1. Does Silverblue being immutable has an effect on security, or is it more about stability and reliability?

  2. Is it possible to have Nvidia drivers with Secure Boot on Silverblue, and how?

Thanks a lot!

  • @[email protected]
    link
    fedilink
    2
    edit-2
    10 months ago

    Fedora Atomic is not secure. In fact if you would somehow install malicious RPMs, or a program would do so, only on Atomic they can do so without a password.

    This is crazy and you can change the polkit file manually, I have no idea when this will be implemented.

    https://gitlab.com/fedora/ostree/sig/-/issues/7

    Apart from that, SELinux does not affect the user programs, Desktop and home filesystem. You and any program can execute any script it wants, place an autostart file in your home directory etc.

    As long as the home directory allows arbitrary scripts, it is very vulnerable to exploits.

    Also, your ~/.bashrc (or the other Shell configs) is writable, so any program can alias what sudo does and thus catch your password.

    Or your ~/.local/bin, ~/.local/share/applications/ etc. all being writable, this also means any program can pretend to be Firefox for example but catch your passwords (tbh by default any program can read your Firefox passwords, use a masterpassword people)

    This me Same with your ~/.ssh and ~/.gnupg keys being readable.

    I second on Secureblue, it works well. Firefox is removed, even though its insecurity is debateable. You can use the Flatpak or build it yourself:

    https://github.com/trytomakeyouprivate/Firefox-hardened

    Keep an eye on that repo, I will update it when I found out how to build release versions lol.

    Also note that you will want to use userns images of Secureblue to have Podman/Docker working.

    • boredsquirrel
      link
      fedilink
      18 months ago

      Edit (new account)

      I will not use Secureblue anymore in the future, but it is a very useful project. Also note that only the permissionless RPM package installations make it less secure than traditional desktops, and I opened PRs for that. Will need a change request poorly, and I was too late for 40, so this may end up in 41… pretty bad