So, I’m currently on Kubuntu and I’m not really a fan. I want to take the opportunity to switch to a better distro. Ideally I’d use secureblue but I’m hoping for advice on how practical it is as a daily driver from the people who’ve used it.
My priorities are:
- Using Linux.
- Using Firefox.
- Security, within reason.
- Using software which treats security with the importance it warrants (If desktop Linux should improve in one area in 2026, it’s security).
My options are:
- Fedora Kinoite
- Fedora KDE with some hardening
- Secureblue
My needs are:
- Browsers: Firefox, Mullvad Browser, a Blink-based browser (backup).
- Extensions: Ublock Origin (Lite or otherwise), Noscript, Proton Pass
- Apps: Freetube, Anki, Discord, Threema, Libreoffice, Mullvad VPN, Kwrite, Kolourpaint
- Sound: Bluetooth headphones, Sound, Printing (Optional)
I’ve stopped using themes, partly because of the security issues and partly because I just don’t really like them anymore. I’ve replaced them with the Plastic window decorations that come default on Kubuntu and a custom colour scheme.
On Firefox:
- I need Firefox because it allows me to create duplicate bookmarks with ease. I manage a lot of things via bookmarks and sometimes they overlap.
- Secureblue has been incompatible with Firefox in the past, but IIRC Firefox recently added support for hardened_malloc. I can’t find where I read this though.
- In terms of the security issues with Firefox, I’ve installed Noscript to prevent untrusted sites from running javascript (especially Wasm). I can swap to a blink-based browser where it requires trusting too many sites.
- Proton Pass … I don’t log directly into it on my computer (only on GrapheneOS) and I don’t have my 2FA keys stored on it. I need it for a Passkey because neither Linux nor GrapheneOS support them natively and my government services’ 2FA codes requires it’s own app which requires the Play Integrity API (bloody Australia). My government services are a very high value target (because Australia).
- I wonder if I really need hardened_malloc in the first place, since with the state of Linux security I’m not sure there’s a reason someone would use a memory vulnerability unless I’m being targeted personally (and nobody’s gonna do that for me).
Security goals:
- I want to make sure the software I install don’t have access to anything they don’t need to.
- I want to make sure that any website I visit won’t be able to access my file system.
- I want to make sure that my browser extensions won’t be able to access my file system.
- I want to use a distro that’s somewhat resilient against supply chain attacks.
- Proximity to upstream for timely security patches.
I’m after security against malware and websites to prevent my email or government services from being accessed maliciously, but I want to do so without over-relying on the obscurity of Linux and Firefox.
In other words, I want to do my due diligence on security.
Malware in the traditional sense, as in a malicious program that sneaks its way onto your machine and runs a dangerous payload, is far far more common on Linux machines with open ports acting as servers on the internet. And even then, I’d wager that’s less than 1% of the malware out there that specifically targets Windows simply due to market share. With that in mind, plain old Fedora will do just fine, especially if you leave SELinux enabled; many tutorials have you disable it if it interferes with apps/services you want to run, but they’re simply being lazy, working around SELinux can be obscure at times, but it’s still worth doing, and keeping it running rather than disabling it.
Malicious webpages and phishing attempts are more likely to cause you trouble on Linux, and the OS can only do so much to protect you there. Securing against those is more about vigilance and wisdom, which it sounds like you’ve got covered honestly!
In terms of phishing I am very prepared. In terms of malicious webpages not really. Noscript probably helps but I click on basically any link with no regard for safety, and if it doesn’t work I normally give it any javascript permissions it asks for (except wasm, unrestricted css, LAN, and other). Plus there’s the added risk of browser extension supply chain attacks that I’ve been getting increasingly paranoid about.
I think you’re right about software. If I use SELinux, and especially if I use a hardened profile on it, then I should be reasonably secure. If I uninstall sudo and switch to run0 (which I prefer using anyway) then malware probably wouldn’t be able to do much of anything if it escapes the sandbox. I’ve heard everywhere that Fedora and OpenSUSE are relatively good on security so I have every reason to trust your assessment.
I have openSUSE on my main machine, with SELinux. They are more security focused by default than some other distros.
Firewall on by default, SELinux enforcing by default, sudo needs root password-not just passwordless or same user password like some distros. There’s a YAST GUI hardening App so you can see what passes best security practise and what needs attention. Zypper has various patch commands so you see a list of what patches are available, their critical/recommended status, and weather they are installed or unneeded for your setup. Also ability to apply patches by CVE numbers.
SELinux can be frustrating initially, until you get used to how it works. I.e. I setup shared network folders but couldn’t see data in some folders, it was because copying files into the folder to be served doesn’t automatically give access over the share, there needs to be SEL policy assigned to the files which you establish the policy and then can apply to all files in the folder.
I had a bad experience with OpenSUSE in the past. I’m also nostalgic for that time (mainly because of the colour scheme I had on KDE at the time) but at the moment I want to try Fedora or Secureblue.
Yeah, all good choices.