broadmode on Nostr: #Fedora #Silverblue provides an immutable root system where all userspace software is ...
#Fedora #Silverblue provides an immutable root system where all userspace software is either installed to Flatpak or containers.
This has numerous benefits:
1. Very difficult to brick your system, allowing you to maintain/evolve your desktop #linux setup over years.
2. There is an entire class of malware that relies on subverting the root filesystem and implanting itself as a super process. This is not possible with Silverblue.
3. Flatpaks are sandboxed and their permissions can be clamped down with Flatseal.
4. For the few packages that require system root, Silverblue lets you update the root system in a transactional manner using `ostree`; this will create a new immutable boot partition that can easily be rolled back. I install OpenSnitch, Mullvad, and rkhunter in the root system. Everything else goes to userspace.
This is the way.
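A defender-side check that follows from point 4 above, as an added example (not part of the original post): on an immutable root, the only packages layered over the base image should be a small known set, so comparing the booted deployment's layered packages against an allowlist catches drift. The field names (`deployments`, `booted`, `packages`) are assumed from the `rpm-ostree status --json` output, the sample below is constructed, and the package names are assumed spellings.

```python
"""Flag unexpected layered packages on a Silverblue deployment.

Added example; parses the JSON that `rpm-ostree status --json` prints.
Field names are assumed from that command's output; the sample is
constructed, not captured from a real host.
"""
import json
import subprocess

# Packages the post layers onto the root image (names assumed).
EXPECTED_LAYERED = {"opensnitch", "mullvad-vpn", "rkhunter"}

# Constructed sample: booted deployment plus the previous rollback target.
SAMPLE_STATUS = json.dumps({
    "deployments": [
        {"booted": True, "version": "39.20231205.0",
         "packages": ["opensnitch", "mullvad-vpn", "rkhunter", "sshpass"]},
        {"booted": False, "version": "39.20231128.0",
         "packages": ["opensnitch", "mullvad-vpn", "rkhunter"]},
    ]
})


def booted_deployment(status_json: str) -> dict:
    """Return the deployment object marked as booted."""
    for dep in json.loads(status_json).get("deployments", []):
        if dep.get("booted"):
            return dep
    raise ValueError("no booted deployment in rpm-ostree status output")


def layered_drift(status_json: str, expected=EXPECTED_LAYERED) -> dict:
    """Compare layered packages on the booted deployment with the allowlist.

    Reports both an extra layered package (an unplanned root change that
    survived a transactional update) and a missing one (e.g. the host IDS
    no longer layered), so either direction of drift is visible.
    """
    layered = set(booted_deployment(status_json).get("packages", []))
    return {"unexpected": sorted(layered - expected),
            "missing": sorted(expected - layered)}


def live_status() -> str:
    """Read the real status on a Silverblue host (needs rpm-ostree)."""
    return subprocess.check_output(["rpm-ostree", "status", "--json"], text=True)


if __name__ == "__main__":
    print(layered_drift(SAMPLE_STATUS))
```

On a real host, replace `SAMPLE_STATUS` with `live_status()`; a non-empty `unexpected` list is the signal worth alerting on.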
Published at 2023-12-06 17:35:28

Event JSON
{
  "id": "67612c090961765bcb40cef4139c22130ba1a9ad2ff9b4622b8f3925007b7e88",
  "pubkey": "356875ffd729b06eeb4c1d7a70a1f750045d067774d21c0faffe4af2bf96a2e8",
  "created_at": 1701884128,
  "kind": 1,
  "tags": [
    ["t", "Fedora"],
    ["t", "Silverblue"],
    ["t", "linux"]
  ],
  "content": "#Fedora #Silverblue provides an immutable root system where all userspace software is either installed to Flatpak or containers.\n\nThis has numerous benefits:\n\n1. Very difficult to brick your system, allowing you to maintain/evolve your desktop #linux setup over years.\n\n2. There is an entire class of malware that relies on subverting the root filesystem and implanting itself as a super process. This is not possible with Silverblue.\n\n3. Flatpaks are sandboxed and their permissions can be clamped down with Flatseal. \n\n4. For the few packages that require system root, Silverblue lets you update the root system in a transactional manner using `ostree`; this will create a new immutable boot partition that can easily be rolled back. I install OpenSnitch, Mullvad, and rkhunter in the root system. Everything else goes to userspace.\n\nThis is the way.\nhttps://m.primal.net/HSlR.png",
  "sig": "c2f2998de6ec0916540c65e63d972347590833ce7b7412d8e9f34b58d0db87cff23866336a82b5ea195f3e899dfdf03fd731b8ab9bade95620b0d85e21a0ff52"
}