mirror of
https://github.com/PrivSec-dev/privsec.dev.git
synced 2025-01-09 14:19:28 -05:00
6b30fb93fe
Signed-off-by: Tommy <contact@tommytran.io>
11 lines
26 KiB
HTML
11 lines
26 KiB
HTML
<!doctype html><html lang=en dir=auto><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=robots content="index, follow"><title>Choosing Your Desktop Linux Distribution | PrivSec.dev</title><meta name=keywords content="operating system,security,linux"><meta name=description content="Not all Linux distributions are created equal. When choosing a Linux distribution, there are several things you need to keep in mind.
|
||
Release cycle You should choose a distribution which stays close to the stable upstream software releases, typically rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates.
|
||
For frozen distributions, package maintainers are expected to backport patches to fix vulnerabilities (Debian is one such example) rather than bump the software to the “next version” released by the upstream developer."><meta name=author content="Tommy"><link rel=canonical href=https://privsec.dev/os/choosing-your-desktop-linux-distribution/><link crossorigin=anonymous href=/assets/css/stylesheet.8b523f1730c922e314350296d83fd666efa16519ca136320a93df674d00b6325.css integrity="sha256-i1I/FzDJIuMUNQKW2D/WZu+hZRnKE2MgqT32dNALYyU=" rel="preload stylesheet" as=style><script defer crossorigin=anonymous src=/assets/js/highlight.f413e19d0714851f6474e7ee9632408e58ac146fbdbe62747134bea2fa3415e0.js integrity="sha256-9BPhnQcUhR9kdOfuljJAjlisFG+9vmJ0cTS+ovo0FeA=" onload=hljs.initHighlightingOnLoad()></script>
|
||
<link rel=icon href=https://privsec.dev/%3Clink%20/%20abs%20url%3E><link rel=icon type=image/png sizes=16x16 href=https://privsec.dev/%3Clink%20/%20abs%20url%3E><link rel=icon type=image/png sizes=32x32 href=https://privsec.dev/%3Clink%20/%20abs%20url%3E><link rel=apple-touch-icon href=https://privsec.dev/%3Clink%20/%20abs%20url%3E><link rel=mask-icon href=https://privsec.dev/%3Clink%20/%20abs%20url%3E><meta name=theme-color content="#2e2e33"><meta name=msapplication-TileColor content="#2e2e33"><noscript><style>#theme-toggle,.top-link{display:none}</style></noscript><meta property="og:title" content="Choosing Your Desktop Linux Distribution"><meta property="og:description" content="Not all Linux distributions are created equal. When choosing a Linux distribution, there are several things you need to keep in mind.
|
||
Release cycle You should choose a distribution which stays close to the stable upstream software releases, typically rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates.
|
||
For frozen distributions, package maintainers are expected to backport patches to fix vulnerabilities (Debian is one such example) rather than bump the software to the “next version” released by the upstream developer."><meta property="og:type" content="article"><meta property="og:url" content="https://privsec.dev/os/choosing-your-desktop-linux-distribution/"><meta property="article:section" content="os"><meta name=twitter:card content="summary"><meta name=twitter:title content="Choosing Your Desktop Linux Distribution"><meta name=twitter:description content="Not all Linux distributions are created equal. When choosing a Linux distribution, there are several things you need to keep in mind.
|
||
Release cycle You should choose a distribution which stays close to the stable upstream software releases, typically rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates.
|
||
For frozen distributions, package maintainers are expected to backport patches to fix vulnerabilities (Debian is one such example) rather than bump the software to the “next version” released by the upstream developer."><script type=application/ld+json>{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":2,"name":"Operating Systems","item":"https://privsec.dev/os/"},{"@type":"ListItem","position":3,"name":"Choosing Your Desktop Linux Distribution","item":"https://privsec.dev/os/choosing-your-desktop-linux-distribution/"}]}</script><script type=application/ld+json>{"@context":"https://schema.org","@type":"BlogPosting","headline":"Choosing Your Desktop Linux Distribution","name":"Choosing Your Desktop Linux Distribution","description":"Not all Linux distributions are created equal. When choosing a Linux distribution, there are several things you need to keep in mind.\nRelease cycle You should choose a distribution which stays close to the stable upstream software releases, typically rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates.\nFor frozen distributions, package maintainers are expected to backport patches to fix vulnerabilities (Debian is one such example) rather than bump the software to the “next version” released by the upstream developer.","keywords":["operating system","security","linux"],"articleBody":"Not all Linux distributions are created equal. When choosing a Linux distribution, there are several things you need to keep in mind.\nRelease cycle You should choose a distribution which stays close to the stable upstream software releases, typically rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates.\nFor frozen distributions, package maintainers are expected to backport patches to fix vulnerabilities (Debian is one such example) rather than bump the software to the “next version” released by the upstream developer. Some security fixes do not receive a CVE (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release.\nHolding packages back and applying interim patches is generally not a good idea, as it diverges from the way the developer might have intended the software to work. Richard Brown has a presentation about this:\nTraditional and Atomic updates Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating.\nAtomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic.\nA transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state.\"\nAdam Šamalík has a presentation with rpm-ostree in action:\nEven if you are worried about the stability of the system because of regularly updated packages (which you shouldn’t), it makes more sense to use a system which you can safely update and rollback instead of an outdated distribution partially made up of unreliable backport packages without an easy to actually roll back in case something goes wrong like Debian.\nArch-based distributions Acrh Linux has very up to date packages with minimal downstream patching. That being said, Arch based distributions are not recommended for those new to Linux, regardless of the distribution. Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own.\nFor a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a mandatory access control system, setting up kernel module blacklists, hardening boot parameters, manipulating sysctl parameters, and knowing what components they need such as Polkit.\nIf you are experienced with Linux and wish to use an Arch-based distribution, you should use Arch Linux proper, not any of its derivatives. Here are some examples of why that is the case:\nManjaro: This distribution holds packages back for 2 weeks to make sure that their own changes do not break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest libraries from Arch’s repositories. Garuda: They use Chaotic-AUR which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks. Kicksecure While you should not use an outdated distributions like Debian, if you decide to use it, it would be a good idea to convert it into Kicksecure. Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default.\n“Security-focused” distributions There is often some confusion about “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use.\nLinux-libre kernel and “Libre” distributions Do not the Linux-libre kernel, since it removes security mitigations and suppresses kernel warnings about vulnerable microcode for ideological reasons.\nIf you want to use one of these distributions for reasons other than ideology, you should make sure that they there is a way to easily obtain, install and update a proper kernel and missing firmware. For example, if you are looking to use GUIX, you should absolutely use something like the Nonguix repository and get all of the fixes as mentioned above.\nWayland You should a desktop environment that supports the Wayland display protocol as it developed with security in mind. Its predecessor, X11, does not support GUI isolation, allowing all windows to record screen, log and inject inputs in other windows, making any attempt at sandboxing futile. While there are options to do nested X11 such as Xpra or Xephyr, they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland.\nFortunately, common environments such as GNOME, KDE, and the window manager Sway have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in hard maintenance mode. If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager (GDM, SDDM).\nTry not to use desktop environments or window managers that do not have Wayland support such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3.\n","wordCount":"944","inLanguage":"en","datePublished":"0001-01-01T00:00:00Z","dateModified":"0001-01-01T00:00:00Z","author":{"@type":"Person","name":"Tommy"},"mainEntityOfPage":{"@type":"WebPage","@id":"https://privsec.dev/os/choosing-your-desktop-linux-distribution/"},"publisher":{"@type":"Organization","name":"PrivSec.dev","logo":{"@type":"ImageObject","url":"https://privsec.dev/%3Clink%20/%20abs%20url%3E"}}}</script></head><body class=dark id=top><script>localStorage.getItem("pref-theme")==="light"&&document.body.classList.remove("dark")</script><header class=header><nav class=nav><div class=logo><a href=https://privsec.dev accesskey=h title="PrivSec.dev (Alt + H)">PrivSec.dev</a><div class=logo-switches><button id=theme-toggle accesskey=t title="(Alt + T)"><svg id="moon" xmlns="http://www.w3.org/2000/svg" width="24" height="18" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M21 12.79A9 9 0 1111.21 3 7 7 0 0021 12.79z"/></svg><svg id="sun" xmlns="http://www.w3.org/2000/svg" width="24" height="18" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="5"/><line x1="12" y1="1" x2="12" y2="3"/><line x1="12" y1="21" x2="12" y2="23"/><line x1="4.22" y1="4.22" x2="5.64" y2="5.64"/><line x1="18.36" y1="18.36" x2="19.78" y2="19.78"/><line x1="1" y1="12" x2="3" y2="12"/><line x1="21" y1="12" x2="23" y2="12"/><line x1="4.22" y1="19.78" x2="5.64" y2="18.36"/><line x1="18.36" y1="5.64" x2="19.78" y2="4.22"/></svg></button></div></div><ul id=menu><li><a href=https://privsec.dev/knowledge/ title="Knowledge Base"><span>Knowledge Base</span></a></li><li><a href=https://privsec.dev/os/ title="Operating Systems"><span>Operating Systems</span></a></li><li><a href=https://privsec.dev/apps/ title=Applications><span>Applications</span></a></li><li><a href=https://privsec.dev/providers/ title=Providers><span>Providers</span></a></li></ul></nav></header><main class=main><article class=post-single><header class=post-header><div class=breadcrumbs><a href=https://privsec.dev>Home</a> » <a href=https://privsec.dev/os/>Operating Systems</a></div><h1 class=post-title>Choosing Your Desktop Linux Distribution</h1><div class=post-meta>5 min · 944 words · Tommy | <a href=https://github.com/PrivSec-dev/privsec.dev/blob/main/content/os/Choosing%20Your%20Desktop%20Linux%20Distribution.md rel="noopener noreferrer" target=_blank>Suggest Changes</a></div></header><div class=toc><details><summary accesskey=c title="(Alt + C)"><span class=details>Table of Contents</span></summary><div class=inner><ul><li><a href=#release-cycle aria-label="Release cycle">Release cycle</a></li><li><a href=#traditional-and-atomic-updates aria-label="Traditional and Atomic updates">Traditional and Atomic updates</a></li><li><a href=#arch-based-distributions aria-label="Arch-based distributions">Arch-based distributions</a></li><li><a href=#kicksecure aria-label=Kicksecure>Kicksecure</a></li><li><a href=#security-focused-distributions aria-label="“Security-focused” distributions">“Security-focused” distributions</a></li><li><a href=#linux-libre-kernel-and-libre-distributions aria-label="Linux-libre kernel and “Libre” distributions">Linux-libre kernel and “Libre” distributions</a></li><li><a href=#wayland aria-label=Wayland>Wayland</a></li></ul></div></details></div><div class=post-content><p>Not all Linux distributions are created equal. When choosing a Linux distribution, there are several things you need to keep in mind.</p><h3 id=release-cycle>Release cycle<a hidden class=anchor aria-hidden=true href=#release-cycle>#</a></h3><p>You should choose a distribution which stays close to the stable upstream software releases, typically rolling release distributions. This is because frozen release cycle distributions often don’t update package versions and fall behind on security updates.</p><p>For frozen distributions, package maintainers are expected to backport patches to fix vulnerabilities (Debian is one such <a href=https://www.debian.org/security/faq#handling>example</a>) rather than bump the software to the “next version” released by the upstream developer. Some security fixes <a href=https://arxiv.org/abs/2105.14565>do not</a> receive a <a href=https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures>CVE</a> (particularly less popular software) at all and therefore do not make it into the distribution with this patching model. As a result minor security fixes are sometimes held back until the next major release.</p><p>Holding packages back and applying interim patches is generally not a good idea, as it diverges from the way the developer might have intended the software to work. <a href=https://rootco.de/aboutme/>Richard Brown</a> has a presentation about this:</p><div style=position:relative;padding-bottom:56.25%;height:0;overflow:hidden><iframe src=https://www.youtube-nocookie.com/embed/i8c0mg_mS7U style=position:absolute;top:0;left:0;width:100%;height:100%;border:0 allowfullscreen title="YouTube Video"></iframe></div><h3 id=traditional-and-atomic-updates>Traditional and Atomic updates<a hidden class=anchor aria-hidden=true href=#traditional-and-atomic-updates>#</a></h3><p>Traditionally, Linux distributions update by sequentially updating the desired packages. Traditional updates such as those used in Fedora, Arch Linux, and Debian based distributions can be less reliable if an error occurs while updating.</p><p>Atomic updating distributions apply updates in full or not at all. Typically, transactional update systems are also atomic.</p><p>A transactional update system creates a snapshot that is made before and after an update is applied. If an update fails at any time (perhaps due to a power failure), the update can be easily rolled back to a “last known good state."</p><p><a href=https://twitter.com/adsamalik>Adam Šamalík</a> has a presentation with <code>rpm-ostree</code> in action:</p><div style=position:relative;padding-bottom:56.25%;height:0;overflow:hidden><iframe src=https://www.youtube-nocookie.com/embed/-hpV5l-gJnQ style=position:absolute;top:0;left:0;width:100%;height:100%;border:0 allowfullscreen title="YouTube Video"></iframe></div><p>Even if you are worried about the stability of the system because of regularly updated packages (which you shouldn’t), it makes more sense to use a system which you can safely update and rollback instead of an outdated distribution partially made up of unreliable backport packages without an easy to actually roll back in case something goes wrong like Debian.</p><h3 id=arch-based-distributions>Arch-based distributions<a hidden class=anchor aria-hidden=true href=#arch-based-distributions>#</a></h3><p>Acrh Linux has very up to date packages with minimal downstream patching. That being said, Arch based distributions are not recommended for those new to Linux, regardless of the distribution. Arch does not have an distribution update mechanism for the underlying software choices. As a result you have to stay aware with current trends and adopt technologies as they supersede older practices on your own.</p><p>For a secure system, you are also expected to have sufficient Linux knowledge to properly set up security for their system such as adopting a <a href=https://en.wikipedia.org/wiki/Mandatory_access_control>mandatory access control</a> system, setting up <a href=https://en.wikipedia.org/wiki/Loadable_kernel_module#Security>kernel module</a> blacklists, hardening boot parameters, manipulating <a href=https://en.wikipedia.org/wiki/Sysctl>sysctl</a> parameters, and knowing what components they need such as <a href=https://en.wikipedia.org/wiki/Polkit>Polkit</a>.</p><p>If you are experienced with Linux and wish to use an Arch-based distribution, you should use Arch Linux proper, not any of its derivatives. Here are some examples of why that is the case:</p><ul><li><strong>Manjaro</strong>: This distribution holds packages back for 2 weeks to make sure that their own changes do not break, not to make sure that upstream is stable. When AUR packages are used, they are often built against the latest <a href=https://en.wikipedia.org/wiki/Library_(computing)>libraries</a> from Arch’s repositories.</li><li><strong>Garuda</strong>: They use <a href=https://aur.chaotic.cx/>Chaotic-AUR</a> which automatically and blindly compiles packages from the AUR. There is no verification process to make sure that the AUR packages don’t suffer from supply chain attacks.</li></ul><h3 id=kicksecure>Kicksecure<a hidden class=anchor aria-hidden=true href=#kicksecure>#</a></h3><p>While you should not use an outdated distributions like Debian, if you decide to use it, it would be a good idea to <a href=https://www.kicksecure.com/wiki/Debian>convert</a> it into <a href=https://www.kicksecure.com/>Kicksecure</a>. Kicksecure, in oversimplified terms, is a set of scripts, configurations, and packages that substantially reduce the attack surface of Debian. It covers a lot of privacy and hardening recommendations by default.</p><h3 id=security-focused-distributions>“Security-focused” distributions<a hidden class=anchor aria-hidden=true href=#security-focused-distributions>#</a></h3><p>There is often some confusion about “security-focused” distributions and “pentesting” distributions. A quick search for “the most secure Linux distribution” will often give results like Kali Linux, Black Arch and Parrot OS. These distributions are offensive penetration testing distributions that bundle tools for testing other systems. They don’t include any “extra security” or defensive mitigations intended for regular use.</p><h3 id=linux-libre-kernel-and-libre-distributions>Linux-libre kernel and “Libre” distributions<a hidden class=anchor aria-hidden=true href=#linux-libre-kernel-and-libre-distributions>#</a></h3><p><strong>Do not</strong> the Linux-libre kernel, since it <a href="https://www.phoronix.com/scan.php?page=news_item&px=GNU-Linux-Libre-5.7-Released">removes security mitigations</a> and <a href="https://news.ycombinator.com/item?id=29674846">suppresses kernel warnings</a> about vulnerable microcode for ideological reasons.</p><p>If you want to use one of these distributions for reasons other than ideology, you should make sure that they there is a way to easily obtain, install and update a proper kernel and missing firmware. For example, if you are looking to use <a href=https://guix.gnu.org/en/download/>GUIX</a>, you should absolutely use something like the <a href=https://gitlab.com/nonguix/nonguix>Nonguix</a> repository and get all of the fixes as mentioned above.</p><h3 id=wayland>Wayland<a hidden class=anchor aria-hidden=true href=#wayland>#</a></h3><p>You should a desktop environment that supports the <a href=https://en.wikipedia.org/wiki/Wayland_(display_server_protocol)>Wayland</a> display protocol as it developed with security <a href=https://lwn.net/Articles/589147/>in mind</a>. Its predecessor, <a href=https://en.wikipedia.org/wiki/X_Window_System>X11</a>, does not support GUI isolation, allowing all windows to <a href=https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html>record screen, log and inject inputs in other windows</a>, making any attempt at sandboxing futile. While there are options to do nested X11 such as <a href=https://en.wikipedia.org/wiki/Xpra>Xpra</a> or <a href=https://en.wikipedia.org/wiki/Xephyr>Xephyr</a>, they often come with negative performance consequences and are not convenient to set up and are not preferable over Wayland.</p><p>Fortunately, common environments such as <a href=https://www.gnome.org>GNOME</a>, <a href=https://kde.org>KDE</a>, and the window manager <a href=https://swaywm.org>Sway</a> have support for Wayland. Some distributions like Fedora and Tumbleweed use it by default, and some others may do so in the future as X11 is in <a href="https://www.phoronix.com/scan.php?page=news_item&px=X.Org-Maintenance-Mode-Quickly">hard maintenance mode</a>. If you’re using one of those environments it is as easy as selecting the “Wayland” session at the desktop display manager (<a href=https://en.wikipedia.org/wiki/GNOME_Display_Manager>GDM</a>, <a href=https://en.wikipedia.org/wiki/Simple_Desktop_Display_Manager>SDDM</a>).</p><p>Try <strong>not</strong> to use desktop environments or window managers that do not have Wayland support such as Cinnamon (default on Linux Mint), Pantheon (default on Elementary OS), MATE, Xfce, and i3.</p></div><footer class=post-footer><ul class=post-tags><li><a href=https://privsec.dev/tags/operating-system/>operating system</a></li><li><a href=https://privsec.dev/tags/security/>security</a></li><li><a href=https://privsec.dev/tags/linux/>linux</a></li></ul><nav class=paginav><a class=next href=https://privsec.dev/os/docker-and-oci-hardening/><span class=title>Next »</span><br><span>Docker and OCI Hardening</span></a></nav></footer></article></main><footer class=footer><span>© 2022 <a href=https://privsec.dev>PrivSec.dev</a></span>
|
||
<span>Powered by
|
||
<a href=https://gohugo.io/ rel="noopener noreferrer" target=_blank>Hugo</a> &
|
||
<a href=https://github.com/adityatelange/hugo-PaperMod/ rel=noopener target=_blank>PaperMod</a></span></footer><a href=#top aria-label="go to top" title="Go to Top (Alt + G)" class=top-link id=top-link accesskey=g><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 12 6" fill="currentcolor"><path d="M12 6H0l6-6z"/></svg></a><script>let menu=document.getElementById("menu");menu&&(menu.scrollLeft=localStorage.getItem("menu-scroll-position"),menu.onscroll=function(){localStorage.setItem("menu-scroll-position",menu.scrollLeft)}),document.querySelectorAll('a[href^="#"]').forEach(e=>{e.addEventListener("click",function(e){e.preventDefault();var t=this.getAttribute("href").substr(1);window.matchMedia("(prefers-reduced-motion: reduce)").matches?document.querySelector(`[id='${decodeURIComponent(t)}']`).scrollIntoView():document.querySelector(`[id='${decodeURIComponent(t)}']`).scrollIntoView({behavior:"smooth"}),t==="top"?history.replaceState(null,null," "):history.pushState(null,null,`#${t}`)})})</script><script>var mybutton=document.getElementById("top-link");window.onscroll=function(){document.body.scrollTop>800||document.documentElement.scrollTop>800?(mybutton.style.visibility="visible",mybutton.style.opacity="1"):(mybutton.style.visibility="hidden",mybutton.style.opacity="0")}</script><script>document.getElementById("theme-toggle").addEventListener("click",()=>{document.body.className.includes("dark")?(document.body.classList.remove("dark"),localStorage.setItem("pref-theme","light")):(document.body.classList.add("dark"),localStorage.setItem("pref-theme","dark"))})</script><script>document.querySelectorAll("pre > code").forEach(e=>{const n=e.parentNode.parentNode,t=document.createElement("button");t.classList.add("copy-code"),t.innerHTML="copy";function s(){t.innerHTML="copied!",setTimeout(()=>{t.innerHTML="copy"},2e3)}t.addEventListener("click",t=>{if("clipboard"in navigator){navigator.clipboard.writeText(e.textContent),s();return}const n=document.createRange();n.selectNodeContents(e);const o=window.getSelection();o.removeAllRanges(),o.addRange(n);try{document.execCommand("copy"),s()}catch{}o.removeRange(n)}),n.classList.contains("highlight")?n.appendChild(t):n.parentNode.firstChild==n||(e.parentNode.parentNode.parentNode.parentNode.parentNode.nodeName=="TABLE"?e.parentNode.parentNode.parentNode.parentNode.parentNode.appendChild(t):e.parentNode.appendChild(t))})</script></body></html> |