Images for GNOME and KDE with minimal hardening applied - GitHub - qoijjj/hardened-images: Images for GNOME and KDE with minimal hardening applied
I didnt know these existed!
What is this? These are images based on ublues "starting-point" toolkit to create modified variants of Fedora Atomic (the name for all atomic, immutable etc distros).
This means everyone can create the Distro they prefer, with programs, settings, services, udev rules, wallpapers, hardening etc. exactly as they want, while keeping just these diverging from upstream.
So the result is a project with somewhat of a difficult (but currently working) 3rd party dependency, but the result is very close to upstream and a drop-in replacement.
Just like with ublue, all you need to do is rebasing to the unsigned image, rebooting and rebasing to the signed image. The guide is in the repos!
Its important to test it, and help the developers maintain the components!
Yes! Its not that hard as the changes are not big.
That specific distro I linked is veeeery opinionated, installing Chromium, removing Flatpak and even software stores. So how am I gonna install software now, layering? Its a bit of a joke on "security" I dont get with all that namespace stuff. I guess this just doesnt work with Flatpaka and to my knowledge flatpaks are more secure than RPMs
This wouldn't sit well with most privacy conscious folk out there. Though, I can understand it from a security point of view. Especially, when one notices that Chromium isn't installed from Fedora's repos, but instead the RPM is built to offer a more up-to-date version that should provide improved security compared to the stable version.
removing Flatpak
Probs for the sake of disabling unprivileged user namespaces; as you might have correctly alluded to.
even software stores
I imagine for the sake of minimizing attack surface.
So how am I gonna install software now, layering?
The Nix package manager is installable on Fedora's atomic distros, so perhaps that route is worth exploring.
to my knowledge flatpaks are more secure than RPMs
To my knowledge, Flatpak's sandbox indeed isn't achievable by default with RPMs; unless one knows how to properly utilize SELinux to that effect.
I also like the security aspects, but Chromium OS limits me too much. I can see Android getting to a point I can use it, given the apps.
I would appreciate if there was a better way to create Android apps though. Something libre, stable and included in major distro repos would be nice. I think Debian has made some advancements in regards to that?