Hacker News: secureblue

New comment by secureblue in "Malicious versions of Nx and some supporting plugins were published"

secureblue — Wed, 27 Aug 2025 20:58:57 +0000

secureblue creator here :)

some corrections:

> last I heard it wasn't out of Beta or whatever yet

It is

> But it uses containers rather than VMs

It doesn't use plain containers for app isolation. We ship the OS itself as a bootable container (https://github.com/bootc-dev/bootc). That doesn't mean we use or recommend using containers for application isolation. Container support is actually disabled by default via our selinux policy restricting userns usage (this can be toggled though, of course). Containers on their own don't provide sandboxing. The syscall filtering for them is extremely weak. Flatpak (which sandboxes via bubblewrap: https://github.com/containers/bubblewrap) can be configured to be reasonably good, but we still encourage the use of VMs if needed. We provide one-click tooling for easily installing virt-manager (https://en.wikipedia.org/wiki/Virt-manager) if desired.

In short though, secureblue and Qubes aren't really analogous. We have different goals and target use cases. There is even an open issue on Qubes to add a template to use secureblue as a guest: https://github.com/QubesOS/qubes-issues/issues/9755

Secureblue: A security-focused desktop and server Linux operating system

secureblue — Sun, 09 Feb 2025 20:50:25 +0000

Article URL: https://secureblue.dev/

Comments URL: https://news.ycombinator.com/item?id=42993824

Points: 4

# Comments: 0

New comment by secureblue in "Secureblue: Hardened Fedora Atomic Images, F40 Release"

secureblue — Tue, 23 Apr 2024 19:59:10 +0000

We've been working hard to address feedback and make improvements over the last several months. Secureblue now has expanded hardening, improved documentation, and clearer scope.

Instructions are of course in the readme! :) https://github.com/secureblue/secureblue

Secureblue: Hardened Fedora Atomic Images, F40 Release

secureblue — Tue, 23 Apr 2024 19:55:55 +0000

Article URL: https://github.com/secureblue/secureblue/releases/tag/v2.0.0

Comments URL: https://news.ycombinator.com/item?id=40136527

Points: 3

# Comments: 1

Wayblue: Fedora Atomic Images for Wayland Compositors

secureblue — Sat, 09 Mar 2024 20:15:19 +0000

Article URL: https://github.com/wayblueorg/wayblue

Comments URL: https://news.ycombinator.com/item?id=39654412

Points: 13

# Comments: 2

New comment by secureblue in "Secureblue: Hardened Immutable Fedora Images"

secureblue — Sat, 16 Dec 2023 21:48:35 +0000

FYI, both userns and non-userns variants are now available. https://github.com/secureblue/secureblue/commit/38999d4123aa...

New comment by secureblue in "Secureblue: Hardened Immutable Fedora Images"

secureblue — Sat, 16 Dec 2023 02:54:53 +0000

Clearlinux has nothing comparable to this as far as I know: https://github.com/ublue-os/startingpoint

And it's also mainly geared towards server use cases, whereas this project is mainly focused on desktop users.

New comment by secureblue in "Secureblue: Hardened Immutable Fedora Images"

secureblue — Sat, 16 Dec 2023 01:02:52 +0000

Just changed it. Thanks for the feedback!

New comment by secureblue in "Secureblue: Hardened Immutable Fedora Images"

secureblue — Sat, 16 Dec 2023 00:46:58 +0000

What is your distro doing that would make someone want to degoogle it?

Certain users have expressed a preference towards Brave instead of Chromium because in their view Brave's "degoogling" of chromium is preferable. That line is in the readme to clarify that this is not a concern for the project and not in scope.

New comment by secureblue in "Secureblue: Hardened Immutable Fedora Images"

secureblue — Sat, 16 Dec 2023 00:45:57 +0000

Some people think that Brave is preferable to Chromium because they "degoogle" it.

New comment by secureblue in "Secureblue: Hardened Immutable Fedora Images"

secureblue — Sat, 16 Dec 2023 00:44:39 +0000

Trading off possible kernel bugs against letting a whole LOT of userspace software run with real root privilege

Only bubblewrap would run as root, but yes this is a fair critique as this is an opinionated tradeoff. I'm considering adding a set of userns variants to give users the choice between the two.

the packages have a bad security reputation

By default we only enable the flathub-verified remote for this reason.

Just more attack surface if you didn't remove Firefox.

We're removing firefox.

... and pushing everybody into a less tested code path. Again, what is this trying to solve?

Around half of V8 vulnerabilities are enabled by JIT: https://microsoftedge.github.io/edgevr/posts/Super-Duper-Sec...

New comment by secureblue in "Secureblue: Hardened Immutable Fedora Images"

secureblue — Fri, 15 Dec 2023 23:58:16 +0000

As a follow up to this, given that bubblewrap-suid without userns vs bubblewrap with userns is a tradeoff, I could make it so both variants are published. This would give users choice between the two and be less opinionated. If this is wanted please open an issue for it and I'll add it.

New comment by secureblue in "Secureblue: Hardened Immutable Fedora Images"

secureblue — Fri, 15 Dec 2023 23:33:09 +0000

I'm just making a judgement call for myself. Any other project ontop of Fedora increases the attack vector with its own maintainers.

Totally understandable.

an ISO

Small point of correction: we're not publishing ISOs.

New comment by secureblue in "Secureblue: Hardened Immutable Fedora Images"

secureblue — Fri, 15 Dec 2023 23:28:08 +0000

Universal blue, the starting point for this project, is fedora based. https://universal-blue.org/

No other distro has the same level of immutable tooling or support for immutable variants at this time. Also, Fedora has selinux tooling and enforcing mode out of the box and they're working on further selinux improvements upstream, so we'll get that for free.

New comment by secureblue in "Secureblue: Hardened Immutable Fedora Images"

secureblue — Fri, 15 Dec 2023 23:26:00 +0000

I'm a little concerned that degoogling would be necessary.

I don't follow. The readme specifically says it's not in scope.

How much of the user's privacy is this thing selling away in the name of "security"?

Nothing more or less than upstream fedora. The point of putting that in there is to make it so we don't get people opening issues to ask us to switch to Brave or what have you.

tradeoff

Yes, it's a tradeoff and it's made clear in the readme that we're doing this.

Why should I trust this? It's an unofficial respin by an anonymous user; why would a user trust it?

I would have the same question :)

As I said in another comment: All of the CICD is completely open and transparent. You can read through the github actions logs and build config to verify everything for yourself if you want.

New comment by secureblue in "Secureblue: Hardened Immutable Fedora Images"

secureblue — Fri, 15 Dec 2023 23:00:32 +0000

Most of this can be done with Ansible.

All of this can be done in several ways. Ansible, manually, a script, etc. Building it into an image just makes it more convenient.

So why should I download images from a 3rd party outside of the Fedora project?

All of the CICD is completely open and transparent. You can read through the github actions logs and build config to verify everything for yourself if you want.

If you really want to harden an OS with a good SElinux implementation you should try enabling user roles.

Agreed, that would be a massive improvement. There's a SIG upstream working on it.

Secureblue: Hardened Immutable Fedora Images

secureblue — Fri, 15 Dec 2023 21:55:18 +0000

Article URL: https://github.com/secureblue/secureblue

Comments URL: https://news.ycombinator.com/item?id=38659291

Points: 96

# Comments: 49