this post was submitted on 23 Nov 2024
85 points (97.8% liked)

Linux

48372 readers
1193 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
top 11 comments
sorted by: hot top controversial new old
[–] [email protected] 2 points 1 day ago (1 children)

I find the authors concerns about security to be at odds with their enthusiasm for flatpak and systemd. Personally I don't think containerised applications get as much attention from package maintainers or security audits. Systemd is also expanding into every area of the OS including recently offering a sudo alternative which is basically creating one massive attack surface.

[–] [email protected] 1 points 23 hours ago

Even if you're rightfully concerned, they become non-issues in the author's platform of choice: Qubes OS.

The reason (I think) they mentioned all of those explicitly Linux things, is because they've also stopped using OpenBSD VMs in Qubes OS.

[–] [email protected] 23 points 3 days ago

Excellent write-up!

Though, it's a pity that a great ambassador of OpenBSD has stopped using it.

[–] [email protected] 10 points 3 days ago (1 children)

Welcome to the dark side! Although I am curious how long you will stay with QubesOS... I have the feeling its overkill for non-snowden use-cases. Also it would be interesting why you went from OpenBSD directly to Linux and didn't take freebsd into consideration? Or if you tried, what made your decision to go for Linux instead?

[–] [email protected] 6 points 3 days ago (1 children)

As someone who does a lot of infrastructure work on AWS, Azure, GCP etc, it's just about the only operating system I'll use at this point for that kind of work. The isolation I get per-client and per-environment is unmatched. There's a little more upfront work to get everything the way you like (putting ZSH configs on /etc/skel of your templates for example) but once it's set up it's really solid. Having the windows named and color coded really helps me keep from crossing wires when stuff gets chaotic and I'm jumping around a lot.

It's obviously MUCH worse at certain things such as CAD, but they're still workable in it. HVMs can remedy this pretty easily but it's not quite as seamless as the standard Qubes unfortunately but it's progressed a LOT in a short amount of time so we'll see what the future holds!

[–] [email protected] 5 points 2 days ago (1 children)

So what about FreeBSD? And did you read up on Flatpak having security issues because the containerization is supposedly not sufficient?

[–] [email protected] 4 points 2 days ago* (last edited 2 days ago)

I switched off of BSD about a decade ago so I can't weigh in on it's current state at all. I generally avoid Flatpaks at least in Qubes. I do have a template that supports it but it's only running on my Music VM currently which is offlined, the rest follow the traditional template+AppVM approach which I keep updated on a schedule.

I have never operated under the assumption that flatpaks are sandboxed or secure because they really aren't. It's a system to bundle packages with your software without contaminating the host environment. The big issue really is in the package maintainers shipping outdated packages, containers were never a security measure in my eyes due to the shared kernel and especially not with the default share of the homedir for flatpaks. If you need that kind of isolation you really need a VM. I treat them as a standard install personally without any expectations of isolation, and really with Silverblue I'm leaning more towards installing apps directly in Distrobox and exporting them to the host, it still has the shared homedir issue but you're getting up to date packages in a desired environment that you fully control (this is both good and bad since maintenance is on you).

I think it's a good idea if there were stricter requirements, maybe vulnerability scanning as a requirement to releasing and pulling stale flatpaks after a period of no releases to start. It's difficult to appease everyone in this situation and breaking changes would be inevitable so it is difficult to fully solve now that it already exists as it does. I do think supply chain attacks will only get more common though so they definitely need work.

[–] [email protected] 3 points 3 days ago (1 children)

QubeOS has quite a bit of issues to , unless it’s better now?

[–] [email protected] 1 points 23 hours ago

It ain't perfect. But it's the best we got when it comes to a secure OS on x86.

The author is even quite explicit when they mentioned to use Fedora Silverblue for gaming.

[–] [email protected] 3 points 3 days ago (1 children)

Great blog post, always nice to read about other people’s experiences. I was curious if you’d switch back to NixOS, but that’s not the case. Cubes OS looks interesting, I checked it out a few years ago. I should give it another look.

[–] [email protected] 1 points 23 hours ago

I believe the author continues to make use of NixOS VMs withing Qubes OS.