Sorry to be that guy, but you should just sit down and go over Qubes OS' documentation. Some specific entries that might prove useful:

• How to organize your qubes
• How to install software
• How to install software in dom0
• Creating a Kali Linux TemplateVM

If you ask me, read a lot more beyond these. But if you really got no time, then at least suffice with the aforementioned.

Wish ya good luck!

I think we’ve probably already spoken on the matter.

That's definitely possible. Unfortunately, I don't recall it 😅.

Indeed, Lemmy has a serious dearth of users interested and using secure distros over the averages.

It's definitely better at this than the platform that starts with an "R" and rhymes with "shit".

Thanks for your efforts; I do not know how to follow users on Lemmy but if I did I’d follow you. Do you have a blog/any other forum you’re more active on?

That's such a compliment. This is definitely one of the nicest things I've read on Lemmy. I really appreciate it.

Unfortunately, I'm only somewhat active on Lemmy. FWIW, consider checking out the following places if you haven't yet:

• dataswamp.org/~solene
• privsec.dev
• tech.michaelaltfield.net/

And, of course, Qubes OS' forums.

Personally, I find it difficult to justify the time to learn Secureblue (especially the immutable part) or NixOS on Qubes because custom DispVMs with curated salt states work so well already. I’m interested in use-cases that will improve my security but I haven’t found any dialogue on this yet. If you do have opinions on this and know where I can look, I would greatly appreciate it!

As I've previously alluded to, I don't have any hands-on experience with Qubes OS yet. So, I don't think I can contribute meaningfully in this discussion. However, IIRC, there are some discussions found on the forums/discussions page for Qubes OS.

Please allow me to link to an earlier comment of mine that goes over this in more length. You may also find it copied-and-pasted down below:

First of all, apologies for delaying this answer.

Disclaimer:

• I'm not an expert. While I try to verify information and only accept it accordingly, I'm still human. Thus, some falsehoods may have slipped through, my memory may have failed me, and/or what's found below could be based on outdated data.
• Additionally, I should note that I'm a huge nerd when it comes to 'immutable' distros. As a result, I'm very much biased towards secureblue, even if Kicksecure were to address all of their 'issues'.
• Furthermore, for the sake of brevity, I've chosen to stick closely to the OOTB experience. At times, I may have diverged with Qubes OS, but Qubes OS is so far ahead of the others that it's in a league of its own.
• Finally, it's important to mention that -ultimately- these three systems are Linux' finest when it comes to security. In a sense, they're all winners, each with its use cases based on hardware specifications, threat models, and priorities. However, if forced to rank them, I would order them as:

Qubes OS >> secureblue >~ Kicksecure

Context: Answering this question puts me in a genuinely conflicted position 😅. I have immense respect for the Kicksecure project, its maintainers and/or developers. Their contributions have been invaluable, inspiring many others to pursue similar goals. Unsurprisingly, some of their work is also found in secureblue. So, to me, it feels unappreciative and/or ungrateful to criticize them beyond what I've already done. However, I will honor your request for the sake of providing a comprehensive and balanced perspective on the project's current state and potential areas for improvement.

Considerations: It's important to approach this critique with nuance. Kicksecure has been around for over a decade, and their initial decisions likely made the most sense when they started. However, the Linux ecosystem has changed dramatically over the last few years, causing some of their choices to age less gracefully. Unfortunately, like most similar projects, there's insufficient manpower to retroactively redo some of their earlier work. Consequently, many current decisions might be made for pragmatic rather than idealistic reasons. Note that the criticisms raised below lean more towards the idealistic side. If resources allowed, I wouldn't be surprised if the team would love to address these issues. Finally, it's worth noting that the project has sound justifications for their decisions. It's simply not all black and white.

With that out of the way, here's my additional criticism along with comparisons to Qubes OS and secureblue:

• Late adoption of beneficial security technologies: Being tied to Debian, while sensible in 2012, now presents a major handicap. Kicksecure is often late to adopt new technologies beneficial for security, such as PipeWire and Wayland. While well-tested products are preferred for security-sensitive systems, PulseAudio and X11 have significant exploits that are absent from PipeWire and Wayland by design. In this case, preferring the known threat over the unproven one is questionable.
  • Qubes OS: Its superior security model makes direct comparisons difficult. However, FWIW, Qubes OS defaults for its VMs to Debian and Fedora. The latter of which is known to push new technologies and adopt them first.
  • secureblue: Based on Fedora Atomic, therefore it also receives these new technologies first.
• Lack of progress towards a stateless^[1] system: Stateless systems improve security by reducing the attack surface and making the system more predictable and easier to verify. They minimize persistent changes, impeding malware's ability to maintain a foothold and simplifying system recovery after potential compromises. While this is still relatively unexplored territory, NixOS's impermanence module is a prominent example.
  • Qubes OS: There's a community-driven step-by-step guide for achieving this.
  • secureblue: Based on Fedora Atomic, which has prioritized combating state since its inception^[2]. Its immutable design inherently constrains state compared to traditional distros, with ongoing development promising further improvements.
• Deprecation of hardened_malloc: This security feature, found in GrapheneOS, was long championed by Kicksecure for Linux on desktop. However, they've recently chosen to deprecate it.
  • Qubes OS: Supports VMs with hardened_malloc enabled OOTB, for which Kicksecure used to be a great candidate.
  • secureblue: Continues to support hardened_malloc and has innovatively extended its use to flatpaks.

1. This paper provides a comprehensive (albeit slightly outdated) exposition on the matter. Note that it covers more than just this topic, so focus on the relevant parts.
2. Colin Walters, a key figure behind Fedora CoreOS and Fedora Atomic, has written an excellent blog post discussing 'state'.

I daily drive secureblue; or, to be more precise, its bluefin-main-userns-hardened image.

"Why?", you ask. Because security is my number one priority.

I dismiss other often mentioned hardened systems for the following reasons:

• Qubes OS; my laptop doesn't satisfy its hardware requirements. Otherwise, this would have been my daily driver.
• Kicksecure; primary reason would be how it's dependent on backports for security updates.
• Tails; while excellent for protection against forensics, its security model is far from impressive otherwise. It's not really meant as a daily driver for general use anyways.
• Spectrum OS; heavily inspired by Qubes OS and NixOS, which is a big W. Unfortunately, it's not ready yet.

Nix, the package manager, is distro-agnostic. Add Home Manager on top of it and you're good to go; both packages and dotfiles are dealt with.

Very curious. I didn't know this. I tried verifying this, but didn't manage to do so.

So, I got to ask; Was this just a joke? Or is there (some) truth to this claim?

Justice!

Does the problem persist after a reboot?

Your reply is much appreciated! Even though I am saddened by the content. And apologies for the upcoming long reply. I thank you in advance for reading through it all.

Imo

Thank you for weakening it with "Imo"! To clarify; it seemed as if the "authority" in "appeal to authority" was conflated with content creators. If this wasn't an appeal to authority in the first place, then please feel free to dismiss my earlier stated sentence.

Normally, I would have asked for clarification in order to prevent possible miscommunication. Unfortunately, after our first serious attempt at reconciling our differences failed miserably, I have instead chosen for a more direct approach in hopes of making it more accessible. It's also more prone to being misunderstood as confrontational, aggressive et cetera. But, if even my super sweet approach in the earlier mentioned conversation failed, I don't see why I should make it less accessible for all involved parties if it doesn't benefit either of us.

this shows your aggressive inability to accept opinions different to yours

I may as well accuse you of doing the same. But..., I don't. But somehow I'm perceived as the villain. I simply fail to understand.

On Lemmy, I engage for one reason, and for one reason only; to arrive at a mutual understanding. This manifests itself in multiple ways:

• I'm interested in the communities output on a certain query and engage with them through a post I create.
• I'm introduced to a new concept through a post/comment -> Search engines don't yield anything useful -> I ask a question in hopes of learning something new -> And hopefully that engagement yields new information for me; I'm primarily on the receiving end of 'profit'
• Someone poses something that I don't agree with or don't understand -> I engage in hopes of my understanding being proven wrong; as that results in the most new information; hence most profit -> Most often, it's somewhere in between; I might get a new perspective on something, but not too crazy. At times, though, the person I was engaging with had some notions that were not entirely backed up; hence, we both end up learning a thing or two
• Misinformation or fake news or misunderstanding or whatever known false fact is shared -> I engage in hopes of combating false notions. No profit; but you gotta do what you gotta do
• Question is asked, I happen to know an answer that might be helpful -> I contribute. No profit; but contributions are required to foster a nice community

To be clear; I love to accept valid criticism. Especially, if they provide me with new insights and polish my own ideas/notions. Heck, I've even been complimented on how I engage with them in one of our first interactions. And, if you've noticed, this very conversation below our current post is not very different. I just ask you to back up your claims so that I may learn from them. I want to accept them; new knowledge/insights/profit et cetera. But I can't simply accept your claims on the basis of nothing. That doesn't make any sense. That's not how epistemology works.

even if they are obviously more true.

If they're "obviously more true", then it should have been obviously easy to prove their truth. But, I've yet to receive a proof, even after I've explicitly asked you. Or, conversely, proof my falsehood. That's basically the problem at hand: you're less sensitive to back up your claims; even when pressed to do so. Instead, you choose to do whatever you did (or tried) in your most recent reply.

Or, I don't know, ask me how I'm so sure of my own convictions/judgements/ideas. But, and that's very curious; I don't recall you ever asking me a question. Isn't that the most obvious indication that I'm actively trying to engage with your ideas and your output? While you seem to be completely devoid of that. And, somehow, I've become the one that's regarded as possessing "aggressive inability to accept opinions different to yours, even if they are obviously more true.". Sorry, I simply can't take this serious 😅.

At this point I'm asking you to stop stalking me and making fun of me

Fam, you got some hate-boner towards Fedora, 'immutable' distros and especially their intersection; Fedora Atomic. Either educate yourself on them and act accordingly, or simply stop spreading misinformation. Either way, you'll never hear from me again. Related point; simply don't spread misinformation. Period.

making fun of me

I fail to see how I am even making fun of you. If you perceive 'pressing to back up claims' as making fun of you, then... I simply don't know what to say.

Thank you for the reply!

Disclaimer: After a couple of revisions and rewrites, I concluded that directness and conciseness was required. If my tone seems confrontational at times, I would like you to know that that's not my intent. Therefore, in such cases, I would like to friendly request you to assume the best. Thank you.

User-friendly articles

How is uBlue's documentation not user-friendly? Be specific and come with an example.

forums

Naive in a post-Discord world.

User-friendly articles and answers on forums to absolutely all more or less common issues

Based on what do you imply that uBlue's discourse and Discord has failed this? Again, be explicit and give an example.

It's very important for a new user imo. We shouldn't overwhelm them with choices and technical documentation.

Assumes new users to be sufficiently homogeneous in this regard. The silent majority is not accounted for.

choices

What choices?

If you don't believe me

I believe there's definitely some truth in your earlier made statements.

check some content creators. They all agree that we should just give them a popular distro like Mint or Ubuntu and let them progress as fast as they can.

Even if that's true, I think it's hilarious to appeal to their consensus 😂.

Recommending Fedora and especially its atomic spins without much documentation to a new user?

To be clear; while OP does mention "Fedora Silverblue" to introduce and contrast atomic distros to traditional ones, they only explicitly recommend uBlue images.

And while it's by no means as exhaustive as the ArchWiki or Gentoo Wiki, uBlue's documentation isn't a slouch either; I've seen far worse. If possible, could you name what's crucially missing?

Thank you for the clarifications!

Regarding what you mentioned on Debian; ultimately, you're a lot more experienced than I am with it. But, IIUC, Debian 12 should have done a great job at easing (new) users into its ecosystem. Not sure if it's sufficient though.

I'm well aware that both elementaryOS and its Pantheon DE were innovative and made major strides for user-friendliness a couple of years back. Hence, they rightfully earned a spot among the newbie-friendly distros. However, I might be wrong, but it feels as if they haven't been able to keep momentum. And therefore lost their significance.

If you think I'm wrong, please feel free to correct me; I would love to be educated on how elementaryOS has kept relevance (if they actually have).

but I don’t think immutable distro are a good place to start.

FWIW, the first distro I used and subsequently daily-drove^[1] was Fedora Silverblue over two years ago. The try-hard in me immediately started off (or at least tried) applying the hardening outlined in Madaidan's article. After banging my head for a week, I started actually using the system and it has been a very smooth ride ever since. The uBlue images are straight up better when it comes to the OOTB-experience without even mentioning the associated 'managed'^[2] aspect that comes with it. Therefore, I believe that they're perfectly suitable. They're not for everyone, but no distro is anyways.

1. I forgot to mention how simultaneously I quit Windows cold turkey as well.
2. The uBlue images are able to 'prevent' breakages that would otherwise affect everyone.

First of all, thank you for this! This effort is very much appreciated and will definitely make it easier to parse through Linux; especially for beginners.

Having said that, some personal nitpicks of mine:

• I absolutely love Fedora. But if it's named first on your list of beginner distros (presumably due to alphabetical ordering), then it better be easy as hell and work as expected OOTB. Unfortunately, that ain't the case. Hence, at least mentioning the Howto page of RPM Fusion would have been sensible to combat issues users might experience otherwise.
• I'm fine with the inclusion of openSUSE Aeon, but openSUSE Kalpa is literally in Alpha. Therefore, it's too early to be recommended.
• I'm personally not very bothered with Fedora Workstation on the list of distros geared towards beginners, while Debian is found on the list of power-user distros that beginners should avoid instead. (I'm a die hard Fedora fanboy anyways.) However, I am curious to your reasoning/justification.
• Alpine Linux was originally envisioned as an embedded-first distribution. Therefore, most of its design choices revolve around that; small, secure, simple et cetera. The way that you describe/depict Alpine Linux, is more in line with how I would for (what I'd refer to as) demonstrative distros like Artix and Devuan.

How do the 'offspring' of Mandrake/Mandriva compare to one another? IIRC, there's ALT, Mageia, OpenMandriva, PCLinuxOS and ROSA.

I've also come to the understanding that what set Mandrake apart from its peers was its polish and user-friendliness. Which, harbored a great community back in the days. Currently, however, this role is fulfilled by distros like Linux Mint. Furthermore, most distros are relatively straightforward anyways. So, my other questions would be:

• Could the argument be made that Linux Mint is the actual spiritual successor to Mandrake?
• Are the Mandrake-offspring's most compelling raison d'être that they're Mandrake's offspring?

Not the person you asked, but they might have referred to the fact that (technically) Qubes OS is not a Linux distro because it's based on Xen instead. Though, even then, we might refer to it as a Xen distro (if anything).

Got anything to back that up?

Compartmentalization buys you disposable VMs.

And more.

TAILS is amnesic, which is an improvement to this.

How? Please focus on the security merits.

Everything is lost between sessions

If this is your reasoning to justify your earlier statement, please explain how this outdoes Qubes OS when it comes to security.

Btw, it seems you're conflating protection against forensics with a proper security model. In terms of security, TAILS does not provide anything remotely comparable to Qubes OS. Qubes OS is literally built differently. In case you enjoy tables.

Windows 11 minimally requires: Memory: 4 gigabytes (GB) or greater.

Qubes OS minimally requires: Memory: 6 GB RAM