Back to the post, Debian is also an awful Linux distro to choose. Full of anti-security practices.
Discussion
What is your take on KickSecure/Whonix both based on Debian?
Has a horrible choice of base OS for security and they don't do any significant work to improve it. They do not do any significant hardening beyond application changes and trivial configurations you can do in other distros. A lot of the efforts for Linux kernel hardening on both Whonix and Kicksecure were halted and then undone when the developer responsible for most of it left the project, therefore, it got worse over the years...
Their developer also pushed misinformation about allocator hardening and dropped using hardened_malloc (hardened memory allocator used and created by GrapheneOS, a significant exploit protection). Their recommendations appear more out of software freedom movement dogmas than a security researcher perspective. Some tables on the wiki make comparisons seemingly out of imaginary scenarios or remove context to what they source.
The Whonix distribution routing everything to Tor has a valid point, but you're just using a non-hardened Debian OS routed through Tor. Qubes users are very reliant on the hypervisor to protect them when using it. The security of the operating systems in the VMs also matter.
Making an equivalent out of a distro like an immutable Fedora distribution or Arch would outclass it very quickly. There are projects that do a lot of great effort to start, like Secureblue:
https://secureblue.dev/features
It inherits a better base OS, has some components from GrapheneOS, including hardened malloc and a desktop Chromium based browser with a Vanadium patch set. Not comparable to the Linux kernel in GrapheneOS (and Android) which is extensively hardened.
Since Qubes' standard images are Fedora based, it could compliment it by being a template. Qubes developers already have that in their issue tracker.
Once Linux VM terminal and support is improved in upstream it could be useful to allow virtual machines that run other OSes other than Debian within GrapheneOS. Fedora is our target. Secureblue could also work if it ever gets built on ARM.
Thank you. Very insightful. Would love to See Mord oft your expert view in a structured way.
Which distro you recommend as a daily use?
I don't use Linux on the desktop. Fedora is the least bad choice but having better defaults and try Secureblue if you want it a hardened. Arch also works and certain hardening is available there but not as a default.
If our funding and manpower was unlimited, GrapheneOS wouldn't be using the Linux kernel at all, ideally something akin to a microkernel with a hypervisor written in a memory safe language like Rust. We'd then have an Android compatibility layer to run the apps. Android userspace already provides a lot of the safety by apps being developed officially in Kotlin or Java.
Linux kernel security flaws make up a lot of Android issues and are what ends up getting exploited in the wild by companies like Cellebrite. The Linux kernel itself is the biggest security liability. Having a more secure base means less hardening work. There was a post I made a couple months ago about Linux kernel (and Android specific) vulnerabilities that Android didn't fix but GrapheneOS had.
This type of OS is interesting: https://www.redox-os.org/
These projects need to get contributions and growth, these are the type of operating systems developers should be working on.
nostr:npub1sg6plzptd64u62a878hep2kev88swjh3tw00gjsfl8f237lmu63q0uf63m nostr:npub1qny3tkh0acurzla8x3zy4nhrjz5zd8l9sy9jys09umwng00manysew95gx nostr:npub10pensatlcfwktnvjjw2dtem38n6rvw8g6fv73h84cuacxn4c28eqyfn34f
Make QNX great again.
Perhaps in a few years, when tooling has matured, AI can accelerate such an effort.
Why would you leap from Linux to a hobbyist OS? Why not FreeBSD or OpenBSD? Rust doesn't even have reproducible builds yet (iirc)
What would you see as bad practice, and which distros do better?
I think Debian is very good for someone that had some weeks working with Ubuntu and wants to go one step mor into independent distros. I mean it is the main distro for many others to upstream bug fixes.
So for stability it is absolutely great.
Debian freezes packages and only updates them during major OS upgrades or when a security fix has received a CVE. This means that if you use software that had a security issue that was fixed and not reported, it's certain you're vulnerable.
There were cases where we were aware of serious vulnerabilities that were fixed in software we used, for example our web server nginx but they did not get the fix in Debian because of no CVE assignment. We don't use Debian on any of our infrastructure. The assumption that every project obtains CVE assignments for each vulnerability is unrealistic.
You can also say the same thing about web browsers, which are dangerous to leave unlatched because they're some of the most widely desired software categories to exploit. Certain Debian users were hit with attack campaigns years ago because of their unpatched browsers.
Freezing updates for applications is anti-security, keeping apps up to date and patched is an extremely basic first security practice.
To answer your question, Fedora is better than most due to not having this package update problem and other problematic Debian quirks like their problematic app configuration and patch choices. All the Linux distributions lack in the OS and app security department and the Linux kernel itself is not immune to critique.
Arch Linux also provides proper security updates for the most part through updating to the current stable releases of software. But it is just a standard Linux distribution otherwise and is certainly not hardened.
https://secureblue.dev/ was discussed elsewhere in these comments too.
Nothing is perfect, sure. It would still be a great improvement over windows or Mac, which is what the vast majority of people use