cross-posted from: https://sh.itjust.works/post/62361303

Hello good people.

Is no one afraid of Bazzite’s auto-updating nature?

I am myself worried about the potential for well-timed supply chain attacks from wherever they build their OS images, which somehow builds malicious images or just gets itself into the normal image builds and we auto update to.

Is this an unfounded worry? Does anyone know of the security measures in place to prevent attacks?

Auto update just feels weird to me, especially for something like my OS. I’m asking because I went and installed it and realised auto updating seems to be their philosophy… which is scary?

P.S. I couldn’t find anyone online discussing this.

Thonks

  • Mordikan@kbin.earth · ↑10 · 2 days ago

    This is a fair question to ask given recent events. I don’t run Fedora currently, so others could probably give a much more exact answer, but from what I understand of it:

    Bazzite is built on top of Fedora with uBlue. To compromise one of the packages, the attacker would have to bypass the Fedora enterprise team who are rage filled roid-driven experts who don’t take kindly to that sort of thing. They heavily secure their stuff. Even if an attack was successful, it would have little lasting effect because of immutability and having access to easy rollbacks.

    It’s not impossible (like somehow stealing Bazzite’s keys), but it’s incredibly unlikely. AUR/NPM package sketchiness is not anywhere on the same level as compromising Fedora’s keys.

    • novafunc@discuss.tchncs.de · ↑9 · 2 days ago

      You’re forgetting that Universal Blue doesn’t just ship Fedora stuff.

      They include stuff from Homebrew and Flathub out of the box.

      Homebrew shipped the backdoored xz library while (by luck) Fedora stable didn’t.

    • dogs0n@sh.itjust.works (OP) · ↑1 · 2 days ago

      Thanks for your answer. I have a lot of trust with Fedora, I guess I am more worried specifically about Bazzite’s build process potentially being exploited. Sounding like I am being extra paranoid with Bazzite for maybe no reason.

      • j0rge@lemmy.ml · ↑1 · 2 hours ago

        The entire Bazzite build process is well documented, the entire pipeline is implemented with standard CNCF and OpenSSF tooling, the readme has crypto verification that you can run to verify it yourself. These systems have been in place since before Universal Blue went GA (It’s about 5y old).

        Fedora being a better choice than Homebrew because its update pipeline is too slow is not something anyone should be proud of. The Bazzite images run full syft scans before they’re even finally assembled, if it’s in there that second the build fails and users never see it. The entire industry is moving left on this, with proactive work upstream - “keep old things in the field” is an antipattern.

        Here’s all the info!
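
The build-failing scan described in the comment above can be pictured as a denylist check over an SBOM, applied to every package source in the image (the Homebrew-versus-Fedora point raised earlier in the thread). This is an added example, not Bazzite's or Universal Blue's pipeline code; it assumes an SBOM shaped like syft's JSON output (an `artifacts` list with `name`, `version`, `type`), and the denylist, versions, `type` labels and function names are constructed for illustration.

```python
import json

# Constructed SBOM in the shape of syft's JSON output: a top-level
# "artifacts" list whose entries carry name, version and type.
# Package versions and the "type" labels are made up for this example.
SAMPLE_SBOM = json.dumps({
    "artifacts": [
        {"name": "xz", "version": "1.0.0", "type": "rpm"},
        {"name": "xz", "version": "9.9.1", "type": "brew"},
        {"name": "bash", "version": "5.2.0", "type": "rpm"},
        {"name": "mystery-lib", "type": "binary"},
    ]
})

# Hypothetical denylist: package name -> versions that must never ship.
# The versions are placeholders, not real affected releases.
DENYLIST = {"xz": {"9.9.0", "9.9.1"}}


def find_denied(sbom_text, denylist):
    """Return (name, version, type) for every artifact that hits the denylist.

    A denylisted package with no version field is reported too (version
    None): the gate fails closed rather than assume it is clean.
    """
    sbom = json.loads(sbom_text)
    artifacts = sbom.get("artifacts")
    if not isinstance(artifacts, list):
        raise ValueError("SBOM has no 'artifacts' list; refusing to pass it")
    hits = []
    for art in artifacts:
        name = art.get("name")
        if name not in denylist:
            continue
        version = art.get("version")
        if version is None or version in denylist[name]:
            hits.append((name, version, art.get("type")))
    return hits


def gate(sbom_text, denylist=DENYLIST):
    """Exit status for a build step: 0 to publish, 1 to fail the build."""
    hits = find_denied(sbom_text, denylist)
    for name, version, kind in hits:
        print(f"DENIED {name} {version} ({kind})")
    return 1 if hits else 0


if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_SBOM))
```

The same package name appears twice in the sample with different sources; only the copy at a denied version fails the gate, which is why the check runs over the assembled image rather than over one repository.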

  • 6_Electrons@lemmy.world · ↑2 · 2 days ago

    This was one of the reasons I went to Kinoite. Part of leaving Windows was to get away from all their slop… The other part was to get away from all the forced updates. I don’t wanna be forced to update if I don’t want to.

    Edit: to illustrate your point look at the stories of people who can’t use virtualization anymore because they took out virt-manager and QEMU but did a horrible job of telling people and then stuff updated.

    Now they rebase to -dx, layer the packages or go someplace else.

    • dogs0n@sh.itjust.works (OP) · ↑2 · 2 days ago

      Thanks for the answer.

      That’s good to be aware of. I was also kinda put aback by a GitHub issue raised by someone who could no longer toggle off auto updates with ujust.

      It got solved by them adding the command back, just to be silently broken again by them renaming and subsequently removing it again (still removed as far as I’m aware).

      Weird first impression on how quickly things are broken with no alternative.

      • j0rge@lemmy.ml · ↑1 · 2 hours ago

        This is pure operator error, all of these systems are well documented and are literally Linux 101. If the response is “how are normal users supposed to?” the answer is normal users don’t use command line tools.

        The person saying that they’re switching to Kinoite is in for a rude surprise when they find out that the virt-manager flatpak everyone is migrating to is written and maintained by the Kinoite maintainer, we helped with the QEMU extension because moving this stuff to userspace is something everyone agrees on.

        Hopefully you’ve learned that there are people that claim they need super technical things like virt-manager on the image and yet can’t manage a simple Linux service. “Forced Updates”. Images like Bazzite are the antithesis for people who want to be experts without putting in the work.