(Yet another) help me choose a distro post
from 734Y4ch_7M3_7r0@programming.dev to linux@lemmy.ml on 29 Jul 01:49
https://programming.dev/post/34707416

First of all, I’d like to apologize for contributing to the constant stream/flow of posts in which the main theme/idea/motive is to find a suitable distro for the OPoster. I wish we’d have a dedicated community that’s active/large to the extent we’d be able to delegate/contain these convos to their designated places, but alas…

With that out of the way, we can get to the actual meat. So, for two weeks, I’ve been reading a ton about different distros. And while I’m still primarily overwhelmed by the amount of choice, I think I’ve finally got somewhat of an idea.

Requirements:

I like to follow ‘authorities’ whenever I’m overwhelmed. As I’ve known them since their PrivacyTools-days, it was easy for me to designate Privacy Guides as such. Hence, I’ve come to appreciate its recommendations. But, I believe the tailor-made consensus by this communities’ experts is at least equally important.

That’s where I’m coming from, let’s head over to the questions:

Thanks in advance for your input!

#linux

threaded - newest

just_another_person@lemmy.world on 29 Jul 02:06 next collapse

Fedora. Any spin will do.

734Y4ch_7M3_7r0@programming.dev on 30 Jul 02:08 collapse

Thank you. Could you perhaps substantiate it beyond an endorsement? Like, for a newb, I don’t see how it would be better than openSUSE beyond prioritizing the following:

  • “Leading edge” (Fedora) vs rolling release (Tumbleweed) OR ‘stable’ (Leap)
  • IBM (Fedora) vs SUSE (openSUSE) - (We might even choose to reframe this as US vs Germany/EU)

Like, for an outsider, the Fedora endorsement mostly just confirms that Fedora is the more popular option. But that doesn’t have to be on merit. If it is on merit, would you so kind to point this out? Especially security-wise*

just_another_person@lemmy.world on 30 Jul 03:05 collapse

Fedora is the “new” Ubuntu after Canonical made some bad calls about Ubuntu as a distro. It has little if any weird customizations, and gives you the stock experience of Gnome or KDE.

I don’t have any serious issues with Suse I guess(?), but the community is lacking, and the frequency of issues with updates and packages is way more than Fedora.

734Y4ch_7M3_7r0@programming.dev on 30 Jul 03:41 collapse

So, if I understood you correctly, openSUSE does have weird customizations and does not give a stock experience. Right?

but the community is lacking, and the frequency of issues with updates and packages is way more than Fedora.

Interesting. The first part was something I was expecting, but the latter part actually surprised me.

I suppose that, if it came down to Fedora vs openSUSE, I’d just have to give it Fedora then.

Anyhow, any thoughts on non-atomic Fedora vs atomic Fedora?

just_another_person@lemmy.world on 30 Jul 04:29 collapse

If you’re new, don’t mess with immutable distros. They have a purpose, and it’s not for people just getting acquainted with modern computing. It gives you zero benefits, and will only make things more complicated.

734Y4ch_7M3_7r0@programming.dev on 31 Jul 03:07 collapse

So what is the purpose of immutable distros?

Furthermore, my introductory reading would suggest some benefits:

  • The read-only base system as well as the containerization might prove beneficial for stability.
  • Furthermore, I would think that the read-only base system also contributes for eliminating some attack vectors.

And, with GrapheneOS’ endorsement of secureblue, I find it hard to believe that it doesn’t provide any benefits. But please feel free to enlighten me on this.

Though usability is probably a very legit concern, though. So perhaps not the brightest of ideas to start with as a first distro, but we’ll see.

just_another_person@lemmy.world on 31 Jul 08:17 collapse

The entire functional premise of immutable distro builds was for mobile and edge devices. It makes flashing/updating dead simple, and it’s easier to revert to a known good revision if something goes wrong.

There is no “stability” benefit, because the running system is unchanged, only the filesystem operates differently. I’m not sure where you read that. Also, containers aren’t inherently more stable than anything, so that’s extra confusing if you read that somewhere.

The filesystem being read-only doesn’t help reduce your attack surface at all? If you’re vulnerable to a zero-day on any running service on stock distros, you’d be vulnerable on immutable as well.

infinitevalence@discuss.online on 29 Jul 02:14 next collapse

Distro’s are not like picking between windows or mac, Nearly all linux distributions are based on the same linux kernel and many of the base GNU packages. The main differences between distributions are philosophical.

Some distro’s will focus on free as in speech over free as in beer meaning if something has closed source, or proprietary code they may or may not include it. You can still download and install proprietary software and drivers regardless of this initial choice.

Some distro’s will have a preferred package manager which is like their software or app store, but if you dont like the one they picked you can install a different one.

As for security, linux is as secure as you make it, its vastly more secure than Windows out of the box, and probably more secure than MacOS but we dont really know because both Apple and Microsoft dont publish their code so we cant review or audit its security. Setting up a secure linux install is dead simple and you can find dozens of guides for every distribution and edge case.

Since the main tool you want to run is Davinci Resolve it makes sense to see what distribution they test against and go with that, rather than pick an arbitrary “secure” distribution. It will be simpler to harden their preferred distro than to take a hardened distro and make their software work on it.

I suggest checking their website and going with their top suggestion.

734Y4ch_7M3_7r0@programming.dev on 30 Jul 02:33 collapse

Thank you for your comment! It contains many gems to benefit from*

It will be simpler to harden their preferred distro than to take a hardened distro and make their software work on it.

This is what I found to be particularly curious. So, would you say that the (extra) security/hardening provided by the likes of Qubes OS and secureblue is trivial to apply elsewhere? If so, would you be so kind to give me some pointers? I did try to find it myself but failed. Perhaps I’m not using the correct search terms OR perhaps I don’t even know where to look.

I suggest checking their website and going with their top suggestion.

Excellent. Why didn’t I think of this before 😜 . Uhmm…, based on their instructions, I believe installing the Rocky Linux 8.6 image that they provide is the safe bet. Right?

Finally, I’m left with two questions:

  • What does Rocky Linux’ absence from Privacy Guides list suggest? Would you happen to know how it’s (perhaps supposedly) tangibly worse than their picks?
stuner@lemmy.world on 30 Jul 06:55 collapse

The easiest distros to run Resolve would probably be Rocky Linux 8, Alma Linux 8 (both are based on RHEL 8). Instead of the EOL Rocky/Alma 8.6, you should use release 8.10 (8.6 would update to 8.10 anyway). However, while still currently “supported”, these are still shipping (mostly) 6-year-old (!) packages. Also, only a small number of packages is actively supported by Red Hat. IMO, this implies that these distros offer a lower level of security. The most critical parts (browser, kernel) are still well-supported, so the difference is probably not too large for most regular users. However, you may also struggle to run some other software (although Flatpaks are available). It’s unfortunate that Resolve only supports an ancient version of Rocky (Rocky 10 is now out)…

734Y4ch_7M3_7r0@programming.dev on 31 Jul 03:13 collapse

Oh wow. Thank you so much for that information! Much appreciated!

Hmm…, so I suppose both Rocky Linux and Alma Linux are out of consideration then. Which is definitely a pity considering Davinci Resolve. What would you suggest instead?

jinx@lemmy.zip on 29 Jul 02:25 next collapse

immutable distros (e.g. fedora atomic desktops) are secure in the sense that they’re containerized. if that’s something you’re after, i don’t see why it wouldn’t be a good fit for you.

they do rely on flatpaks, so you’ll need to make sure davinci resolve comes as one. it doesn’t seem to be on flathub, but i do see someone else has packaged it. if that runs well, i think you’d have nothing to worry about.

yo_scottie_oh@lemmy.ml on 29 Jul 03:32 next collapse

On immutable distros, one can still get something not available as a flatpak by installing it in a distrobox container.

phanto@lemmy.ca on 29 Jul 03:55 next collapse

I was going to say this.

Vittelius@feddit.org on 29 Jul 10:19 next collapse

And for resolve there is even a preconfigured container: github.com/zelikos/davincibox

734Y4ch_7M3_7r0@programming.dev on 30 Jul 03:04 collapse

That looks pretty cool. Thank you so much for sharing that!

Would you happen to know how it compares to the flatpak (or something) that was shared by the other person?

Vittelius@feddit.org on 30 Jul 20:06 collapse

Resolve is not available as a flatpak so distrobox would be your only option to get it running on a atomic distro.

But in general flatpaks are more secure than distrobox containers. Flatpaks are sandboxed. Apps can request access to different parts outside the sandbox through so called portals. Portals are basically like the permission system on your phone. But not all portals are finished yet so apps can get way more permissions in the name of user friendliness. There are third party tools like flatseal, that manage permissions though.

Distrobox on the other hand doesn’t have any of that. Apps can access your entire home directory and a bunch of other stuff if they want

734Y4ch_7M3_7r0@programming.dev on 31 Jul 03:31 collapse

Interesting. How do you regard the following link? github.com/pobthebuilder/resolve-flatpak

Oh wow, flatpaks are pretty cool. Thank you for that info! Are there any downsides to it? Or is it just straight up superior to all other options?

jinx@lemmy.zip on 29 Jul 17:40 next collapse

thanks! TIL

734Y4ch_7M3_7r0@programming.dev on 30 Jul 03:03 collapse

Good to know. Thank you!

734Y4ch_7M3_7r0@programming.dev on 30 Jul 02:43 collapse

immutable distros (e.g. fedora atomic desktops) are secure in the sense that they’re containerized.

Hmm…, is it like properly sandboxed? That wasn’t the impression I was getting. But I’m more than happy to be wrong on this.

Furthermore, how do they achieve this beyond Flatpak?

but i do see someone else has packaged it. if that runs well, i think you’d have nothing to worry about.

Oh, wow, that’s pretty cool. Thank you for that find!

phpinjected@lemmy.sdf.org on 29 Jul 02:27 next collapse

just install gentoo

734Y4ch_7M3_7r0@programming.dev on 30 Jul 02:58 collapse

Uhmm…, I’ve heard it’s hard 😅. Though, I will consider it if the following applies:

  • Its difficulty is in the same ballpark as the security-focused distros on Privacy Guides’ list
  • It can trade blows with the security-focused distros with respect to security

Would you happen to know if the above applies?

avidamoeba@lemmy.ca on 29 Jul 02:42 next collapse

Debian

I did not read the post, I just came here to say Debian since that’s the answer to the general question. 😄

HubertManne@piefed.social on 29 Jul 03:10 next collapse

I have never used it and it is not a way to go if you want anything graphics card intensive but security wise I was under the impression qubesos was like the supreme because you run all the apps in xen virtual machines https://en.wikipedia.org/wiki/Qubes_OS

734Y4ch_7M3_7r0@programming.dev on 30 Jul 03:19 collapse

it is not a way to go if you want anything graphics card

Yeah, I don’t think this will work nicely with Davinci Resolve. But we’ll see.

Neptr@lemmy.blahaj.zone on 29 Jul 04:40 next collapse

Secureblue eliminates many attack vectors. It is also recommended by PrivacyGuides. Worth trying if you can find davinci resolve as a Flatpak or Fedora RPM.

734Y4ch_7M3_7r0@programming.dev on 30 Jul 03:02 collapse

Do you think it’s suitable for a newb as their first distro? FWIW, someone else had already pointed out the existence of a flatpak.

Neptr@lemmy.blahaj.zone on 30 Jul 05:19 collapse

It will have some challenges but the documentation is decent. If security matters to you, it has better protections than any other Linux distro (Qubes OS isn’t technically a distro). If you have a problem, first check to see if it is a Secureblue issue then check if it is an upstream Fedora atomic issue.

734Y4ch_7M3_7r0@programming.dev on 31 Jul 03:09 collapse

Thank you very much! Some have raised issues on immutable distros. So I don’t really know what I should do. Nor, do I know whether their criticisms are valid. Regardless, I suppose I’ll have to see it for myself and arrive at my own conclusions.

anon5621@lemmy.ml on 29 Jul 11:37 next collapse

Firstly tell what ur GPU that u wanna use it for davinci resolve ,secondly tell what ur threat model because comparing directly security of Mac os and windows doesn’t make any sense ,tell what u want exactly to achieve

734Y4ch_7M3_7r0@programming.dev on 30 Jul 03:17 collapse

Firstly tell what ur GPU that u wanna use it for davinci resolve

An Amd GPU from 7 years ago

secondly tell what ur threat model

I haven’t properly formalized my threat model yet. But assume that I want protection against any and all untargeted attacks.

tell what u want exactly to achieve

A general-use OS that I’d use to replace my Windows 10 installation. There’s a ton of software that I use and for which I have to find replacements (eventually), but Davinci Resolve is probably my biggest worry.

anon5621@lemmy.ml on 30 Jul 07:10 collapse

Is Vega 64? Or rx 580 if that so u will need to ready fight for opencl drivers cause davinci not working without them at all ,u will have to use something like opecl-mesa with rustcl RUSTICL_ENABLE.

734Y4ch_7M3_7r0@programming.dev on 31 Jul 03:15 collapse

It’s vega. So, how exactly should I proceed? Thank you so much for the help!

LeteoAtredies@lemmy.world on 29 Jul 13:55 next collapse

Trial and error as long as it isn’t a professional need. At some point you just have to try and see what works for your machine and needs.

734Y4ch_7M3_7r0@programming.dev on 30 Jul 03:18 collapse

You’re probably right. I just hoped to receive some valuable input. Thankfully, I did get some of that; so this wasn’t an exercise in vain.

siha@feddit.uk on 30 Jul 12:52 collapse

None of the popular distros will spy on you the way Windows or MacOS do, so privacy shouldn’t be a concern.

As for security, is it malware you fear? Without more specific context, the only thing that can be said for sure is that you should encrypt your drive (most distros will have the option to set that up during installation), and don’t sudo random commands you see on the internet without understanding what they do.

734Y4ch_7M3_7r0@programming.dev on 31 Jul 03:26 collapse

I believe I heard that there was some scandal involving Ubuntu, but perhaps I’m wrong. Please feel free to correct me. Are there any (other) distros that I should be weary of for privacy-sake?

For security, I want to be well-protected against any and all untargeted attacks. So protection against malware is included.

Thank you for the general notes/recommendations/advice about safe practices on Linux! Regarding sudo (and the terminal in general), I’ve just accepted that it will be part of my workflow going forward, even if the amount of times I had used it on Windows can probably be counted on one hand. Regardless, beyond not sudoing random commands, are there like rigid guidelines (or something) one should adhere to for safe/secure computing?

siha@feddit.uk on 01 Aug 21:17 collapse

The Ubuntu thing was about them making it opt-out rather than opt-in (so turned on by default), but it’s still nothing malicious and diesn’t collect any personal data. At least that’s how I remember it.

Also Linux doesn’t really have anti-viruses like Windows does (there are a few options for edgecases though). That is because Linux isn’t really targeted by malware developers as much and also Linux is actually designed to be secure.

As for general security tips, number 1 is probably using a password manager (I use a KeePassXC compatible client).

Also be careful with rm -rf. I almost deleted all the files in my home directory once. I have aliased rm to gio trash since.