I like them a lot, switched to Kinoite⏩uBlue: (Kinoite-main, -nokmods (until that got silently dropped), -main again; 37-39)⏩Secureblue kinoite-laptop-userns
The biggest Problem is that Fedoras Images are not usable.
Filemanager movie thumbnails dont work
Flatpak browsers are not feature-complete and probably not secure (because they can’t create usernamespace-isolated processes for tabs)
they have no NVIDIA support
powerusers will miss ffmpeg
The idea of immutable images is, to have a base that most people dont need to change. You can, but the moment you add NVIDIA proprietary drivers or full ffmpeg, you are in unprotected territory again.
So I like the Distros for their reproducible bugs and future possibility to be a very secure base (you could just verify the hash of the root system to check for viruses). But they cannot be produced in the US.
Fedora is nice but just like with rpmfusion, ublue is the key part that makes it work. And on immutable images this cannot just be added in a welcome dialog, as you need massive overrides by default.
I can’t find an open issue regarding security with flatpaks on librewolf https://codeberg.org/librewolf/issues/issues it would be nice if you could open one such that it may get adressed.
Just install ffmpeg in a distrobox or layer it if you desire
Filemanager thumbnails - I usually don’t use big icons (or thumbnails) hence, I don’t remember it too well but that should depend on the file manager, right? And aren’t there tools for thumbnail creation in case they are missing? (I remember something from my time when I used arch)
You cant layer ffmpeg, you need to override-remove everything libav and then install everything new from rpmfusion. I did that, its a mess.
If you just want video playback thats just libavcodec-freeworld, thats why I specifically mentioned ffmpeg.
I am not a fan of Distrobox for small tools. For sure possible but unnecessary and the workflow is a pain. And trust me, I use it daily and even ran libvirt in a rootful one, virt-manager in a rootless one, connected over ssh.
Chromium uses namespaces. Nowadays unprivileged user namespaces, but the legacy suid namespaces are still integrated.
If you want to run Chromium (and I think all Electron apps too) as Flatpak, you replace those namespaces with zypak, which instead isolates processes using flatpak and its seccomp filters.
These are the seccomp filters for every app though, so they are probably way too unrestricted. Also it has a small performance hit.
That is the reason why no Chromium Browser Flatpak is official.
Now the thing with Firefox is, I have no idea what isolation they use. Everyone says its less secure. And they adopted Flatpak as if it was nothing, without any comment on that topic.
The issue is that Flatpak uses a single seccomp filter for bubblewrap, that is used by every app. But browsers would need a different one, with just the added permission to create user namespaces.
Currently this is not even possible when using a seperate repo. Really, no idea. Bubblejail is an alternative with custom seccomp filters and usernamespace permission. But it is very different, uses system packages and is very alpha.
I like them a lot, switched to Kinoite⏩uBlue: (Kinoite-main, -nokmods (until that got silently dropped), -main again; 37-39)⏩Secureblue kinoite-laptop-userns
The biggest Problem is that Fedoras Images are not usable.
The idea of immutable images is, to have a base that most people dont need to change. You can, but the moment you add NVIDIA proprietary drivers or full ffmpeg, you are in unprotected territory again.
So I like the Distros for their reproducible bugs and future possibility to be a very secure base (you could just verify the hash of the root system to check for viruses). But they cannot be produced in the US.
Fedora is nice but just like with rpmfusion, ublue is the key part that makes it work. And on immutable images this cannot just be added in a welcome dialog, as you need massive overrides by default.
I can’t find an open issue regarding security with flatpaks on librewolf https://codeberg.org/librewolf/issues/issues it would be nice if you could open one such that it may get adressed.
Just install ffmpeg in a distrobox or layer it if you desire
There’s at least Fedora atomic with nvidia https://github.com/ublue-os/nvidia
Filemanager thumbnails - I usually don’t use big icons (or thumbnails) hence, I don’t remember it too well but that should depend on the file manager, right? And aren’t there tools for thumbnail creation in case they are missing? (I remember something from my time when I used arch)
You cant layer ffmpeg, you need to override-remove everything
libavand then install everything new from rpmfusion. I did that, its a mess.If you just want video playback thats just
libavcodec-freeworld, thats why I specifically mentioned ffmpeg.I am not a fan of Distrobox for small tools. For sure possible but unnecessary and the workflow is a pain. And trust me, I use it daily and even ran libvirt in a rootful one, virt-manager in a rootless one, connected over ssh.
My point was that Fedoras product is unusable. Ublue is the solution, their main images are basically Fedora Atomic but fixed.
No thats
libavcodec-freeworldandffmpegthumbs. Most movies you find on the open sea are not in libre Codecs.And the Flatpak browser thing is complicated.
Chromium uses namespaces. Nowadays unprivileged user namespaces, but the legacy suid namespaces are still integrated.
If you want to run Chromium (and I think all Electron apps too) as Flatpak, you replace those namespaces with zypak, which instead isolates processes using flatpak and its seccomp filters.
These are the seccomp filters for every app though, so they are probably way too unrestricted. Also it has a small performance hit.
That is the reason why no Chromium Browser Flatpak is official.
Now the thing with Firefox is, I have no idea what isolation they use. Everyone says its less secure. And they adopted Flatpak as if it was nothing, without any comment on that topic.
The issue is that Flatpak uses a single seccomp filter for bubblewrap, that is used by every app. But browsers would need a different one, with just the added permission to create user namespaces.
Currently this is not even possible when using a seperate repo. Really, no idea. Bubblejail is an alternative with custom seccomp filters and usernamespace permission. But it is very different, uses system packages and is very alpha.