So, I’m currently on Kubuntu and I’m not really a fan. I want to take the opportunity to switch to a better distro. Ideally I’d use secureblue but I’m hoping for advice on how practical it is as a daily driver from the people who’ve used it.
My priorities are:
- Using Linux.
- Using Firefox.
- Security, within reason.
- Using software which treats security with the importance it warrants (If desktop Linux should improve in one area in 2026, it’s security).
My options are:
- Fedora Kinoite
- Fedora KDE with some hardening
- Secureblue
My needs are:
- Browsers: Firefox, Mullvad Browser, a Blink-based browser (backup).
- Extensions: Ublock Origin (Lite or otherwise), Noscript, Proton Pass
- Apps: Freetube, Anki, Discord, Threema, Libreoffice, Mullvad VPN, Kwrite, Kolourpaint
- Sound: Bluetooth headphones, Sound, Printing (Optional)
I’ve stopped using themes, partly because of the security issues and partly because I just don’t really like them anymore. I’ve replaced them with the Plastic window decorations that come default on Kubuntu and a custom colour scheme.
On Firefox:
- I need Firefox because it allows me to create duplicate bookmarks with ease. I manage a lot of things via bookmarks and sometimes they overlap.
- Secureblue has been incompatible with Firefox in the past, but IIRC Firefox recently added support for hardened_malloc. I can’t find where I read this though.
- In terms of the security issues with Firefox, I’ve installed Noscript to prevent untrusted sites from running javascript (especially Wasm). I can swap to a blink-based browser where it requires trusting too many sites.
- Proton Pass … I don’t log directly into it on my computer (only on GrapheneOS) and I don’t have my 2FA keys stored on it. I need it for a Passkey because neither Linux nor GrapheneOS support them natively and my government services’ 2FA codes requires it’s own app which requires the Play Integrity API (bloody Australia). My government services are a very high value target (because Australia).
- I wonder if I really need hardened_malloc in the first place, since with the state of Linux security I’m not sure there’s a reason someone would use a memory vulnerability unless I’m being targeted personally (and nobody’s gonna do that for me).
Security goals:
- I want to make sure the software I install to not have access to anything it doesn’t need to.
- I want to make sure that any website I visit won’t be able to access my file system.
- I want to make sure that my browser extensions won’t be able to access my file system.
- I want to use a distro that’s somewhat resilient against supply chain attacks.
- Proximity to upstream for timely security patches.
I’ve been on secureblue for months. It has it’s quirks but I don’t see anything in your post that would be a problem. You can turn off hardened-malloc on a case by case basis if needed, and this is especially easy for Flatpaks.
You can try secureblue and if it does not fit your use cases try Fedora and tinker a bit with bubblejail and other hardening yourself, with that you will learn a lot which is even more valuable than just using a secure os. As far as I know Fedora uses SELinux already which is pretty good.
If you depend on a secureos to protect your life/assets against threat actors like states or any other organisation with massive amount of people and or time/money then the answere will be very complicated and I would suggest talking with a professional consultant because the correct answere can very on many little factors. SecureBlue or QubesOS are fine, no PC and only GrapheneOS even better.
If you depend on a secureos to protect your identity against threat actors like states… …the answere will be completly different since privacy and security can be complimentary goals. TailsOS is suitable in this case.
Basically what I’ve learnt with this thread is the same thing anyone learns when asking which distro to pick, “it doesn’t matter, just pick one”.
It does not matter in the sense of distro hopping because most people are hopping without a goal, or if they have a goal the goal is possible with the current solution too.
But in this case its different. You have a goal and security has its requirements. If you want to protect against supply chain attacks, using Arch Linux would be a risk for example.
It always depends. Your goal is security and you found out about secureblue. Alone with that you are far ahead of elses people who only hop distros for no reason.
secureblue is pretty good, fully recommend. immutables take a lot of the effort out of things
Secureblue isn’t immutable though.
It’s not atomic or cloud native either if you want to be strict with definitions.
yeah i know all the semantics around this. it is nice though.
Fedora is fine for the specifics you mentioned. If for some reason you feel the need to go immutable later, SB is alright-ish.
I heard that the sandbox on Fedora (and all major distros) is relatively weak, and pulseaudio is a known escape vector for webpage malware. So I’m not 100% Fedora is reasonably secure.
SB isn’t immutable BTW. I wish it was because I like the idea of immutable distros (for people who don’t use Arch) but it isn’t.
Fedora was one of the first to get rid of pulseaudio and replace it with Pipewire, so that shouldn’t be an issue.
Absolutely not true 🤣🤣
Where’d you hear this?
Also, Silver blue is immutable. You are just full of bad info, bud.
What do you mean by sandbox here? Fedora has selinux by default which adds an extra layer of security. If you really want a “sandbox” qubes is probably the way to go. It runs everything in virtual machines, so if there was a browser escape they would still have to eacape the vm. It would be an very sophisticated attack and nothing you have to worry about.
And pulseaudio is fine lol what you’re describing would certainly be assigned a cve and the only cves for pulseaudio are all denial of service except for some back in 2009.
By Sandbox I mean that the apps I install should only have access to the files in a dedicated directory. Mullvad seems to do this on Kubuntu, there’s a .mullvad-browser folder in my home directory and whenever I try to upload or download an image using it I find myself unable to navigate away and instead need to use my file manager to do so.
I’m not really interested in QubesOS. As above my first priority is running Linux and while the virtualization in QubesOS interests me it’s not an operating system I want to use.
I heard the pulseaudio thing from this source https://profincognito.me/blog/security/browser-engine-security-comparison/ although it was uncited so it may be BS.
