With all the supply chain attacks in the Linux ecosystem, isn’t the natural solution to move to full application sandboxing?
Flatpacking is great but not all applications support it.
Is it too much of a hassle?
I would try Secureblue first, if you are still comfy then try Qubes. Real security can be annoying. Test what your limit is.
Thanks for the rec
I’ve been daily driving Qubes OS for the last 6 years. You don’t need to be a Linux expert but you should know basic things. And a few common commands and maybe simple bash scripting if you want some level of customization.
Main thing is divide your personas, and create a qube for each of them. And if you just want to search for some random shit use disposable VMs.
My setup is something like this: I’ve 3 debian and 3 fedora templates: 1) minimal, used for sys VMs and vault; 2) normal template, here I only install packages available in the official debian/fedora repos; 3) in this template I add custom repos which are still trustworthy.
Then depending on what I need in which app on I assign the template.
I’m forced to use zoom and other very intrusive apps; for them I’ve just set up the rc.local script (this runs at the start of any Qube) to install them.
Also, even though Qubes provides isolation at Qube level, I still use firejail inside all the VMs; it just takes a few minutes to set up and gives peace of mind.
Also, the hassle depends on what you use it for. A few pain points for me are:
- Nested virtualization isn’t possible* there are some workarounds and in most cases it’s okay. The only problem is for Android app development. In that case the best solution is to just use adb and connect your own device.
- PCI passthrough: it was really terrible a few years ago but now it works in most cases, but for me sometimes my laptop overheats. I don’t need it very often so I haven’t spent time to fix it.
Neat, thanks for the insight. I’ll try it out tomorrow, test out the personas
I’ve never daily driven it as my main machine but I’ve used it as an auxiliary driver for a more high-security machine. Afaik things like gaming are sort of a no-go on Qubes still.
Qubes does not just do sandboxing. It runs all user programs in VMs, which adds non-negligible overhead and makes it an unsuitable OS for many more lightweight systems like laptops. And even if your PC can run Qubes without issue, you may not want that additional overhead if you want to do anything computationally intensive.
No. Security and privacy are necessary but are nothing if not balanced with convenience. A little sacrifice of convenience is necessary but Qubes and even Secureblue passed the mark in my rule. This comes from one that has in its installation: LUKS, Secure boot, TPM PCR 7 verification, Apparmor.d updates and enforced, UFW, dnscrypt, run0, AIDE, Lynis, auditd, checking reproducible packages, etc…
The latest attack on the AUR would be solvable by Nix, in theory, Qubes would still suffer from this, only it’s compartmentalized, whereas Nix would be safe from my understanding.





