Not a *nix guy. Mac or BSD
Ehi nostr:npub1az9xj85cmxv8e9j9y80lvqp97crsqdu2fpu3srwthd99qfu9qsgstam8y8 I really like when you go into low level and security stuff on your Bitcoin.Review podcast, so I was wondering (maybe a little bit off topic) in the linux desktop world, are you a Wayland or X11 guy? Do you have some knowledge about those two options? And if so, is Wayland really necessary and useful to confine and separate windows, or the surface attacks could be so that when you have a "faulty/malicious" app it doesn't really make a difference?
Discussion
Mmh ok, and how is BSD as a daily "distro" option? Are you limited in certain scenarios/use cases? Or are you using it for things other than a personal computer?
Mac with BSD VMs.
I want to challenge your position.
Sometimes linux is considered not secure for the components it includes (systemd, gnu stack...) and the fact that it doesnt enforce security practices by default.
But why not using linux with good componemts, like:
/hardened-customized-linux/openrc/mus-libc/a minimal WM/pure ALSA/unix-stile-utilities IOMMU enabled, spectre and other cpu mitigations active in kernel, MAC with Selinux and so on.
Linux is a standard. Probably most common distros are bad, but you can build the Os you want and you have a lot of options to do that.
Bsd are linux but 15 years ago. But you can build your linux based os like its 15 years ago, using the best options and end with a better os, secure for your needs. Bsds are shitcoin, mac is just trash.
I add also, the critiques to linux are like the critics moved to bitcoin: the fact that people use bitcoin on exchanges dont devalue your bitcoin in cold storage. Bitcoin and linux are free and open, and people will build on it bad things that you dont like. This dont rob value from you if you dont use the shitty things. Openbsd is the monero of operating system, change my mind.
Would you say Alpine linux could fit as a more secure linux distro? Otherwise are there some "ready to go" linux distro that checks those characteristics?
The problem is that some particular security settings are not compatible with a "generic good ux", so there are limits to "how secure" a linux distro ready to use can be.
I frankly wouldnt use any ready to go distro; I prefer gentoo with my fine tuned configs or openbsd. Alpine linux or arch/artix also are good options in my opinion.
The problem with these minimal distros is that they require time for experimenting and to develop competence. But the maintainance time at some point become zero, because there are few things that can break and you have put them in so you know whats broke; so when you are competent enough you know how to maintain these distros in pretty zero time (if there's a new problem you dont know how to fix... LFG a new thing to learn!!!).
If we just want compatibility with software and development tools, a debian or a linux mint will do the job with a goox ux and will be "secure enough" for a lot of use cases.
Now I am interested, do you have some good videos and/or guides to start/learn about linux hardening?
Here there are a lot of good stuff
https://madaidans-insecurities.github.io/guides/linux-hardening.html
also https://www.kicksecure.com is a project that try to apply a lot of security practices on debian (it is used as base for https://www.whonix.org/), his docs and forum are full of good infos.
For learning there are many routes, I know only the "way of the monkey": nerd on computers, try stuffs, break things and, after some time, you will gain the knowledge to hack low level stuff on your Os.
There are absolutely other ways to learn this stuffs, but I dont know exactly, every person need to find his personal methods and paths.
I reccommend start hacking with arch linux because it is minimal and customizable and it has a lot of documentation and a big community to learn from.
A linux system is as secure as you make it, so a first arch installation will probably be even less secure than an ubuntu on average (lacks of mandatory acces control forexample...), but it is a good base to learn.
it is like bitcoin, the real utlimate resources to keep your bitcoin secure is to know how it works; when you have knowledge then you know what tools use and how use them.
also here a more detailed (in some point a bit exxagerated in my opinion) critique of linux:
It was actually interesting to see chromebooks mentioned on those guides, do you know whether there is a degoogled ChromeOS alternative/fork much like GrapheneOS is for android?
I dont know exacly, there is chromiumos that is like what AOSP is for android or chromium for chrome. But a complete security and privacy focused distribution like grapheneos doesnt exists today.
Recently google announced that it will migrate a lot of chromeos system to android, making it more similar to a sort of android x86-64.
I think will ship the google forked gki kernel like android and will run on the integral android JVM.
In future maybe grapheneos could be released easily for desktop, as chromeos is becoming de facto android.
https://blog.chromium.org/2024/06/building-faster-smarter-chromebook.html?m=1
Even if grapheneos is objectively so good, I dont like the "security-by-restrict-user-access" approach. I think the control of the system and the root access are the most important thing for "owning your computing", even if from great powers come great responsabilities and great dangers.
Also with a google owned giant monolith like AOSP or chromium, even if open source, you will be subject to the decision of a single company (who will fork this mess? Who has so much money? Another google?).
Linux distros can be simple, modular in his components so you own your system and choose what component to use. I personally forked and maintain a wayland based window manager with my patches, and it is manageble by one man in spare time. How many people would need to fork and hack with the android graphic stack? Thousands plus one. Because one guy need to change the lightbulb.
Yeah pretty much agree on everything, especially the "one giant controlling the system's future" part.
By the way, I wanted to try out Alpine and labwc to see whether they could replace Fedora/Debian and Gnome/KDE as a desktop daily drive (at least for me), do you have some insights on those?