I’m the Never Ending Pie Throwing Robot, aka NEPTR.

Linux enthusiast, programmer, and privacy advocate. I’m nearly done with an IT Security degree.

TL;DR I am a nerd.

  • 1 Post
  • 20 Comments
Joined 1 year ago
Cake day: November 20th, 2024


  • N.E.P.T.R@lemmy.blahaj.zone to Linux@lemmy.ml · Linux focused on Privacy ? · 16 hours ago

    You can just layer persistent malware (like a .rpm from the internet) using rpm-ostree, or rebase to a malicious image, because rpm-ostree doesn't require a password. Atomic doesn't mean basically anything other than you switch out images, it isn't a security feature. Or have persistent malware by creating a systemd user service that runs on login, or a system service which does the same, and does something malicious (exfiltrate data or keylog [yes that is possible on Wayland with LD_PRELOAD trick]). Or modify the user's ~/.bashrc and change the path to include something like /tmp or ~/.local/bin and put a fake sudo binary which takes precedence over the real sudo and does something (like steal your user password). Or LD_PRELOAD a malicious binary to everything either by adding a line to the .bashrc, or get root and create /etc/ld.so.preload.

    The list goes on. It isn’t more secure than regular Fedora. It isn’t a (significant) security feature. It doesn’t protect against persistent malware which resides in the user home, etc, or goes unnoticed as a layered package. rpm-ostree can be used to install anything without needing a password. It isn’t secure.
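
A read-only audit of the locations the comment above names (a shadowing sudo in PATH, LD_PRELOAD lines, /etc/ld.so.preload, systemd user units, rpm-ostree layers), added here as an example and not part of the original comment. The function names are hypothetical, /usr/bin as the home of the real sudo is an assumption, and the package check reads the `LayeredPackages`/`LocalPackages` lines of `rpm-ostree status`.

```bash
#!/usr/bin/env bash
# Added example: read-only checks for the persistence spots listed above.
# Function names are illustrative; /usr/bin as sudo's real home is an assumption.

# Executables called NAME in PATH entries searched before REAL_DIR
# (a fake "sudo" that would win over the real one).
shadowed_cmd() {  # usage: shadowed_cmd NAME PATH_STRING REAL_DIR
  local name="$1" real="$3" dir IFS=:
  for dir in $2; do
    [ "$dir" = "$real" ] && break
    [ -f "$dir/$name" ] && [ -x "$dir/$name" ] && printf '%s\n' "$dir/$name"
  done
  return 0
}

# Lines mentioning LD_PRELOAD in shell startup files; missing files are skipped.
preload_refs() {  # usage: preload_refs FILE...
  grep -Hn 'LD_PRELOAD' "$@" 2>/dev/null || true
}

# Non-comment entries of the system-wide preload list.
global_preload() {  # usage: global_preload [FILE]
  local f="${1:-/etc/ld.so.preload}"
  [ ! -s "$f" ] || grep -v '^[[:space:]]*#' "$f" || true
}

# Unit files (and enablement symlinks) in the per-user systemd directory.
user_units() {  # usage: user_units [DIR]
  local d="${1:-$HOME/.config/systemd/user}"
  [ ! -d "$d" ] || find "$d" -maxdepth 2 \( -name '*.service' -o -name '*.timer' \) | sort
}

# Layered and locally installed packages, from `rpm-ostree status` text on stdin.
layered_pkgs() {
  grep -E '^[[:space:]]*(LayeredPackages|LocalPackages):' | sed -E 's/^[[:space:]]+//'
}

audit_host() {
  echo "== sudo shadowed in PATH ==";  shadowed_cmd sudo "$PATH" /usr/bin
  echo "== LD_PRELOAD in rc files =="; preload_refs ~/.bashrc ~/.bash_profile ~/.profile
  echo "== /etc/ld.so.preload ==";     global_preload
  echo "== systemd user units ==";     user_units
  if command -v rpm-ostree >/dev/null 2>&1; then
    echo "== rpm-ostree layers ==";    rpm-ostree status | layered_pkgs
  fi
}

if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

Run it with `--audit` from the affected user's own login shell, so that `$PATH` is the one their startup files produce.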


  • I was specifically responding to where you say it is “super secure” at the end of your comment. It is not a security focused distro. It isn't even (only) a privacy distro. It is an anonymity distro. Fedora is private, but it doesn't store everything in RAM or route everything through Tor, so it isn’t amnesic or anonymity focused.

    When compared to Whonix (which is Debian based like Tails) or Secureblue (Fedora Atomic based), Tails doesn't do nearly anything to harden its base other than to strictly proxy the network through Tor, run in RAM, and some default apps.



  • N.E.P.T.R@lemmy.blahaj.zone to Linux@lemmy.ml · Linux focused on Privacy ? · 2 days ago

    Tails isn’t really a security focused distro, no significant kernel or other security hardening. It is amnesic. Whonix (based on Kicksecure) is security hardened but still based on Debian which isn’t great for a security base.

    Secureblue is what I would recommend because it is a security focused Linux distro that benefits from Fedora’s SELinux, and has a bunch of its own additions.

    QubesOS is obviously the best for security. Combine that with a Whonix or Secureblue guest OS and you’re perfect.



  • QUIK SMS implements turning “blank liked message” into the proper format, but that still doesn't allow sending emoji reactions.

    I was pretty sure that RCS is centralized and requires using the existing infrastructure, which requires some contract with Google or other providers.

    Either way, no open source Messenger (that I know of) exists which supports RCS.










  • Distrobox is designed to be the opposite of confined. Its goal is integration. The container is stripped away as much as possible to allow for sharing host resources.

    As it says on the Distrobox website:

    Security implications

    Isolation and sandboxing are not the main aims of the project, on the contrary it aims to tightly integrate the container with the host. The container will have complete access to your home, pen drive, and so on, so do not expect it to be highly sandboxed like a plain docker/podman container or a Flatpak.

    I would also argue that calling a “plain docker/podman container or a Flatpak” “highly sandboxed” is also quite wrong and a misuse of those technologies.

    It uses Docker/Podman which is not a security sandbox. The purpose is app containers, not a security boundary. It shares the same kernel as the host, which makes kernel vulnerabilities a source of container escapes. Docker (the default) runs as root and could be a source of privilege escalation. Best case is use gVisor or SELinux. Still not a secure sandbox.

    Similar problems with Flatpak. Not a secure sandbox. Barely filters syscalls (and in a general way instead of per-app), barely reduces attack surface, granting frequently required permissions often significantly reduces the strength of the sandbox, shares a kernel with the host (and no application kernel like gVisor or sydbox), weak use of MAC (like SELinux). Most of this can also be said of the previous 2 container software (and also LXC/LXD/Incus).

    Also, don’t use browsers with Flatpak, they have a significantly weaker sandbox because it is missing a layer of sandboxing (namespaces). This makes an attack exponentially more likely by reducing the need to chain another major vulnerability to execute a successful sandbox break.

    What you want is a VM. It is designed to be a secure sandbox but needs some configuring.


  • Anything really. Just use Docker/Podman or LXC and then the base OS won’t matter.

    • Ubuntu is still fine
    • Debian I have personally used and it is good
    • I used openSUSE Slowroll for a while as well
    • Fedora server is just as good as RHEL derivatives IMO

    Next thing I am looking at is secureblue for Fedora CoreOS. Security matters and a rock solid base with hardened defaults is really nice. It also is Atomic and because it is effectively just CoreOS, you install it with a JSON file (I think). Using the provided example butane file it took like 30 seconds to install. Now I need to customize it further.