I have been tossing around the idea of a little distro hopping. I’m an avid Mint fan. It was my first jump from Windows. I became quite familiar with Mint but felt the want to branch out and went down the rabbit hole (oh my lanta). I like stability and cleanliness. Security by default. Least mental load possible long-term.

I’m currently testing out NixOS. Next will be VanillaOS, 3rd will be Fedora Silverblue. Anyone have good recommendations? Easy backups, stability, security-first posture, least maintenance and memory load. I hate getting scattered in symlinks, scripts, and filesystem placing.

I’ve tried going full custom Linux Mint. But AppArmor and Firejail constantly conflict or require manual updating and tweaking to keep up to date with app installs, or general life cycle updates.

The most intriguing aspect of NixOS was that basically the entire configurable system was confined to two files. Infinitely reproducible. I tend to swap laptops or hardware relatively often, being on the go or getting good tech deals. Having your entire system in two files essentially is awesome.

What are some pros and cons of different distros? What do you daily drive as a power user? Give me your thoughts and recommendations! Thanks.

  • fool@lemmy.dbzer0.com · 10 hours ago · 5 up / 1 down

    It depends on what you mean by “secure”. I’m going to assume that your threat model is “I want to minimize the damage caused by any generic malware”. If you would like tips on some other threat model, I would be happy to assist you.

    Generally, I would recommend fedora secureblue or silverblue. It works very well “out of the box”, doesn’t require much maintenance, and it has relatively good security defaults.

    I wouldn’t call NixOS inherently “secure”, because it doesn’t have nearly as many security benefits compared to more security-focused distros. Immutability doesn’t really help much in this context because all it’s doing is making your root read-only. In most cases, an attacker getting access to your home directory is just as bad as them having root access. Security aside, if NixOS suits your other needs then I encourage you to keep using it.

    Qubes is probably overkill. I would only recommend using it if your threat model depends on it. It offers very good sandboxing/compartmentalization, but it can be tricky to use and is resource-intensive. Personally, I don’t think it has the best “out of the box experience” and most of its benefits can be replicated (with much effort) on a distro like gentoo or arch.

    Gentoo and Arch have the highest potential to become the “most secure” because they are the most customizable but they require a lot more maintenance since you essentially have to learn how to build your system from the ground up.

    In the end, I don’t think the distro matters too much because as long as you can tweak the distro to fit your needs (or threat model), you will eventually end up with your own perfect mix of usability and security. You can start hardening your system by: configuring the firewall (I recommend ufw), proper sandboxing (I recommend using flatpaks or writing your own bubblewrap scripts), and maybe running untrusted processes in a virtual machine (I recommend qemu/virt-manager). For more advanced security, I would highly recommend looking into Mandatory Access Control (Fedora enables SELinux by default but you can tailor the reference policy to be VERY strict).

    Once again, if you have anything more specific in mind in regards to security, I’ll be happy to elaborate :D

  • Tenderizer78@lemmy.ml · 16 hours ago · 3 up

    I’m not an expert, but OpenBSD may be a wildcard option. I’ll leave considering that to somebody else.

  • monovergent 🛠️@lemmy.ml · 18 hours ago · 2 up

    As others have suggested, QubesOS is a good one to have on your list. I’d probably use it if it weren’t for its crippling effects on battery life.

    Immutable distros are much friendlier to laptops and, as I understand, update in a way not unlike an Android device would. But I insist on some system-level customizations and I haven’t been motivated to learn how such customizations can be made to survive updates and the like.

    I’ve also been eyeing NixOS, but with everything up and running on Debian smoothly for a few years, I haven’t found the excuse to switch yet. Along with customizing it to be a comfortable daily driver, I’ve also been trying to see how secure I can make my system as a fun exercise. While it’s not immutable, Debian is a good base considering the team behind it and how much is riding on its security, including internet-facing servers.

    What I’ve done to harden Debian, if anyone’s interested:

    • Apply Madaidan’s hardening guide judiciously. Roughly 2/3 of the measures made sense for my use case and it’s almost unnoticeable in my daily workflow.
    • Have as few closed-source components as possible. In my case, intel-microcode is the only non-free package on my system.
    • Install the hardening-runtime package, but remove its included slub_debug=FPZ kernel argument, which in recent kernels forces less secure unhashed pointers.
    • XFCE is still not fully ported to Wayland, so I use slock, the X11 screen locker with fewest lines of code.
    • Install the ufw firewall and default to deny.
    • Enable unattended-upgrades.
    • Everything including the /boot partition is encrypted. I have built coreboot with just the GRUB2 payload, which I configured to immediately bring up the LUKS password prompt. All other options are behind a password.

    I also put together and maintain a ~16 GB clean system image of Debian set up exactly to my taste, which I clone to my machines as needed. This probably wouldn’t have been a thing if I knew about NixOS earlier, and it certainly hasn’t helped me switch over either.
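As an added example (not code from the post above, from the thread's first reply, or from any project), the following POSIX shell script audits a Debian install against three of the hardening points raised in this thread: ufw installed and defaulting to deny, unattended-upgrades switched on, and no slub_debug= left on the kernel command line by the hardening-runtime package. It assumes Debian's default file locations (/proc/cmdline, /etc/default/ufw, /etc/ufw/ufw.conf and /etc/apt/apt.conf.d/20auto-upgrades); every check also accepts a path argument so it can be run against copies of those files.

```shell
#!/bin/sh
# Added example: audit a Debian box against hardening points from this thread.
# Not part of the post or of any project. File paths below are Debian defaults;
# each check takes an optional path argument so it can be pointed at a copy.

# 1. Kernel command line: hardening-runtime ships slub_debug=FPZ, which the
#    post above removes, so its presence is reported as a finding.
cmdline_has_slub_debug() {
    grep -q 'slub_debug=' "${1:-/proc/cmdline}"
}

# 2. ufw's default inbound policy lives in /etc/default/ufw; DROP or REJECT
#    both count as "default deny".
ufw_default_deny() {
    grep -Eq '^DEFAULT_INPUT_POLICY="(DROP|REJECT)"' "${1:-/etc/default/ufw}"
}

# 3. ufw is actually switched on ("ufw enable" writes ENABLED=yes here).
ufw_enabled() {
    grep -q '^ENABLED=yes' "${1:-/etc/ufw/ufw.conf}"
}

# 4. unattended-upgrades only runs when APT's periodic hook is set to "1".
unattended_upgrades_on() {
    grep -q '^APT::Periodic::Unattended-Upgrade "1";' \
        "${1:-/etc/apt/apt.conf.d/20auto-upgrades}"
}

# Print one PASS/FAIL line per check and return the number of failures.
# Arguments (all optional, in order): cmdline ufw_default ufw_conf apt_periodic
audit_hardening() {
    fails=0
    if cmdline_has_slub_debug "$1"; then
        echo "FAIL slub_debug= is on the kernel command line (remove it from the boot loader's kernel arguments)"
        fails=$((fails + 1))
    else
        echo "PASS no slub_debug= on the kernel command line"
    fi
    if ufw_default_deny "$2"; then
        echo "PASS ufw default inbound policy is deny"
    else
        echo "FAIL ufw default inbound policy is not deny (run: ufw default deny incoming)"
        fails=$((fails + 1))
    fi
    if ufw_enabled "$3"; then
        echo "PASS ufw is enabled"
    else
        echo "FAIL ufw is not enabled (run: ufw enable)"
        fails=$((fails + 1))
    fi
    if unattended_upgrades_on "$4"; then
        echo "PASS unattended-upgrades is enabled"
    else
        echo "FAIL unattended-upgrades is off (run: dpkg-reconfigure unattended-upgrades)"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Stand-alone use: "sh audit.sh --run" audits the live system and exits
# non-zero on any finding, so it can sit in cron or a post-install hook.
if [ "${1:-}" = "--run" ]; then
    audit_hardening
fi
```

The checks read configuration files rather than calling ufw or apt, so the script works without root and without either tool being present; the trade-off is that a policy changed at runtime but not persisted would not be seen.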

    • OhVenus_Baby@lemmy.ml (OP) · 17 hours ago · 3 up

      You have some decent hardening, just note X11 is turning legacy; Wayland seems to be picking up for many reasons. I’m only slightly familiar with Debian as a whole. I’d look into Firejail, AppArmor, the Firetools GUI for Firejail, Flatseal, and good backup plans.

      I discovered NixOS a few days ago and while it was a steep learning curve to set up! And I mean a learning curve and steep in all senses. It’s quite possibly the smoothest, simplest distro I’ve ever used once you make it run. Instant rollbacks in GRUB. It boots in GRUB in order. Boot 23 works, you tried tweaking, boot 24 failed, you made it work, boot 25. Got mad. Select boot 23 in GRUB and you’re back to square one. 10 seconds.

      Due to the nature of it you can choose like any desktop type you’d like, from XFCE to Cinnamon or names I never heard of, even headless, and literally any of them: GNOME, KDE, you name it. I like simplicity. Low mental load. Immutable is a chef’s kiss but configurable strikes my fancy.

      I loathe getting scattered in symlinks, scripts, having files I forget about scattered all through my system, shit updates and breaks because I firejailed an app from 2 years ago. So much hassle. I like to boot and go. Keeping all of my configs in literally 2 Nix files is fantastic, no more where did this go, or where did this write to. It will never change, update and break, it’s like a master key that will forever work. Just don’t lose your config and any hardware, any time, if you have your master file you can boot in like you were at your machine the time you left.

      I still think about my first love, Linux Mint, so I installed Cinnamon and now I feel I got the best of both worlds. I nearly gave up after a few days (OK, like 4 or 5, lol) of attempting a custom install of NixOS: full LUKS from boot to home, all my installed apps and configs, separated partitioning, containerized apps, I went all out. Idles at 1% CPU themed with applets, desklets, conky, etc. Created a couple copies of my Nix config file and I feel fairly safe. I built it all and tweaked, then compiled it all finalized. Once you understand the concepts in their coding style, it’ll click in your brain.

      I went straight from Windows to Mint for 2 years, barely touching the terminal. Now, with a little internet research for commands, I can crawl through almost any issue. I’ve broken so much stuff. But at least it wasn’t a Windows update borking/bricking my entire PC into a paperweight again. I chose to experiment. I’ve cussed myself so many times. But anything is better than going backwards.

  • IHave69XiBucks@lemmygrad.ml · 2 days ago · 9 up

    Honestly I’d argue Debian stable is the most secure as long as the apps you’re using are getting security hotfixes backported. Since you get all the security fixes and none of the new features that tend to be where new security holes pop up. Combine that with good opsec in general, and you’re basically good to go.

    One thing tho. Some people use them interchangeably, but is your focus security or privacy? Security being harder for bad actors to exploit something on your system, and privacy being strict control over your data.

    • OhVenus_Baby@lemmy.ml (OP) · 1 day ago · 1 up

      Privacy is generally good opsec. This is just for daily use for all things laptop. I focus on security and privacy. But if you’re secure then nobody can get to your private files etc.

  • 𞋴𝛂𝛋𝛆@lemmy.world · 2 days ago · 7 up

    Fedora’s Anaconda system makes UEFI secure boot easy and ships with SELinux integrated but set to permissive by default. Their built in network filtering tools are pretty easy but I still just use OpenWRT on a separate device. Silverblue was nice for a few years but I switched to Workstation for a machine with Nvidia hw.

    • OhVenus_Baby@lemmy.ml (OP) · 2 days ago · 2 up

      I’ve heard good things about Workstation. I’ve really been distro shopping and that’s the great thing about the Linux and open source community. Having all the options! That being said, I think it’s a big part of the lack of cohesive expansion too. Going too wide instead of deep. So projects don’t last unless they’re big. Like Ubuntu or Debian etc.

        • kylian0087@lemmy.dbzer0.com · 1 day ago (edited) · 3 up / 3 down

          Debian is so old it doesn’t work on very modern hardware… So what are you talking about?

          Also Ubuntu is not a “server” option. They do have a server option yes. It is the most used desktop or at least was.

          Also I used Arch for ca. 2 years and not once needed to use a backup. Even though I abused the hell out of it.

          • Geodad@lemmy.world · 1 day ago · 2 up

            Debian is so old it doesn’t work on very modern hardware

            Why is it running on my new MSI Katana?

            • kylian0087@lemmy.dbzer0.com · 1 day ago · 2 up

              Old kernel = old drivers. It’s that simple… Things might work on a basic level, sure. Drivers are baked into the kernel, and when you use a damn old version of it you get old drivers and old hardware support.

              • Geodad@lemmy.world · 1 day ago · 3 up

                Everything works. Even the Nvidia drivers work.

                I play Final Fantasy XIV on this laptop with no problems.

          • 𞋴𝛂𝛋𝛆@lemmy.world · 1 day ago (edited) · 4 up / 3 down

            Are you insane? Debian is a base distro like any other and runs more hardware than any other. It has all of the bootstrapping tools to get hardware working.

            Canonical is a server company and Ubuntu server is literally the product.

            Arch is absolute garbage for most users unless you have a CS degree or you have entirely too much time on your hands and don’t mind an OS as your life project. Arch abhors tutorial content in all documentation and therefore dumps users into a rabbit hole regularly. Pacman is the worst package manager as it will actively break a system and present the user with the dumbest of choices at random because the maintainers are ultimately sadistic and lackadaisical. Arch is nearly identical to Gentoo with Arch binaries often based on Gentoo builds, yet Gentoo provides relevant instruction and documentation with any changes that require user intervention and does so at a responsible and ethical level that shows kindness, respect, and consideration completely absent from Arch. Arch is a troll by trolls for trolls. I’m more than capable of running it now, but I would never bother with such inconsiderate behavior.

  • HayadSont@discuss.online · 2 days ago (edited) · 6 up

    I like stability and cleanliness. Security by default. Least mental load possible long-term.

    Excellent breakdown of your desires! FWIW, I definitely resonate with these as well.

    I’m currently testing out NIXos. Next will be VanillaOS, 3rd will be Fedora Silverblue.

    One simply can’t ignore the fact that these are so-called atomic distros. Which makes a ton of sense considering what you set out for. FWIW, my personal takes on the individual projects are as follows:

    • NixOS is pretty excellent. If the epitome of cleanliness is reached with becoming stateless, then there’s simply no other viable alternative.
    • For VanillaOS, I feel it has yet to fully realize its promise. Or, at least, hasn’t fulfilled whatever’s required to break into the (relative) ‘mainstream’ for one reason or another.
    • Fedora Silverblue has been my daily-driver in some shape or form over the last three years 😅. As such, I’m clearly biased. However, I’d reckon secureblue, i.e. a derivative that goes all-in on security, is actually more interesting for you.

    Anyone have good recommendations? Easy backups, stability, security first posture, least maintenance and memory load. I hate getting scattered in symlinks, scripts, and filesystem placing.

    Honestly, with Fedora Atomic and NixOS, you’re already considering the very best at the job. Though, for completeness’ sake, consider looking into openSUSE Aeon as well. While I’d argue the other two are currently more interesting, I wouldn’t want to dismiss it altogether.

    Beyond these, we find some other distros that miss something crucial for them to be considered a legit candidate/alternative:

    • Guix System can put up a decent fight against NixOS and may even sway you over if you’re into lisp. Unfortunately, though, it has yet to receive what flakes brought to the table for NixOS. Don’t get me wrong; Guix’ implementation of channels is vastly superior over Nix’ and therefore Guix System doesn’t gain as much from its (to be) flake counterpart. However, with flakes, NixOS becomes pretty smooth sailing. Like, you can just trust it to work reliably. With Guix, however, it can get ugly sometimes. Which can even lead the biggest Guix proponents back to NixOS…
    • Kicksecure is another hardened-by-default distro worth mentioning. Sadly, unlike secureblue, it does nothing with atomicity.

    What are some pros and cons of different distros?

    This is too broad of a question 😅. If possible, narrow it down to some face-offs you’re particularly interested in. After which I will try to help out if I can. Btw, I ‘found’ this comment that attempts to assign tiers to distros in terms of how they fare security-wise.

    What do you daily drive as a power user?

    Without going over what a power user is and/or if I would even qualify as such, I’ve been daily-driving secureblue for over a year now.

    Give me your thoughts and recommendations! Thanks.

    At this point, I think both NixOS and secureblue pose as the most interesting candidates for ya. The former peaks in cleanliness, while the latter peaks in security.

  • kylian0087@lemmy.dbzer0.com · 2 days ago (edited) · 6 up

    Most major distros are fairly secure by default without things breaking (Arch is an exception there, as you got to set that up yourself).

    If you want to go extreme there is Qubes OS. But you can not swap that across systems like you might want to.

    • OhVenus_Baby@lemmy.ml (OP) · 2 days ago (edited) · 4 up / 1 down

      Qubes is good. Not super daily driver friendly. Lots of tweaks needed. I use a laptop like a phone replacement. Banking, apps, messaging, all sorts of usual phone tasks. Also Qubes is too resource heavy on a laptop, it drains the batteries in a couple hours on basic usage. Takes 16 gigs of RAM to run and 32 GB to breathe really. Plus 30 ish percent CPU idle roughly on a 12th gen Intel i7.

      It’s too heavy to daily, perfect for desktop, just not laptop all day material.