Joined 1 month ago
Cake day: December 19th, 2024

  • I have daily driven (a) Fedora(-based distro) ever since I started using Linux. So I’m absolutely biased towards it. However, as Fedora is a semi-rolling release distro that really likes offline updates that involves a reboot, it simply falls flat when it comes to satisfying OP’s needs. They would have a very similar experience to their current one with openSUSE Tumbleweed, the very same they actively want to get rid of.


  • As such, this distribution would need to be able to handle running for weeks on end without a reboot.

    So, it has to be something stable (i.e. receive little to no updates) that’s capable of updating without requiring a reboot. That makes any stable distro a candidate. As such, choose either:

    • Debian or something based on it
    • Gentoo (stable branch)
    • NixOS (stable channel)
    • openSUSE Leap
    • Ubuntu or something based on it

  • As I noted in the footnotes of this comment, Qubes OS is technically not a Linux distro as it’s based on Xen instead. But yeah, it’s without a doubt the gold standard when it comes to secure by default desktop operating systems; far surpassing even Kicksecure and secureblue.

    As for Tails, while its amnesiac property is excellent for protection against forensics, it’s not meant as a daily driver for general computing, which was also touched upon in the aforementioned footnotes.


  • For this writing, I’ll focus on the OOTB experience. Furthermore, a daily driver for general use is assumed. I’ll also try to keep it (relatively) brief and concise for the sake of brevity. The tier list found below goes from worst to best.

    • Tier -1 : Actively detrimental distros. Joke/meme distros, abandoned/discontinued projects and even outright malicious products. Simply don’t use for production. The likes of Hannah Montana Linux and Red Star OS come to mind.
    • Tier 0 : Unopinionated distros. These should be regarded as blank canvases from which it’s expected that you meld and forge it to your liking. As such, at least by default, they offer nothing in this regard. However, it’s possible to build a fortress if you wish. Both Arch and Gentoo fall under this category.
    • Tier 1 : Distros that have put in some work into security, but ultimately fall short. These distributions include security features and maintain regular updates, but their implementation choices can introduce security compromises. This tier often includes derivatives that modify their parent distribution’s security model, sometimes prioritizing convenience over security best practices. While they may be suitable for general use, they may not provide the same security guarantees as their upstream sources.
    • Tier 2 : Distros with sane security defaults that rely on backports for their security updates. These distributions prioritize stability while maintaining security through careful backporting of security fixes. Rather than updating entire packages, they selectively patch security vulnerabilities into their stable versions. This approach provides a good balance of security and stability, though it means newer security features might take longer to arrive (if at all). Debian and Ubuntu are prime examples of this.
    • Tier 3 : Distros with excellent security defaults and a (semi-)rolling release. For most normies, this is as secure as it needs to be. As it’s on a (semi-)rolling release, it receives security updates as soon as they come. Furthermore, this also allows them to benefit from new security features as soon as they appear. Curiously, the two distros that most resonate with this, i.e. Fedora and openSUSE Tumbleweed, are also known to innovate (and thus are pack leaders) when it comes to security solutions. FWIW, their respective atomic/immutable distros also belong in this tier.
    • Tier 4 : Security-first distros. The crème de la crème. These are probably overkill for most people. This is also the first (and only) tier that may sacrifice usability and function for the sake of security. If your highest priority is security, then you can’t go wrong with this one. Kicksecure and secureblue are its flag bearers.

    I’d personally grant Linux Mint a position in tier 2, though perhaps others would go with tier 1 instead. As such, a step-up would be a distro from either Fedora or openSUSE.


  • Thanks for the clarification!

    If you trust both the source and the file, then downloading by itself shouldn’t constitute a problem. Supply-chain attacks are still possible, but that’s a hard problem to solve anyways. I suppose I’d only trust Qubes OS to handle that gracefully.

    For general browsing, GrapheneOS-folk would advise against Firefox(-based browsers). Instead, they’d recommend (something based on) Chromium. Personally, I do follow that advice. But I understand if you’d like to stick to Firefox(-based browsers).

    Coming back to Linux Mint, I won’t go over my (personal) qualms with the security model of the distros it’s based on. But as Linux Mint offers one of the best onboarding experiences, it would be a disservice to lead you elsewhere. Become comfortable with Linux through it. And, perhaps one day, if you feel like venturing elsewhere, you can try out distros that offer better security. Thankfully, Linux Mint’s OOTB security should be sufficient until then.

    As for the article, everything except for the fourth recommendation is a W. Utilizing ClamAV could be cool, but it’s based on a very naive understanding. You wouldn’t want an untrusted file on your system in the first place. Obviously, a lot more mileage[1] is possible. But one has to learn to walk before they can run 😉.


    1. Note that the information and instructions found on the excellent ArchWiki often work on and/or apply to other distros as well.


  • jamesbunagna@discuss.online to Linux@lemmy.ml · Hardening Mint · 2 days ago (11 up, 1 down)

    Is this a good list?

    The link definitely provides some good info. It’s better than nothing. However, it may or may not fall short based on how secure you’d like to make your system.

    Anything else I should do to secure a Mint install?

    What is it you’re trying to protect and from whom? Whenever the topic of security comes up, one simply can’t engage meaningfully without mentioning a threat model.

    In this case, I’ll assume you’re just your average Joe. And, depending on how you engage with your system, Linux Mint might be fit from the get-go. However, if you actively engage in downloading random jank from the internet and have ‘survived’ with the help of Microsoft Defender Antivirus, then you should know that a safety net as such doesn’t exist over on this side. Sure, security through obscurity might save your ass a couple of times. But it’s inevitably a losing battle.

    So, without knowing your threat model, note the following important advice that the article somehow hasn’t touched upon:

    • Know that you, the user, are the largest attack surface. Even if some distros like Fedora and openSUSE (with the latter AFAIK scoring the best[1] according to Lynis) actually put in great work to offer pretty secure systems, they absolutely won’t be able to protect you against yourself.

    1. It’s important to mention that this excludes security-first distros like Kicksecure and secureblue. Nor is Qubes OS considered as it’s technically not even a Linux distro. Other distros like Tails or Whonix are also not considered as they’re not meant to be used as daily drivers and/or for general use.

  • Yes and no.

    Has it got its own set of rules you’d have to learn and thus an accompanying learning curve bump? Sure. Which, in actuality, is mostly just knowing that Flatseal is your go-to whenever a flatpak causes issues.

    Is it a surefire method after you’ve become accustomed to it? Absolutely. All kinds of jankiness can prevent any piece of software from working on your system. With Flatpak, especially on distros that enable it by default, you at least know that your system isn’t the culprit.

    Besides, Flatpak is enabled by default on Linux Mint. The PCSX2 flatpak is even verified. So no additional setting up whatsoever is required.

    What makes you wary besides what’s already stated above?

  • what does the community think of it?

    It’s important to note how the Linux community interacts with change. In the past, whenever a change has been significant enough to influence individual workflows, it often provoked strong reactions. This was evident when systemd was introduced and adopted by distros like Arch and Debian. Even though systemd was arguably superior in essential aspects for most users, it failed to meet the needs of at least a vocal minority. Consequently, community endeavors were set up to enable the use of Debian or Arch without systemd.

    Similarly, the introduction of immutable distributions seems to upset some people, though (at least to me) it’s unjustified. Immutable distributions don’t necessarily alter the traditional model. For instance, the existence of Fedora Silverblue doesn’t impose changes on traditional Fedora; let alone Arch or Debian.

    But, overall, most Linux users aren’t bothered by it. Though, they often don’t see a use for themselves. Personally, I attribute this at least in part to existing misconceptions and misinformation on the subject matter. Though, still, a minority[1] (at best ~10%) actually prefers and uses ‘immutable’ distros.

    Do the downsides outweigh the benefits or vice versa?

    Depends entirely on what you want out of your system. For me, they absolutely do. But it’s important to note that the most important thing they impose on the user is the paradigm shift that comes with going ‘immutable’. And this is actually what traditional Linux users are most bothered by. But if you’re unfamiliar with Linux conventions, then you probably won’t even notice.

    As a side note, it’s perhaps important to note that the similarities between traditional distros are greater than the similarities between immutable distros. Also, Fedora Atomic is much more like traditional Fedora than it is similar to, say, openSUSE Aeon or Vanilla OS. Grouping them together as if they are a cohesive group with very similar attributes is misleading. Of course, they share a few traits, but overall, the differences are far more pronounced.

    Therefore, it is a false dichotomy to simply label them as traditional distros versus immutable distros. Beyond these names, which we have assigned to them, these labels don’t actually adequately explain how these systems work, how they interact, how their immutability is achieved (if at all), what underlying technologies they use, or how they manage user interactions. The implications of the above. Etc.

    Could this help Linux reach more mainstream audiences?

    The success of the Steam Deck and its SteamOS are the most striking and clear proof of this. So, yes. Absolutely.


    1. Not accounting for SteamOS users.

  • NixOS tends to lean on the term reproducible instead of immutable, because you can have settings (e.g. files in /etc & ~/.config) changed outside of nix’s purview, it just won’t be reproducible and may be overwritten by nix.

    Interesting. If possible, could you more explicitly draw comparisons on how this isn’t quite the same over on, say, Fedora Atomic? Like, sure, changes to /etc are (at least by default) being kept track of. But you indeed can change it. libostree doesn’t even care what you do in your home folder. Thus, changes to e.g. ~/.config (and everything else in /var[1]) are kept nowhere else by default.


    1. Which happens to be more crowded than on other distros as folders like /opt are actually found here as well.


  • Ah, I get what you mean now by inflammatory statements

    Actually, it wasn’t me that said that 😅. I do find it in jrgd’s reply, though.

    Though interestingly, I didn’t feel my comment was very inflammatory and it got downvoted too. 😅

    For the record, I also didn’t downvote your comment 😜. Though, looking at how well-received my previous reply has been, I can’t ignore the possibility that peeps that agreed with what I said also chose to downvote your comment.

    I was looking at it more from just a standpoint of systemd itself

    Sorry, I don’t think I completely understood you here.

    just looking at it from the standpoint that fedora and rhel can tend to be industry leaders for change.

    I absolutely agree with you that Fedora and Red Hat are very effective agents of change. So yes, if they would get behind an alternative for systemd, then that would definitely get traction.

    if RHEL and Ubuntu together made

    Has something like this ever happened in the past? I can’t recollect a collaboration of sorts between these two entities. If anything, they seem to be at odds with each other: Mir vs Wayland, Snap vs Flatpak and even Upstart vs systemd. Though, at least so far, Red Hat holds an impressive winning track record.

    I think we would see that move downstream.

    Absolutely. But, and this is my inner-systemd-skeptic talking, systemd is ridiculously intertwined with the current Linux landscape and oftentimes new updates even show a glimpse of how much more intermingling we’ll get in the future. I hope we’ll eventually get something to systemd like what PipeWire has been to PulseAudio. That’s why development into alternatives like dinit and s6 is of utmost importance.

    As far as my use of the term bloated, I’m looking at it strictly from a standpoint for the amount of code that goes into the system.

    Suckless it is 😜. It’s a fine definition. Thank you for that. But, I’ve got to ask, where is the line drawn? Like, the Linux kernel, by virtue of being monolithic, has to be bloated as well. Right? So, if that’s the case, is somehow the kernel’s bloat okay while bloat is unaccepted for the system and service manager? If so, why? I’m genuinely curious.

    The more code you have, the more entries for security risks.

    Sure~ish. Deep discussion. I’m fine with giving this to ya.

    I’m not saying that there’s anything that’s particularly better out there right now

    I suppose some peeps will enjoy themselves with what’s out there. Do you happen to use an alternative on a daily basis?

    but I think we should always be looking for alternatives regardless of what your views are for the people that created the code. KISS philosophy, basically. That and being open to change to avoid stagnation.

    Wholeheartedly agree 😊.

  • I didn’t downvote myself, but did consider it.

    For one, it felt a bit out of place; Fedora isn’t defined by systemd, nor Red Hat or IBM. One clear example would be how Fedora has chosen to stick with Btrfs; contrary to Red Hat’s demands. Don’t get me wrong, I don’t deny any partnership or whatsoever. But it’s not like Fedora’s community has no agency.

    Secondly, corsicanguppy’s comment seems to imply that Fedora only sticks to systemd out of some obligation towards IBM/RedHat or something. As if the overwhelming majority of distros don’t default to systemd.

    Thirdly, Poettering works for M$ now. Sure. But systemd remains a Linux project. And quite a good one at that. Even if the likes of dinit and s6 are starting to offer some healthy competition, it’s undeniable that systemd continues to have the advantage in terms of received man-hours (in development) and adoption. I hope that Fedora eventually gives others the chance to shine. But outright ditching systemd without a perfect replacement is just foolish.

    Systemd is bloated

    The bloat argument has absolutely no weight as long as it’s not properly defined. One’s bloat is the other’s sane default and vice versa. Please, if you’re engaging in good faith, come up with a definition by which the likes of dinit and/or s6 are not bloated while systemd is. Please be complete and rigorous in your assessment.

    and known to present security risks.

    If you’re referring to what’s addressed in Madaidan’s article, you should not forget that Whonix (the very distro Madaidan used to be a security researcher at) employed systemd to enhance security. And while one might say a lot about Poettering, one simply can’t deny that they’ve got a sound understanding of good security standards and how to implement them. It’s therefore unsurprising that both Kicksecure and secureblue (i.e. Linux’s finest when it comes to hardened distros) heavily rely on systemd for their bidding.

    Don’t see why looking at alternatives wouldn’t be seen as positive growth.

    At least we can agree on this 😉.