from 734Y4ch_7M3_7r0@programming.dev to linux@lemmy.ml on 29 Jul 01:49
https://programming.dev/post/34707416
First of all, I’d like to apologize for contributing to the constant stream/flow of posts in which the main theme/idea/motive is to find a suitable distro for the OPoster. I wish we’d have a dedicated community that’s active/large to the extent we’d be able to delegate/contain these convos to their designated places, but alas…
With that out of the way, we can get to the actual meat. So, for two weeks, I’ve been reading a ton about different distros. And while I’m still primarily overwhelmed by the amount of choice, I think I’ve finally got somewhat of an idea.
Requirements:
- Software-wise, the only thing I’m worried about is Davinci Resolve. It should work, but it seems to be hit or miss. The distro I wish to use should handle this gracefully.
- I’m a huge snob for security and privacy. As I’m kinda worried that desktop Linux’ security isn’t on par with M$ or macOS, I wish to use as secure of a system as possible to (somewhat) compensate for that.
I like to follow ‘authorities’ whenever I’m overwhelmed. As I’ve known them since their PrivacyTools-days, it was easy for me to designate Privacy Guides as such. Hence, I’ve come to appreciate its recommendations. But, I believe the tailor-made consensus by this communities’ experts is at least equally important.
That’s where I’m coming from, let’s head over to the questions:
-
Are PrivacyGuides’ recommendations actually good in the first place?
-
From what I can tell, the subset of security-focused distros are (at least potentially) my end-game. But, from what I could gather, they’re not sensible picks for a newb. Is this correct?
-
As for what remains, I got the following assumptions (please correct me if I’m wrong*):
- The anonymity-focused distros don’t seem well-suited for general use.
- Hardening Arch or NixOS to the extent we find within the offerings of Fedora or openSUSE isn’t trivial.
- Fedora’s Atomic Desktops offer something tangibly superior security-wise over what we find for traditional Fedora and openSUSE at the expense of convenience.
As such, am I correct to assume that Fedora Atomic Desktops are best for me? Would you happen to know if it plays nicely with Davinci Resolve?
-
Are there any other distros worth mentioning within the context? If so, which ones and why?
-
Any gotchas or otherwise I should be aware of?
Thanks in advance for your input!
threaded - newest
Fedora. Any spin will do.
Thank you. Could you perhaps substantiate it beyond an endorsement? Like, for a newb, I don’t see how it would be better than openSUSE beyond prioritizing the following:
Like, for an outsider, the Fedora endorsement mostly just confirms that Fedora is the more popular option. But that doesn’t have to be on merit. If it is on merit, would you so kind to point this out? Especially security-wise*
Fedora is the “new” Ubuntu after Canonical made some bad calls about Ubuntu as a distro. It has little if any weird customizations, and gives you the stock experience of Gnome or KDE.
I don’t have any serious issues with Suse I guess(?), but the community is lacking, and the frequency of issues with updates and packages is way more than Fedora.
So, if I understood you correctly, openSUSE does have weird customizations and does not give a stock experience. Right?
Interesting. The first part was something I was expecting, but the latter part actually surprised me.
I suppose that, if it came down to Fedora vs openSUSE, I’d just have to give it Fedora then.
Anyhow, any thoughts on non-atomic Fedora vs atomic Fedora?
If you’re new, don’t mess with immutable distros. They have a purpose, and it’s not for people just getting acquainted with modern computing. It gives you zero benefits, and will only make things more complicated.
So what is the purpose of immutable distros?
Furthermore, my introductory reading would suggest some benefits:
And, with GrapheneOS’ endorsement of secureblue, I find it hard to believe that it doesn’t provide any benefits. But please feel free to enlighten me on this.
Though usability is probably a very legit concern, though. So perhaps not the brightest of ideas to start with as a first distro, but we’ll see.
The entire functional premise of immutable distro builds was for mobile and edge devices. It makes flashing/updating dead simple, and it’s easier to revert to a known good revision if something goes wrong.
There is no “stability” benefit, because the running system is unchanged, only the filesystem operates differently. I’m not sure where you read that. Also, containers aren’t inherently more stable than anything, so that’s extra confusing if you read that somewhere.
The filesystem being read-only doesn’t help reduce your attack surface at all? If you’re vulnerable to a zero-day on any running service on stock distros, you’d be vulnerable on immutable as well.
Distro’s are not like picking between windows or mac, Nearly all linux distributions are based on the same linux kernel and many of the base GNU packages. The main differences between distributions are philosophical.
Some distro’s will focus on free as in speech over free as in beer meaning if something has closed source, or proprietary code they may or may not include it. You can still download and install proprietary software and drivers regardless of this initial choice.
Some distro’s will have a preferred package manager which is like their software or app store, but if you dont like the one they picked you can install a different one.
As for security, linux is as secure as you make it, its vastly more secure than Windows out of the box, and probably more secure than MacOS but we dont really know because both Apple and Microsoft dont publish their code so we cant review or audit its security. Setting up a secure linux install is dead simple and you can find dozens of guides for every distribution and edge case.
Since the main tool you want to run is Davinci Resolve it makes sense to see what distribution they test against and go with that, rather than pick an arbitrary “secure” distribution. It will be simpler to harden their preferred distro than to take a hardened distro and make their software work on it.
I suggest checking their website and going with their top suggestion.
Thank you for your comment! It contains many gems to benefit from*
This is what I found to be particularly curious. So, would you say that the (extra) security/hardening provided by the likes of Qubes OS and secureblue is trivial to apply elsewhere? If so, would you be so kind to give me some pointers? I did try to find it myself but failed. Perhaps I’m not using the correct search terms OR perhaps I don’t even know where to look.
Excellent. Why didn’t I think of this before 😜 . Uhmm…, based on their instructions, I believe installing the Rocky Linux 8.6 image that they provide is the safe bet. Right?
Finally, I’m left with two questions:
The easiest distros to run Resolve would probably be Rocky Linux 8, Alma Linux 8 (both are based on RHEL 8). Instead of the EOL Rocky/Alma 8.6, you should use release 8.10 (8.6 would update to 8.10 anyway). However, while still currently “supported”, these are still shipping (mostly) 6-year-old (!) packages. Also, only a small number of packages is actively supported by Red Hat. IMO, this implies that these distros offer a lower level of security. The most critical parts (browser, kernel) are still well-supported, so the difference is probably not too large for most regular users. However, you may also struggle to run some other software (although Flatpaks are available). It’s unfortunate that Resolve only supports an ancient version of Rocky (Rocky 10 is now out)…
Oh wow. Thank you so much for that information! Much appreciated!
Hmm…, so I suppose both Rocky Linux and Alma Linux are out of consideration then. Which is definitely a pity considering Davinci Resolve. What would you suggest instead?
immutable distros (e.g. fedora atomic desktops) are secure in the sense that they’re containerized. if that’s something you’re after, i don’t see why it wouldn’t be a good fit for you.
they do rely on flatpaks, so you’ll need to make sure davinci resolve comes as one. it doesn’t seem to be on flathub, but i do see someone else has packaged it. if that runs well, i think you’d have nothing to worry about.
On immutable distros, one can still get something not available as a flatpak by installing it in a distrobox container.
I was going to say this.
And for resolve there is even a preconfigured container: github.com/zelikos/davincibox
That looks pretty cool. Thank you so much for sharing that!
Would you happen to know how it compares to the flatpak (or something) that was shared by the other person?
Resolve is not available as a flatpak so distrobox would be your only option to get it running on a atomic distro.
But in general flatpaks are more secure than distrobox containers. Flatpaks are sandboxed. Apps can request access to different parts outside the sandbox through so called portals. Portals are basically like the permission system on your phone. But not all portals are finished yet so apps can get way more permissions in the name of user friendliness. There are third party tools like flatseal, that manage permissions though.
Distrobox on the other hand doesn’t have any of that. Apps can access your entire home directory and a bunch of other stuff if they want
Interesting. How do you regard the following link? github.com/pobthebuilder/resolve-flatpak
Oh wow, flatpaks are pretty cool. Thank you for that info! Are there any downsides to it? Or is it just straight up superior to all other options?
thanks! TIL
Good to know. Thank you!
Hmm…, is it like properly sandboxed? That wasn’t the impression I was getting. But I’m more than happy to be wrong on this.
Furthermore, how do they achieve this beyond Flatpak?
Oh, wow, that’s pretty cool. Thank you for that find!
just install gentoo
Uhmm…, I’ve heard it’s hard 😅. Though, I will consider it if the following applies:
Would you happen to know if the above applies?
Debian
I did not read the post, I just came here to say Debian since that’s the answer to the general question. 😄
I have never used it and it is not a way to go if you want anything graphics card intensive but security wise I was under the impression qubesos was like the supreme because you run all the apps in xen virtual machines https://en.wikipedia.org/wiki/Qubes_OS
Yeah, I don’t think this will work nicely with Davinci Resolve. But we’ll see.
Secureblue eliminates many attack vectors. It is also recommended by PrivacyGuides. Worth trying if you can find davinci resolve as a Flatpak or Fedora RPM.
Do you think it’s suitable for a newb as their first distro? FWIW, someone else had already pointed out the existence of a flatpak.
It will have some challenges but the documentation is decent. If security matters to you, it has better protections than any other Linux distro (Qubes OS isn’t technically a distro). If you have a problem, first check to see if it is a Secureblue issue then check if it is an upstream Fedora atomic issue.
Thank you very much! Some have raised issues on immutable distros. So I don’t really know what I should do. Nor, do I know whether their criticisms are valid. Regardless, I suppose I’ll have to see it for myself and arrive at my own conclusions.
Firstly tell what ur GPU that u wanna use it for davinci resolve ,secondly tell what ur threat model because comparing directly security of Mac os and windows doesn’t make any sense ,tell what u want exactly to achieve
An Amd GPU from 7 years ago
I haven’t properly formalized my threat model yet. But assume that I want protection against any and all untargeted attacks.
A general-use OS that I’d use to replace my Windows 10 installation. There’s a ton of software that I use and for which I have to find replacements (eventually), but Davinci Resolve is probably my biggest worry.
Is Vega 64? Or rx 580 if that so u will need to ready fight for opencl drivers cause davinci not working without them at all ,u will have to use something like opecl-mesa with rustcl RUSTICL_ENABLE.
It’s vega. So, how exactly should I proceed? Thank you so much for the help!
Trial and error as long as it isn’t a professional need. At some point you just have to try and see what works for your machine and needs.
You’re probably right. I just hoped to receive some valuable input. Thankfully, I did get some of that; so this wasn’t an exercise in vain.
None of the popular distros will spy on you the way Windows or MacOS do, so privacy shouldn’t be a concern.
As for security, is it malware you fear? Without more specific context, the only thing that can be said for sure is that you should encrypt your drive (most distros will have the option to set that up during installation), and don’t
sudorandom commands you see on the internet without understanding what they do.I believe I heard that there was some scandal involving Ubuntu, but perhaps I’m wrong. Please feel free to correct me. Are there any (other) distros that I should be weary of for privacy-sake?
For security, I want to be well-protected against any and all untargeted attacks. So protection against malware is included.
Thank you for the general notes/recommendations/advice about safe practices on Linux! Regarding sudo (and the terminal in general), I’ve just accepted that it will be part of my workflow going forward, even if the amount of times I had used it on Windows can probably be counted on one hand. Regardless, beyond not sudoing random commands, are there like rigid guidelines (or something) one should adhere to for safe/secure computing?
The Ubuntu thing was about them making it opt-out rather than opt-in (so turned on by default), but it’s still nothing malicious and diesn’t collect any personal data. At least that’s how I remember it.
Also Linux doesn’t really have anti-viruses like Windows does (there are a few options for edgecases though). That is because Linux isn’t really targeted by malware developers as much and also Linux is actually designed to be secure.
As for general security tips, number 1 is probably using a password manager (I use a KeePassXC compatible client).
Also be careful with
rm -rf. I almost deleted all the files in my home directory once. I have aliasedrmtogio trashsince.