So I took the plunge and installed Fedora Silverblue because of all that immutable buzz. And it’s the most frustrating change I have made in almost 20 years of my distrohopping....
I always use all:unset in my css files and I did the same when configuring the swaync notification but somehow when using it inside global selector *{} it doesn’t show the volumeslider which is shows in a notification, related pictures will be attached. I wanna use all:unset and so I want to know how to re-enable volumeslider...
I just installed EndeavorOS on an HP Spectre360 that’s roughly 2 years old. I am honestly surprised at how easy it went. If you google it, you’ll get a lot of “lol good luck installing linux on that” type posts - so I was ready for a battle....
libseccomp is a long established security “firewall for syscalls”, it allows to restrict what actions programs can perform on the system.
I dont know what exactly these are, often low level stuff I guess, but one of these actions is “create an unprivileged user namespace”.
Flatpak uses a single, “badness enumerating” seccomp filter, which means they block the syscalls “A”, “B” and “C” for all programs. All others are allowed, and (see the issue) programs cannot define a more restrictive one.
user namespaces
A namespace is a virtual filesystem on top of the “real” one, where certain real system files are mounted to. This means unprivileged programs can suddenly do “OS stuff”, needed to create this filesystem.
contra user namespaces
Many distros like Debian (and Arch) didnt enable this feature for a long time, because user namespaces mean that unprivileged userspace programs, like your browser, can suddenly access low level system components like the filesystem.
If there now is a bug in such a component, user namespaces allow the program to directly access a way more privileged area, escape here and thus have privilege escalation.
This would not be possible when not using user namespaces.
Flatpak has a seccomp filter that blocks the creation of user namespaces, to avoid this low level system access. Which is a very good thing, but the missing modularity doesnt allow anything else!
pro usernamespaces
Over time even slow pacing distros like Debian enabled user namespaces.
Today they are the core feature of bubblewrap, podman, docker, (and thus distrobox and toolbox)…
The concept is that a rootless binary, running in userspace, can access system components which would normally require root.
Firejail is the opposite example, it is a root binary and sandboxes apps also when user namespaces are disabled. Chromium has a fallback suid sandbox which also is a root, same with bubblewrap after the modification by 34N0 implemented in the “no userns” images of secureblue.
The problem is, a root binary has root access. If there is a flaw in it, which was the case with firejail, the “nice and secure isolated app” could now use the root binary to escalate its privileges to root level, more than what it could have done without it.
Browsers and Sandboxes
A browser is basically a platform to run “apps” on. Nearly all websites nowadays require executable code, which means browsers are the attack surface for malware. Scrap your verified Flathub or well maintained distro repository, a single website could use a weakness and break your system.
This was a thing back in the time… crazy huh?
Chromium (Chrome, Edge, Brave, Vivaldi, Opera, …) has the said rootful sandbox as a fallback, I guess implemented back when user namespace sandboxes were not adopted enough.
But is normally uses a user namespace sandbox for process isolation, every tab runs in a different process, on Android too.
Firefox also uses user namespace sandboxes for tabs, but additionally uses seccomp-bpf to restrict the syscalls that the isolated tabs/processes can execute.
Flatpak and Chromium
Chromium relies exclusively on the ability to create sandboxes, with a root binary (the strange not really used fallback method) or with user namespaces.
So much that it straight up doesnt run if it cannot do that. The same goes for Electron apps, which are a browser platform running a single or very few processes.
This is why zypak was created. It redirects the calls of Chromium to flatpak, so it uses the builtin Flatpak sandbox instead.
As I said, all Flatpak apps (and thus all processes) use the same seccomp filter, so I assume that zypak is less secure than the native sandbox, which is battle tested by Google, Microsoft and more companies.
But it uses a sandbox, it is rootless and uses user namespaces. It just needs a little testing, a security audit, a bit of pentesting.
At the current stage I would honestly not trust it, so Flatpak Chromium browsers are not recommended for “production”.
Right now we just fork(), so replacing that with flatpak-spawn would cause a massive increase in memory usage? You would no longer have CoW sharing of memory.
So Firefox would need big architectural changes to support a sandbox like Flatpak’s. It uses copy-on-write to save Memory and be more efficient.
For some reason Chromium works just fine with zypak.
it’s not clear to me the “Flatpak Sandbox” it’s creating is comparable to what we have now (even with just seccomp-bpf). We launch our subprocesses with specific, nailed down sandboxes.
They should absolutely compare their seccomp filters. But this indicates the same issue as the one at the beginning, always using the same seccomp filter is not suited for an entire platform like a browser.
Fair usage in Flatpak
To sum it up:
Electron apps are likely fine to be ran as Flatpaks. The zypak sandbox may not isolate the processes from another as well as the normal one does, but they are controlled and known code.
Electron uses Chromium because of laziness, not because it needs the security of the platform. Daniel Micay, the creator of GrapheneOS, would also list a few very technical things why Electron has crippled security features of Chromium.
Thunderbird is using Firefox similar to Electron, just as a platform for known code, so this will be fair too.
Flatpak Firefox… is probably okay secure. If you use UBlock Origin with some filterlists, and an opt-in NoScript setup (which I highly recommend for privacy and security), the risk is even lower.
But the risk is literally getting malware, losing all your data, getting breached or intruded. So why leave out this security measurement.
But, its true, Flatpak isolates the browsers from the system, which is really nice. If there is a weakness in the browser platform, a process could not just escalate and access everything Firefox can.
Bubblejail
So isolating the browser from the system using Bubblewrap, a modern and rootless sandboxing tool, sounds like a good idea.
The only issue is the always-the-same seccomp filter. The best solution would be a fix for the issue at the beginning, but for now we can use bubblejail.
It is a tool that makes the creation of bubblewrap and seccomp filters easy, and adds Desktop entries to launch existing apps through that sandbox.
For some reason it doesnt work at all anymore for me… but it did in the past. It is certainly not ready, but with some helping hands it can fix all the gaps, where system apps are needed for certain abilities.
May that me a VPN app, Nextcloud-client adding icons to your task manager, an IDE like VSCodium, Zed, Lapce, Kate… or isolating all your system apps!
So currently I use Fedora Firefox, which is very well maintained and checked for security build flags.
I will continue making bubblejail work, which will be a good solution for this problem.
Hi all, the private school I work at has a tonne of old windows 7/8 era desktops in a student library. The place really needs upgrades but they never seem to prioritise replacing these machines. Ive installed Linux on some older laptops of mine and was wondering if you all think it would be worth throwing a light Linux distro on...
The hardware is totally fine, Linux requirements didnt really change at all in the last years.
KDE Plasma is a really well maintained desktop, poorly also with a ton of customization. It has a very familiar user experience. GNOME is also nice but not familiar at all.
On these machines, recommendations:
some stable distro like Debian 12, with automatic background updates
OR an atomic distro like Fedora Atomic. (Still waiting for CentOS bootc, which would be the best of both worlds. Or Rocky/Almalinux Atomic)
GNOME or KDE
best would be to always delete the user account, so they need to store stuff on a network drive. That way they cannot permanently break a desktop, but you still dont need active directory stuff.
Be aware that managing many PCs is work. Keep it as simple as possible, install apps as systemwide flatpaks, keep the OS minimal, automate updates.
Maybe have a look at ansible, I think it is complex but the learning curve is worth the effort if you need to manage more than 4 machines.
No in Linux Mint. The version was something 20.1 or so and 21.3 is the latest or something.
The updater didnt work at all, apt worked normally.
So
Debloat random preinstalled deb packages
Update
Upgrade
Check for fixed packages and remove or upgrade them
Dist-upgrade, full-upgrade (whatever the difference is)
Reboot to be sure
Search on the internet for the new ubuntu version nickname and the new mint version nickname
Search for sources.list, not there but a single file that contains all sources in a subdir, strange
Manually change the names
Update, upgrade, dist-upgrade, full-upgrade etc
Worked perfectly, the amount of stuff that can be updated, stopped, swapped without a reboot is fascinating.
Fedora atomic is throwing all that over board, you always need to reboot, there is just one function to get the new stuff. Okay you can install stuff with cache only and a few more tricks. But by default it is rpm-ostree update or rpm-ostree rebase
I also tried an install with LVM and F2FS instead of the default EXT4. It works, and F2FS is faster in theory, but I only found 2 bigger benchmarks. The older one said BTRFS is waaay slower, a newer one with exact reproducability details said it is equal.
And yes I suppose that rpm-ostree utilizes the BTRFS CoW, deduplication and compression which all help reducing disk usage.
Interesting channel, he also reacted to TheLinuxExp.
Valve uses KDE, for Gaming. The so called “gaming” highly relies on Windows software translation stuff so I assumed it also has to do with optimized compositors.
Very interesting. I dont think that app interfaces should break between releases? But CentOS Stream doesnt really have releases so yeah, very fair point.
You actually convinced me that it is likely completely bad for using on Servers. It is just a testing OS for upstream RHEL.
I liked a YT Video about this. CentOS Stream now is upstream of RHEL, RockyLinux and Almalinux. If one of these projects wants to fix a bug, they can implement the fix in Stream and all get the fix.
There are legacy apps that are always insecure with huge static filesystem permissions AND they are sometimes not well maintained i.e. they dont support the Flatpak.
Linux mint and Ubuntu both add the “universe” repo by default. That repo is basically community grade, and even used for official flavors which tells a lot about their reliability.
Same with Fedora. Everything outside of Workstation or the KDE Spin needs to be checked for maintenance carefully. There is lots of abandonware.
With Flatpak on the other hand too, and you can still use it as it can just use EOL runtimes even on a rolling distro…
The tree refers to the Linux kernel Git repo. On Linux normally all drivers are in there.
I think that is a pretty crazy concept, but it kinda gives trust and if it is in there is will likely not break.
Out of tree means the driver is not compiled in (like BTRFS on RHEL distros) or cannot even be included as it is proprietary or else (NVIDIA, Displaylink, Virtualbox).
These drivers are added locally using kmods OR akmods, I dont know the difference and never used it.
uBlue adds some drivers during the build process which is pretty cool. So even though it is out of tree, it gets centrally included and if it breaks you dont get the update.
Fedora Silverblue is the most frustrating distro so far
So I took the plunge and installed Fedora Silverblue because of all that immutable buzz. And it’s the most frustrating change I have made in almost 20 years of my distrohopping....
[Solved] Swaync volume slider not showing when using all:unset
I always use all:unset in my css files and I did the same when configuring the swaync notification but somehow when using it inside global selector *{} it doesn’t show the volumeslider which is shows in a notification, related pictures will be attached. I wanna use all:unset and so I want to know how to re-enable volumeslider...
Linux really has come a long way
I just installed EndeavorOS on an HP Spectre360 that’s roughly 2 years old. I am honestly surprised at how easy it went. If you google it, you’ll get a lot of “lol good luck installing linux on that” type posts - so I was ready for a battle....
deleted_by_author
Arch Linux, made immutable, declarative and atomic: blendOS v4 released (blendos.co)
Flatpak Firefox (and forks) very slow to start
While other flatpak apps have no problems. Any suggestions?
VLC 3.0.21 Adds New AMD VQ Enhancer Filter, Improves Opus Ambisonic Support (9to5linux.com)
Wait... why does Linux-libre (and #Freedo) exist?
Is Linux not free software itself? I thought propietary stuff was added downstream....
open-source nvidia driver with flatpak
Hopefully this is the right place to ask. Lemme know otherwise....
Linux on old School Machines?
Hi all, the private school I work at has a tonne of old windows 7/8 era desktops in a student library. The place really needs upgrades but they never seem to prioritise replacing these machines. Ive installed Linux on some older laptops of mine and was wondering if you all think it would be worth throwing a light Linux distro on...
Is it possible to use Linux without the command line?
We’ve all heard it before: People claiming Linux isn’t a viable alternative cause you can’t run it without using the command line....
List of useful BTRFS tools
Hi, I want to do an “awesome things” list with BTRFS tools...
Do you have your favorite Linux restoring / data craving tools for Linux?
I found these: Scalpel - but no longer maintaned. PhotoRec - but I don’t know how well it works with Btrfs....
RustDesk (FOSS easy to use TeamViewer alternative) has experimental Wayland support that needs testing! (github.com)
Current prerelease is 1.2.5...
What’s the best ad blocker for you? - Firefox Add-ons Blog (addons.mozilla.org)
Gaming vs Regular Distros
TL;DR: Is there really a performance benefit to a gaming distro over a regular distro? Or is it more of a “this is the least work” to get setup?...
CentOS Stream & Hyperscale SIG showcase (aka. "how to make Enterprise Linux suck less") (www.youtube.com)
I found the talk really interesting, especially how CentOS-Stream means SIGs can fork the hell out of it....
Linux Mint Will Hide Unverified Flatpaks in Software Manager (www.omgubuntu.co.uk)
Manjaro or Pop!_OS for (Nvidia) gaming on Steam?
cross-posted from: lemmy.world/post/16149785...