
      • Security or convenience?
      • Opinionated or blank slate?

    A shortlist of distros worth considering for a beginner (from easiest to hardest): Linux Mint, Ubuntu, Debian/Fedora/openSUSE and Arch.


  • installing Chromium

    This wouldn’t sit well with most privacy-conscious folk out there. Though, I can understand it from a security point of view. Especially when one notices that Chromium isn’t installed from Fedora’s repos, but instead the RPM is built to offer a more up-to-date version that should provide improved security compared to the stable version.

    removing Flatpak

    Probs for the sake of disabling unprivileged user namespaces; as you might have correctly alluded to.

    even software stores

    I imagine for the sake of minimizing attack surface.

    So how am I gonna install software now, layering?

    The Nix package manager is installable on Fedora’s atomic distros, so perhaps that route is worth exploring.

    to my knowledge flatpaks are more secure than RPMs

    To my knowledge, Flatpak’s sandbox indeed isn’t achievable by default with RPMs; unless one knows how to properly utilize SELinux to that effect.



  • I don’t own any devices with an Nvidia GPU. Therefore, I can’t share my own experiences but only the ones from the community. If my memory serves me right, it should work. However, as usual, expect some strange behavior at times. Thankfully, getting back to a working system shouldn’t cause you any troubles on Jovian-NixOS. Nonetheless, it’s something to keep in mind.



  • to use as a media centre and multiplayer gaming system in my living room

    Based on this, you’re basically looking for the ‘game console experience on your couch’. If that’s the case, honestly you shouldn’t look beyond[1] Bazzite.

    If, instead, you actually wanted to play retro games primarily, then please let us know.


    1. While ChimeraOS and HoloISO also offer the ‘game console experience’, they don’t support Nvidia GPUs. So you would be on your own at best; which would be a horrible experience for a new user. If you feel particularly adventurous, then Jovian-NixOS is actually another option. But arguably less newbie-friendly compared to Bazzite.


  • Basically, you want to not disable kernel.unprivileged_userns_clone.

    For a temporary solution that has to be redone after reboot, there is sysctl kernel.unprivileged_userns_clone=1.

    For a lasting solution, consider echo kernel.unprivileged_userns_clone=1 | sudo tee /etc/sysctl.d/99-enable-unpriv-userns.conf.

    In either case you’re foregoing security for the sake of convenience/functionality, so I understand why you would rather not act upon either of them.

    I don’t know what the solution is that would be analogous to installing bubblewrap-suid. Perhaps it’s worth exploring the projects found within the GitHub page of Awesome Fedora Security for some pointers.
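    As an added example (it is not part of the original comments, nor of any project named in them): a small bash script that works out which sysctl knob governs unprivileged user namespaces on the running kernel, reports whether they are currently allowed, and prints the sysctl.d drop-in that re-enables them. The reason for the detection step is a caveat the one-liners above skip: kernel.unprivileged_userns_clone is a downstream patch carried by Debian/Ubuntu kernels and Arch’s linux-hardened, while Fedora’s upstream-based kernel does not have it and exposes user.max_user_namespaces instead (0 disables unprivileged user namespaces entirely). Both knob names are real kernel sysctls; the drop-in file name follows the comment above, and the non-zero limit written for the Fedora case is an arbitrary choice. The /proc root is a parameter so the logic can be exercised against a constructed directory layout; writes to the real /etc/sysctl.d require root.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. Detect which sysctl knob
# controls unprivileged user namespaces, report the current state, and
# emit a sysctl.d drop-in that re-enables them.
#
#   kernel.unprivileged_userns_clone  -> Debian/Ubuntu kernels, Arch linux-hardened
#   user.max_user_namespaces          -> upstream kernels, e.g. Fedora (0 = disabled)
#
# All functions take an optional proc root (default /proc) so they can be
# run against a constructed fixture directory instead of the live kernel.

# Print the name of the controlling knob, or "none" if neither file exists.
userns_knob() {
    local proc_root="${1:-/proc}"
    if [ -r "$proc_root/sys/kernel/unprivileged_userns_clone" ]; then
        echo "kernel.unprivileged_userns_clone"
    elif [ -r "$proc_root/sys/user/max_user_namespaces" ]; then
        echo "user.max_user_namespaces"
    else
        echo "none"
    fi
}

# Print "enabled", "disabled" or "unknown" for unprivileged user namespaces.
userns_status() {
    local proc_root="${1:-/proc}"
    local value
    case "$(userns_knob "$proc_root")" in
        kernel.unprivileged_userns_clone)
            value=$(tr -d '[:space:]' < "$proc_root/sys/kernel/unprivileged_userns_clone")
            [ "$value" = "1" ] && echo enabled || echo disabled ;;
        user.max_user_namespaces)
            # Any non-zero limit allows unprivileged user namespaces; 0 forbids them.
            value=$(tr -d '[:space:]' < "$proc_root/sys/user/max_user_namespaces")
            [ "$value" != "0" ] && echo enabled || echo disabled ;;
        *)  echo unknown ;;
    esac
}

# Print the sysctl.d drop-in line for the knob this kernel exposes.
# Persisting it (needs root):
#   userns_enable_conf | sudo tee /etc/sysctl.d/99-enable-unpriv-userns.conf
#   sudo sysctl --system
# Returns 1 (and prints nothing on stdout) when no known knob is present.
userns_enable_conf() {
    local proc_root="${1:-/proc}"
    case "$(userns_knob "$proc_root")" in
        kernel.unprivileged_userns_clone) echo "kernel.unprivileged_userns_clone = 1" ;;
        # 65536 is an arbitrary non-zero limit (assumption); any value > 0 re-enables.
        user.max_user_namespaces)         echo "user.max_user_namespaces = 65536" ;;
        *)  echo "no known unprivileged-userns knob found under $proc_root" >&2
            return 1 ;;
    esac
}

# Stand-alone run: report the live system (reads the real /proc, never writes).
echo "knob:   $(userns_knob)"
echo "status: $(userns_status)"
```

    Re-enabling the knob is the trade-off the comment describes: it restores Flatpak’s bubblewrap sandbox (and rootless containers) but hands unprivileged processes the user-namespace code paths again, which is exactly the attack surface a hardened profile removes by disabling them.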


  • I don’t know by heart if it’s able to do your bidding, but perhaps it’s worth checking out penguins-eggs. I guess the following would be its elevator pitch:

    "penguins-eggs is a console tool, under continuous development, that allows you to remaster your system and redistribute it as live images on usb sticks or via PXE.

    The default behavior is total removal of the system’s data and users, but it is also possible to remaster the system including the data and accounts of present users, using flag --clone. It is also possible to keep the users and files present under an encrypted LUKS file within the same resulting iso file, flag --cryptedclone.

    You can easily install the resulting live system with the calamares installer or the internal TUI krill installer."





  • I disagree with most of the benefits you list

    I’m curious to hear your objections.

    chief among them “increased security”

    Do you deny that specific protection to some attacks is provided through the chosen model of ‘immutability’ on at least one of the atomic distros?

    not to mention half of them are already supported by traditional package managers

    Hmm…:

    • atomicity; nope
    • reproducibility ≠ reproducible builds for some packages (if that’s what you meant)
    • declarative system configuration; Ansible (and any other solution that I’ve witnessed being mentioned in such discussions) succeeds (at best) at convergent system management, while e.g. NixOS does congruent system management by default. Consider taking a look at this page if you’re interested in what these are and how they’re different. (Spoiler alert) congruent is better and therefore more desirable.
    • increased security; security is not limited to the chosen model for ‘immutability’, if at all, as Qubes OS (read: most secure and private desktop OS) doesn’t rely on it for its security. So I can understand where you’re coming from, but I have yet to see any non-security-focused distro that provides the elevated protection against particular attacks that some atomic distros offer by default.
    • built-in rollback functionality; sure, this is not exclusive to atomic distros. Perhaps I should have done a better job at making clear that it isn’t a feature necessarily provided by atomicity. But the fact that I listed it at the very end suggests that it isn’t as exclusive and consequential as atomicity is. At this point, however, it has become almost synonymous with atomic distros, while the same can’t be said about traditional distros.
    • regarding the consequences; I’m unaware of any distro that does those out of the box (barring Pop!_OS with their factory reset). Though, I’d love to be educated on this.

    I was genuinely curious so thanks for the rationale.

    It has been my pleasure ☺️! I’m also genuinely curious to read your reply to this comment😉.


  • Not OP. But for me, atomic updates, reproducibility, (to some degree) declarative system configuration, increased security, built-in rollback functionality and their consequences; rock solid system even with relatively up to date packages, possibility to enable automatic updates in background without fearing breakage, (quasi) factory reset feature, setting up a new system in just a fraction of the time required otherwise are the primary reasons why I absolutely adore atomic[1] distros.


    1. I prefer referring to the so-called ‘immutable’ distros as atomic distros instead. It’s more descriptive, because the distros aren’t actually ‘immutable’ but instead they’re atomic.

  • Distrobox is directly inspired by Toolbx and was created because of limitations of Toolbx and because Toolbx’ maintainers didn’t want to implement some features at that moment in time.

    Currently, Distrobox is almost a superset of Toolbx. Though, I’ve come to the understanding that Toolbx does better at some tasks.

    If you would like to stick to just one of them, then Distrobox is probably still the better one and should be preferred. However, if its added functionality doesn’t do it for you, then please feel free to continue using Toolbx.

    Why is toolbox preinstalled and not distrobox?

    Because Toolbx predates Distrobox and is developed by developers that are associated with Fedora and even specifically designed in hopes of solving some issues pertaining to Fedora’s Atomic distros.


  • Thanks a lot for this excellent write-up! I believe it has successfully fulfilled its purpose.

    To make myself absolutely clear: I believe that we agree in our general sentiment towards systemd; I don’t like how it has almost ostracized other inits, nor do I like how ever-impactful it has become across the board, so much so that even the most established DE (read: GNOME) has had hard dependencies on systemd in the past[1].

    And this is where I think you’ve contradicted yourself. IMO, the only reason opponents use it is not because it’s so great but because it’s so entrenched in whichever distro they’re using.

    Got it! I see now why you might have perceived that as a contradiction. And honestly, you might be correct! I assumed that systemd is used for how it might enable the full system AppArmor policy[2] and other features that Kicksecure has become known for. Honestly, I’m not an expert on Kicksecure myself. I just like the project and even try to import some of their systemd-related features and/or configs on my daily driver.

    Based on past readings, the idea that systemd was (ironically) still preferred on Kicksecure for security-related features stuck with me. But, honestly, it could have been my misunderstanding and instead they might have chosen to make the best out of it as not using systemd would have increased the maintenance burden tremendously.

    This conversation has opened the possibility to me that Kicksecure’s maintainers might have stuck to systemd for non-security reasons. Ultimately, your contribution by addressing that point has been immense. Thank you so much for the insight and for being patient with me 😊!


    1. I believe this has since been resolved.
    2. Based on the following statement: “AppArmor can do this by loading a profile for systemd in the initramfs.” found here


  • alt@lemmy.ml to Linux@lemmy.ml · *Permanently Deleted* · edited, 1 year ago

    the best os-design there is: the unix-like system.

    Couple of questions:

    1. Is there even any scientific basis to this statement?
      • If yes, would you be so kind as to cite sources, as I have trouble finding peer-reviewed articles on the matter.
      • If not, would you be able to make a logically sound argument on why that is the case?
    2. Why Unix-like and not Unix? Wouldn’t Unix be the actual “original vision”?

  • alt@lemmy.ml to Linux@lemmy.ml · *Permanently Deleted* · edited, 1 year ago

    In case you’re bored enough to read my ramblings and/or interested in what I understood and how, then consider reading the spoiler below.

    spoiler

    Fam, you’re all over the place.

    Because you did an awful job at pointing at the supposed contradiction, I’ll have to analyze your excuse of an elaboration so that it somehow starts to make sense if at all:

    A contradiction consists of N statements that logically contradict each other; for the sake of making it more precise we’ll refer to these statements as P, Q, R, S etc. After we’ve established this, we can move on to find what these alleged statements are from your comments. My best take would be:

    (Supposed) Contradicting Statements:

    • P: systemd is the only init that’s beyond a particular level of excellence and/or feature set.[1]
    • Q: Some combinations of distro + DE are cumbersome and unwieldy at best if systemd is not used.[2]

    Perhaps some other related statements that are either implied or a given/fact:

    • R: Kicksecure uses systemd as its init.
    • S: Modern distros use an init.
    • T: Default init is chosen based on preference[3].
    • U: Kicksecure has to use systemd because P despite not being in favor of some aspects of its design.

    Please feel free to notify me if I missed the mark!

    Don’t you think that P and Q are actually complementary to one another?


    No, not at all.

    The crux might be here. But I’m not sure where exactly you might have tripped over. Was it because I said “opponents” instead of “(some) opponents”? Was it because I said “out of necessity”, while elsewhere I said “don’t allow any differentiation in init or make it very cumbersome and unwieldy at best”, but in this case they aren’t contradictory statements. Was it the fact that Devuan exists? But, this assumes that any of the inits found on Devuan are somehow as mature and feature-rich as systemd. Which, unfortunately, is simply not the case. (I’m hopeful that dinit and s6 might reach maturity soon, though.)

    So trying to use Kicksecure without systemd would be very cumbersome and unwieldy at best.

    Exactly, that was my point.

    Perhaps Madaidan should’ve used Devuan as a starting point instead.

    It’s a team effort, I don’t even know if he started working on Kicksecure from its inception[4]. They might also simply be victims of the sunk-cost fallacy. Furthermore, I wouldn’t be surprised if -to them- systemd’s pros simply outweigh its cons. Which, curiously, gets us back to the entire point of my original comment; viable alternatives to systemd don’t exist. This painful truth is not only sad and unfortunate, but perhaps even worrisome for the future of Linux.


    1. From: “systemd has become so good that even opponents can’t deny its merits and continue to make use of it for the time being out of necessity”
    2. From: “some combinations of distro + DE don’t allow any differentiation in init or make it very cumbersome and unwieldy at best.”
    3. Preference is arguably too broad of a term, but I wanted to make clear that distro maintainers have different priorities.
    4. This page suggests otherwise, simply because someone else is referred to as founder. Though, ultimately, I don’t know.

    If not 😜; did I understand you correctly in that the mere existence of Devuan is the supposed contradiction?