From c24514cc419e9d4600dbf3b2cfe56ceb4a90a7e8 Mon Sep 17 00:00:00 2001 From: Ganwtrs Date: Wed, 26 Nov 2025 12:24:26 -0800 Subject: [PATCH 1/3] Remove Whonix from Choosing Your Desktop Linux Distribution Signed-off-by: Ganwtrs --- .../Choosing Your Desktop Linux Distribution/index.md | 8 -------- 1 file changed, 8 deletions(-) diff --git a/content/posts/linux/Choosing Your Desktop Linux Distribution/index.md b/content/posts/linux/Choosing Your Desktop Linux Distribution/index.md index 7e2e9a203..b7093e775 100644 --- a/content/posts/linux/Choosing Your Desktop Linux Distribution/index.md +++ b/content/posts/linux/Choosing Your Desktop Linux Distribution/index.md @@ -83,11 +83,3 @@ Fedora Atomic Desktop's European counterpart. openSUSE Aeon is a rolling release [Aeon](https://microos.opensuse.org/) has a relatively small set of base packages (thus lowering the attack surface) and mounts the running BTRFS subvolume as read-only. Updates are applied package by package to a new BTRFS snapshot before the system is rebooted to the new subvolume. This allows the rollback process to be relatively easy just like on Fedora Atomic Desktops. {{< youtube id="jcl_4Vh6qP4">}} - -### Whonix - -[Whonix](https://www.whonix.org/) is a distribution focused on anonymity based on [Kicksecure](https://www.whonix.org/wiki/Kicksecure). It is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden. It is currently the best solution that I know of if your threat model requires anonymity. - -Some of its features include Tor Stream Isolation, [keystroke anonymization](https://www.whonix.org/wiki/Keystroke_Deanonymization#Kloak), [boot clock randomization](https://www.kicksecure.com/wiki/Boot_Clock_Randomization), [encrypted swap](https://github.com/Whonix/swap-file-creator), hardened boot parameters, and hardened kernel settings. One downside of Whonix is that it still inherits outdated packages with lots of downstream patching from Debian. It would be better if Whonix gets reimplemented on top of a more sensible base like SecureBlue, although no such system publicly exists yet. - -Although Whonix is best used [in conjunction with Qubes](https://www.whonix.org/wiki/Qubes/Why_use_Qubes_over_other_Virtualizers), Qubes-Whonix has [various disadvantages](https://forums.whonix.org/t/qubes-whonix-security-disadvantages-help-wanted/8581) when compared to other hypervisors. From 54801d3f3c095cf856dd27c551d335dd3ab4c5b7 Mon Sep 17 00:00:00 2001 From: Ganwtrs Date: Sun, 21 Dec 2025 19:00:12 -0800 Subject: [PATCH 2/3] recommend secureblue over the other choices Signed-off-by: Ganwtrs --- .../index.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/content/posts/linux/Choosing Your Desktop Linux Distribution/index.md b/content/posts/linux/Choosing Your Desktop Linux Distribution/index.md index b7093e775..231324612 100644 --- a/content/posts/linux/Choosing Your Desktop Linux Distribution/index.md +++ b/content/posts/linux/Choosing Your Desktop Linux Distribution/index.md @@ -49,6 +49,12 @@ Wayland's predecessor, [X11](https://en.wikipedia.org/wiki/X_Window_System), doe Here is a quick, non-authoritative list of distributions we recommend over others: +### SecureBlue + +[SecureBlue](https://secureblue.dev/) is the best traditional desktop Linux distribution for privacy and security. It provides hardened operating system images based on Fedora Atomic Desktops. While they do additional parties of trust (SecureBlue, GitHub infrastructure, BlueBuild, Negativo, etc), their images are substantially hardened and not easily replicated by hand. There are several very interesting packages maintained by SecureBlue as well: +- [Trivalent](https://github.com/secureblue/Trivalent), a hardened chromium desktop build with patches from GrapheneOS's [Vanadium](https://github.com/GrapheneOS/Vanadium). +- [Hardened Malloc](https://github.com/secureblue/fedora-extras/tree/live/hardened_malloc). SecureBlue packages GrapheneOS's memory allocator and enables it system wide, including for Flatpak applications. + ### Fedora Workstation ![Fedora](fedora-screenshot.png) @@ -69,13 +75,6 @@ Fedora's package manager, `dnf`, has a great rollback and undo feature that is g One caveat with Fedora Atomic Desktops is that `rpm-ostree` currently has a hard dependency on `grub` and does not support Unified Kernel Images. The consequence of this is that unlike Fedora Workstation, it is not possible to set up a Fedora Atomic system with meaningful Secure Boot to resist physical tampering. -### SecureBlue - -[SecureBlue](https://secureblue.dev/) provides hardened operating system images based on Fedora Atomic Desktops. While they do additional parties of trust (SecureBlue, GitHub infrastructure, BlueBuild, Negativo, etc), their images are substantially hardened and not easily replicated by hand. There are several very interesting packages maintained by SecureBlue as well: -- [Trivalent](https://github.com/secureblue/Trivalent), a hardened chromium desktop build with patches from GrapheneOS's [Vanadium](https://github.com/GrapheneOS/Vanadium). -- [Hardened Malloc](https://github.com/secureblue/fedora-extras/tree/live/hardened_malloc). SecureBlue packages GrapheneOS's memory allocator and enables it system wide, including for Flatpak applications. - - ### openSUSE Aeon Fedora Atomic Desktop's European counterpart. openSUSE Aeon is a rolling release, fast updating distributions with [transactional updates](https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/) using [Btrfs](https://en.wikipedia.org/wiki/Btrfs) and [Snapper](https://en.opensuse.org/openSUSE:Snapper_Tutorial). From 08a985ba032e0b1a456b0d64f237211f1b6a6151 Mon Sep 17 00:00:00 2001 From: Ganwtrs Date: Sun, 21 Dec 2025 19:04:12 -0800 Subject: [PATCH 3/3] secureblue is technically not a Linux distro Signed-off-by: Ganwtrs --- .../linux/Choosing Your Desktop Linux Distribution/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/posts/linux/Choosing Your Desktop Linux Distribution/index.md b/content/posts/linux/Choosing Your Desktop Linux Distribution/index.md index 231324612..338547832 100644 --- a/content/posts/linux/Choosing Your Desktop Linux Distribution/index.md +++ b/content/posts/linux/Choosing Your Desktop Linux Distribution/index.md @@ -51,7 +51,7 @@ Here is a quick, non-authoritative list of distributions we recommend over other ### SecureBlue -[SecureBlue](https://secureblue.dev/) is the best traditional desktop Linux distribution for privacy and security. It provides hardened operating system images based on Fedora Atomic Desktops. While they do additional parties of trust (SecureBlue, GitHub infrastructure, BlueBuild, Negativo, etc), their images are substantially hardened and not easily replicated by hand. There are several very interesting packages maintained by SecureBlue as well: +[SecureBlue](https://secureblue.dev/) is the best traditional desktop Linux operating system for privacy and security. It provides hardened operating system images based on Fedora Atomic Desktops. While they do additional parties of trust (SecureBlue, GitHub infrastructure, BlueBuild, Negativo, etc), their images are substantially hardened and not easily replicated by hand. There are several very interesting packages maintained by SecureBlue as well: - [Trivalent](https://github.com/secureblue/Trivalent), a hardened chromium desktop build with patches from GrapheneOS's [Vanadium](https://github.com/GrapheneOS/Vanadium). - [Hardened Malloc](https://github.com/secureblue/fedora-extras/tree/live/hardened_malloc). SecureBlue packages GrapheneOS's memory allocator and enables it system wide, including for Flatpak applications.