How does Kicksecure compare to Silverblue?
Created just now to answer this:
Silverblue/secureblue does not have a live-mode - it is seriously inferior to Kicksecure. I think many people like kicksecure for its live mode.
Kicksecure uses sudo. Secureblue now uses run0. See Release v4.2.0 - secureblue goes sudoless! · secureblue/secureblue · GitHub.
In a continuing effort to minimize and eventually eliminate suid-root binaries, sudo, su, and pkexec have all been removed from the images. As noted at the end of this section of the postinstall readme, polkit prompts and manual polkit invocations via run0 can be used to accomplish the same functionality without suid-root, notably even for non-wheel users (by prompting for the wheel user’s password). In addition, suid-root has been removed from numerous other binaries that don’t require it.
How does Kicksecure compare to Silverblue?
Silverblue/Secureblue is an atomic-based distribution. Updates to the system are done in one go via updating the entire system image. This is very different than debian/kicksecure, which updates via individual packages and allows the user to install/remove packages at will.
Because of the above, graphical installations are not installed via fedora’s package repository. They are instead installed via flatpak, which provides containerized applications that “keep themselves separate from the base system” and “allow for fine-grained control over their permissions.” See Fedora Silverblue | The Fedora Project.
This is in contrast to debian/kicksecure. While debian/kicksecure allow for flatpaks, the primary way of installing applications is from the debian and kicksecure package repositories (as well as other repositories that the user may add). This means that most applications run without a sandbox by default. However, the choice to use flatpaks as a primary method of app distribution by Secureblue means that they have to deal with the downsides of flatpak. See the (controversial) opinions Flatpak - a security nightmare and Linux | Madaidan's Insecurities.
Also, kicksecure/debian rely on old “stable” packages with security fixes that receive CVEs backported to them. This has been criticized for missing many security vulnerabilities that do not receive CVEs. From the (controversial) madaidan article-
A myriad of common Linux distributions, including Debian, Ubuntu, RHEL/CentOS, among numerous others use what’s known as a “stable” software release model. This involves freezing packages for a very long time and only ever backporting security fixes that have received a CVE. However, this approach misses the vast majority of security fixes. Most security fixes do not receive CVEs because either the developer simply doesn’t care or because it’s not obvious whether or not a bug is exploitable at first.
Distribution maintainers cannot analyse every single commit perfectly and backport every security fix, so they have to rely on CVEs, which people do not use properly. For example, the Linux kernel is particularly bad at this. Even when there is a CVE assigned to an issue, sometimes fixes still aren’t backported, such as in the Debian Chromium package, which is still affected by many severe and public vulnerabilities, some of which are even being exploited in the wild.
This is in contrast to a rolling release model, in which users can update as soon as the software is released, thereby acquiring all security fixes up to that point.
By contrast, Silverblue/Secureblue is based on fedora, which is likely to have newer packages. Newer packages will presumably have the security fixes up to that point without backporting, although it is possible for newer packages to accidentally break previous security patches. It is also possible for newer packages to introduce new bugs and new vulnerabilities. Flatpaks will also usually have the newest software available.
Additionally, Silverblue/Secureblue uses the GNOME desktop environment and presumably the Wayland protocol by default. By contrast, debian/kicksecure uses the xfce desktop environment and the X11 display server by default. X11 is thought to be less secure than Wayland due to lack of GUI isolation. See madaidan again:
Another example of Flatpak’s broad permissions is how it allows unfiltered access to the X11 socket, permitting easy sandbox escapes due to X11’s lack of GUI isolation. Adding X11 sandboxing via a nested X11 server, such as Xpra, would not be difficult, but Flatpak developers refuse to acknowledge this and continue to claim, “X11 is impossible to secure”.
Because kicksecure uses xfce and x11, kicksecure has this problem, while silverblue does not. However, the development team behind xfce is working on making the desktop environment compatible with wayland. Kicksecure can switch to wayland after xfce releases a version that supports wayland.
To sum up, those are four big differences-
- “Atomic” distribution vs. traditional distribution
- Level of reliance on flatpak
- Newness of the packages
- Wayland vs. X11
And there are other differences, but those are four big ones.
And I would like to add “Flatpak is messy”. What I mean with that:
- Flathub Package Sources Security
- Flatpak Package Manager Security
- Indicate on flathub.org Whether a Flatpak is Built from Source or Binary During Build Process on Flathub · Issue #5733 · flathub/flathub · GitHub
The packaging quality on Flathub is a lot lower than in the Debian repository. Debian packaging is strict and quality work. Flathub has taken shortcuts, which is completely ignoring the issue of EmbeddedCopies.
The notes at http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/wiki/Dev/secureblue have comments regarding non-userns variants. This is no longer correct, because secureblue has merged the two variants in the latest version. See Release v4.3.0 - SELinux-restricted user namespaces, and much more! · secureblue/secureblue · GitHub for a full explanation. Also see Secureblue - Immutable Fedora Hardening - #147 by RoyalOughtness - Tool Suggestions - Privacy Guides Community.
duh yeah it's great, I turn it on when I do my banking and the like.
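The secureblue release note quoted earlier in this thread says sudo, su and pkexec were removed and suid-root was stripped from other binaries. As an added example (not part of any post here and not secureblue's or Kicksecure's own tooling), this shell snippet lists the setuid files under a directory tree and checks whether those three are still among them; the function names `list_setuid` and `check_removed` are made up for the illustration.

```shell
#!/bin/sh
# Added example: audit setuid binaries under a directory tree.

# list_setuid ROOT [OWNER]
# Print every regular file under ROOT that has the setuid bit set and is
# owned by OWNER (default: root). -xdev keeps the scan on one filesystem,
# so /proc, /sys and network mounts under ROOT are not traversed.
list_setuid() {
    find "$1" -xdev -type f -user "${2:-root}" -perm -4000 -print 2>/dev/null | sort
}

# check_removed ROOT [OWNER]
# Check whether sudo, su or pkexec (the three binaries named in the
# release note) still exist as setuid files under ROOT.
# Returns 0 when none is found, 1 otherwise (and prints the offenders).
check_removed() {
    hits=$(list_setuid "$1" "${2:-root}" | grep -E '/(sudo|su|pkexec)$') || true
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits" | sed 's/^/still setuid: /'
    return 1
}

# When called with a directory argument, audit it, for example:
#   sh audit-setuid.sh /usr
if [ "$#" -gt 0 ]; then
    echo "setuid-root files under $1:"
    list_setuid "$1"
    if check_removed "$1"; then
        echo "sudo, su and pkexec are not setuid-root under $1"
    fi
fi
```

Comparing the `list_setuid` output before and after a system update shows whether a package has reintroduced a setuid-root binary.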