Our great sponsors
-
linux-hardened
Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.libera.chat #linux-hardening
-
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
-
-
-
-
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
-
hearthstone-linux
Play Hearthstone from Blizzard Entertainment natively on Linux without the Battle.net Desktop App and Wine
Glossing over their hardening guide, we notice that the kernel-hardened package is mentioned. This is a fork of what once was the kernel of GrapheneOS. While this hardened kernel can be used on a variety of distros, unfortunately this doesn't apply to Fedora Silverblue. Furthermore, I haven't seen any mention of the hardened kernel being used on openSUSE Tumbleweed. Therefore I see no reason to believe that this is possible on openSUSE Aeon either. Though, I'd love to be corrected on this!
Other hardening guides mention a Unified Kernel Image as another measure to further improve security. Unfortunately, once more, this is (currently) not supported on Fedora Silverblue. I haven't seen it being done on openSUSE Aeon either. Though, once again, I'd love to be corrected!
Over time, more and more immutable desktop distros started to emerge, with some of them even being rather promising; Vanilla OS, Pop!_OS' WIP, Serpent OS(/Solus 5) and very recently Ubuntu. So it made sense to dig deeper and try to comprehend what distinguishes these from one another.
There exists a COPR to get the earlier mentioned kernel-hardened package on Fedora. Furthermore, I forgot to mention the hardened_malloc package as (yet another) measure for hardening is offered for Fedora as well. But you might have started to notice a pattern; these (and many other projects) are not ported to openSUSE (or at least not in a way that a mere layman like myself can access them) and this is hurting the legibility of using openSUSE over Fedora. Even if Silverblue doesn't yet provide support for anything I've just mentioned; at some point it will. And at that point, I'm sure that I can get those packages installed easily and go on with my life. Unfortunately, with openSUSE, I just don't know if that ever will be the case. So either I'd have to reinvent the wheel myself, or opt for the easy option....; use Fedora instead. And this is merely just an example of this, for a lot stuff that go beyond the base install you might have difficulty with getting it done on openSUSE. Simply because it's not there yet and it lacks the community to do it for openSUSE. The aforementioned uBlue (a community project) provides a lot of different Desktop Environments to be used with Fedora Silverblue. Unfortunately, with openSUSE Aeon, you're kinda stuck with GNOME (to be fair Kalpa and Greybeard do exist, but use these at your own discretion). Which shouldn't be a problem if you enjoy using GNOME, but what if you don't enjoy using GNOME...
There exists a COPR to get the earlier mentioned kernel-hardened package on Fedora. Furthermore, I forgot to mention the hardened_malloc package as (yet another) measure for hardening is offered for Fedora as well. But you might have started to notice a pattern; these (and many other projects) are not ported to openSUSE (or at least not in a way that a mere layman like myself can access them) and this is hurting the legibility of using openSUSE over Fedora. Even if Silverblue doesn't yet provide support for anything I've just mentioned; at some point it will. And at that point, I'm sure that I can get those packages installed easily and go on with my life. Unfortunately, with openSUSE, I just don't know if that ever will be the case. So either I'd have to reinvent the wheel myself, or opt for the easy option....; use Fedora instead. And this is merely just an example of this, for a lot stuff that go beyond the base install you might have difficulty with getting it done on openSUSE. Simply because it's not there yet and it lacks the community to do it for openSUSE. The aforementioned uBlue (a community project) provides a lot of different Desktop Environments to be used with Fedora Silverblue. Unfortunately, with openSUSE Aeon, you're kinda stuck with GNOME (to be fair Kalpa and Greybeard do exist, but use these at your own discretion). Which shouldn't be a problem if you enjoy using GNOME, but what if you don't enjoy using GNOME...
Furthermore, rpm-ostree is so powerful. It keeps track of all user-changes to /etc (maybe also /var; don't quote me on that though). It can 'reset', which is very akin to a factory-reset on other systems. It can rebase to another spin by Fedora (or from third parties). And I haven't even mentioned you can make your own unique tailor-made OCI-image that comes with a bunch of benefits, one of which is that you can force Github to make the bootable image for you. Instead of installing/updating on your device and all the computing power and time that this takes, you can let make Microsoft pay for it and you can reap the benefits. You just download the finished image and rebase to it; done. All of which is automated (see uBlue. Lol, this has just turned into an advertisement. Let's cooldown a bit.
It's being worked on :P . Technically userspace/soft-reboot =/= no reboot, but I'll prefer it over a hard-reboot. Btw, the change is already merged, we just have to wait until it is shipped to Fedora. Which is likely to happen with the next release of Fedora, so in October/November of this year. In case you didn't know, there's also rpm-ostree install --apply-live , use this at your own discretion though.
Furthermore, because you didn't name Distrobox, is it fair to assume that you're not making use of it? Back when I started, I didn't know much about Nix. So my go-to (when a flatpak didn't exist) was to go directly for a distrobox with a custom home folder (at least I could get rid of everything contained within when I felt like it). And I'd argue it has been instrumental in easing the experience until I got more comfortable with how Silverblue is used. Heck, even now I've got a dedicated Arch-distrobox with Wine for the times Bottles fails me. I also just recently made another Arch-distrobox for a native install of HearthStone for some experimentation with getting the Deck Tracker to work in it while all being properly confined (still WIP). I can't remember the amount of times I tried some random stuff in a(n ephemeral) distrobox (like installing cmatrix for the heck of it), get some enjoyment/fulfillment out of it and just continue with my life afterwards. I feel like with Distrobox, you'd have a much easier time on Silverblue. At times you can afford to rethink/relearn your ways to do it more accordance to the 'Silverblue-way'; one-step-at-a-time. But sometimes you can't, or for some reason it just doesn't seem to work. For such cases, instead of reverting back to Workstation, you should instead use Distrobox to get the work done.
Related posts
- Ubuntu 24.04 (and Debian) removed libsystemd from SSH server dependencies
- Systemd minimizing required dependencies for libsystemd
- Going in circles without a real-time clock
- Excellent succinct breakdown of the xz mess, from an OpenBSD developer
- What we know about the xz Utils backdoor that almost infected the world