jamesbunagna

Is this a good list?

The link definitely provides some good info. It's better than nothing. However, it may or may not fall short based on how secure you'd like to make your system.

Anything else I should do to secure a Mint install?

What is it you're trying to protect and from whom? Whenever the topic of security comes up, one simply can't engage meaningfully without mentioning a threat model.

In this case, I'll assume you're just your average Joe. And, depending on how you engage with your system, Linux Mint might be fit from the get-go. However, if you actively engage in downloading random jank from the internet and have 'survived' with the help of Microsoft Defender Antivirus, then you should know that a safety net as such doesn't exist over on this side. Sure, security through obscurity might save your ass a couple of times. But it's inevitably a losing battle.

So, without knowing your threat model, note the following important advice that the article somehow hasn't touched upon:

• Know that you, the user, are the largest attack surface. Even if some distros like Fedora and openSUSE (with the latter AFAIK scoring the best^[1]^ according to Lynis) actually put in great work to offer pretty secure systems, they absolutely won't be able to protect you against yourself.

1. It's important to mention that this excludes security-first distros like Kicksecure and secureblue. Nor is Qubes OS considered as it's technically not even a Linux distro. Other distros like Tails or Whonix are also not considered as they're not meant to be used as daily drivers and/or for general use.

Lots of good answers already, but a hidden gem has yet to be mentioned: Endless OS. TL;DR: it's an immutable distro based on Debian. As for the home directory, please consider one of the many solutions provided by others in this thread. Good luck!

Yes and no.

Has it got its own set of rules you'd have to learn and thus an accompanying learning ~~curve~~ bump? Sure. Which, in actuality is mostly just knowing that Flatseal is your go-to whenever a flatpak causes issues.

Is it a surefire method after you've become accustomed with it? Absolutely. All kinds of jankiness can prevent any piece of software from working on your system. With Flatpak, especially on distros that enable it by default, you at least know that your system isn't the culprit.

Besides, Flatpak is enabled by default on Linux Mint. The PCSX2 flatpak is even verified. So no additional setting up or whatsoever is required.

What makes you weary besides what's already stated above?

Unfortunately, I don't know either. From my understanding, X11 as a whole is supported. Therefore, you should be able to hack your way through this. I suppose the installation instructions for Ubuntu should closely align to what's required for Debian. So that's your starting point.

what does the community think of it?

It's important to note how the Linux community interacts with change. In the past, whenever a change has been significant enough to influence individual workflows, it often provoked strong reactions. This was evident when systemd was introduced and adopted by distros like Arch and Debian. Even though systemd was arguably superior in essential aspects for most users, it failed to meet the needs of at least a vocal minority. Consequently, community endeavors were set up to enable the use of Debian or Arch without systemd.

Similarly, the introduction of immutable distributions seems to upset some people, though (at least to me) it's unjustified. Immutable distributions don't necessarily alter the traditional model. For instance, the existence of Fedora Silverblue doesn't impose changes on traditional Fedora; let alone Arch or Debian.

But, overall, most Linux users aren't bothered by it. Though, they often don't see a use for themselves. Personally, I attribute this at least in part to existing misconceptions and misinformation on the subject matter. Though, still, a minority^[1]^ (at best ~10%) actually prefers and uses 'immutable' distros.

Do the downsides outweigh the benefits or vice versa?

Depends entirely on what you want out of your system. For me, they absolutely do. But it's important to note that the most important thing they impose on the user is the paradigm shift that comes with going 'immutable'. And this is actually what traditional Linux users are most bothered by. But if you're unfamiliar with Linux conventions, then you probably won't even notice.

As a side note, it's perhaps important to note that the similarities between traditional distros are greater than the similarities between immutable distros. Also, Fedora Atomic is much more like traditional Fedora than it is similar to, say, openSUSE Aeon or Vanilla OS. Grouping them together as if they are a cohesive group with very similar attributes is misleading. Of course, they share a few traits, but overall, the differences are far more pronounced.

Therefore, it is a false dichotomy to simply label them as traditional distros versus immutable distros. Beyond these names, which we have assigned to them, these labels don't actually adequately explain how these systems work, how they interact, how their immutability is achieved (if at all), what underlying technologies they use, or how they manage user interactions. The implications of the above. Etc.

Could this help Linux reach more mainstream audiences?

The success of the Steam Deck and its SteamOS are the most striking and clear proof of this. So, yes. Absolutely.

1. Not accounting SteamOS users.

Nixos tends to lean on the term reproducible instead of immutable, because you can have settings (e.g files in /etc & ~/.config) changed outside of nix's purview, it just won't be reproducible and may be overwritten by nix.

Interesting. If possible, could you more explicitly draw comparisons on how this isn't quite the same over on say Fedora Atomic? Like, sure changes of /etc are (at least by default) being kept track of. But you indeed can change it. libostree doesn't even care what you do in your home folder. Thus, changes to e.g. ~/.config (and everything else in /var^[1]^) are kept nowhere else by default.

1. Which happens to be more crowded than on other distros as folders like /opt are actually found here as well.

In your opinion, when can we refer to a distro as being immutable? How do you regard the likes of Fedora Atomic, openSUSE Aeon or Vanilla OS? Are any of these immutable in your opinion?

Thank you for chiming in and providing your thoughts!

While we're at it, I absolutely appreciate your work. Wonderful stuff! Thank you from the bottom of my heart!

UKI is something we very much want to do in the future, but it’s a long-term goal

That's lovely to hear!

As far as replacing the init system, I think even in traditional Fedora that would be extremely challenging, but it could probably be done as a custom image.

Aight. I'll change the list then. Thank you for enlightening me on this. The feasibility as a custom image is really encouraging; perhaps I'll give it a go 😜.

Bazzite seemed much closer to being truely immutable

If you meant that it's even harder to tinker/change/configure etc compared to SteamOS, then I'd like to inform you that this is false. Fedora Atomic, and thus Bazzite, facilitates quite a lot actually. Of course, it's not as moldable as say Arch or Gentoo. To illustrate this, I won't bother you with all the things it can do. Because that would take a while. Instead, I'll only focus on the things it actually can not do. On the top of my head, the following comes to mind:

• ~~Rip systemd out and replace it with another init, but I'm unaware if traditional Fedora even facilitates this to begin with.~~ Bazzite's founder came by and corrected me on this. Even this is probably possible as a custom image.
• UKI
• Setup systemd-boot (or any other bootloader) instead of GRUB
• Kmods can be hit or miss; what's found here is accessible. What remains can be very finicky.
• 3rd party repositories can be hit or miss; for example, both Terra and Tailscale work, but e.g. ProtonVPN may not.

Thanks for the nice chitchat! Have a nice day!

Intially looked at Bazzite, which seemed great other than I wasn’t a fan of it immutability, I’ve had to remove the read-only property from my steam deck a few times.

Fwiw, Bazzite handles its 'immutability' vastly different.

Since you seem to know a lot about it let me ask you a couple of things:

😅. I'll try my best 😜.

Bazzite is immutable, right? I’m sure I saw that somewhere and Fedora Atomic is also immutable IIRC

It is correct that the contents of / is immutable at runtime aside from /var and /etc. However, note that a lot of folders like /home and /opt are actually found in /var in response. This is later 'fixed' with symlinks and whatnot. In effect, only the contents of /usr (aside from /usr/share) is off-limits (or 'actual'^[1]^ immutable).

How does the config changes not get overwritten?

I believe my previous paragraph already answers this. But, to be even more elaborate, Fedora Atomic makes use of libostree (read: git for your OS). With this, only the pristine images are 'swapped' in-between updates (or rebases^[2]^). Your changes to the system are found in /var, /etc and in so-called 'layers' only and are not swapped out. Some of these changes are kept track of^[3]^, but most of them reside in /var and will not be touched by libostree.

The whole point of an immutable distro is to prevent changes to files to ensure things keep working

Kinda. The important part is that changes are prevented for the sake of a functioning system. But the entire system doesn't have to be locked down in order to achieve this. This does mean that it's actually not that hard to break your system. Just rm -rf /etc and your system will probably fail to boot into the very next deployment. But, as Fedora Atomic keeps at least two deployments, you will still be able to access the previous deployment in which you tried to delete /etc. So you're protected from accidental mishaps as long as you've got at least one working deployment. Thankfully, you can even pin working deployments with the ostree admin pin command. And..., just like that, the distro has basically become dummy-proof. I'm sure it's still possible to break the system, but you'd actually have to try 😉.

So, in short, Fedora Atomic definitely intends to be a more robust system and succeeds. But, it does so while giving the user agency (and some responsibility).

How are packages installed?

I think everything of importance is mentioned in the docs. What is it exactly you want to know?

The docs you sent recommend flatpak, which while very good in theory still has a small fleet of apps available.

But that's just the first of seven "package formats" listed in the docs 😜. The other six will assure that your remaining needs are fulfilled.

Also they suggest using distrobox among other things, that’s definitely not beginner friendly, although an interesting concept for an advanced user to have your main machine be an immutable host to any system you want.

This is obviously anecdotal, but Fedora Silverblue was the first distro that I used. I was a complete Linux newb. My coding background was also just a Python-course on Uni. But, somehow, in the very newbie-hostile environment back then (read: April 2022), I managed with Toolbx. So..., yeah..., I can't relate. Sorry*. You might be absolutely correct. But, as I said, I don't recognize this from my own experience. I wish I had a video-tutorial back then, though. Honestly, with the amount of hand-holding Bazzite and its docs provide, I believe a newbie should be absolutely fine.

1. It is even possible to overwrite this. Both in containerfile (requires creating own image) and on device (very hacky, not recommended).

2. Rebasing is the process by which a different image is selected to boot and run your system from. For example, with this, one can switch from Silverblue (GNOME) to Kinoite (KDE) without reinstallation. This can even be used to switch from a Fedora image to a Aurora/Bazzite/Bluefin/secureblue image.

3. These include the software you've installed through rpm-ostree (or soon dnf). We call these layered packages, based on the analogy that the packages aren't part of the image but are magically tacked on without you noticing anything finicky. It's quite magical. Besides that, any and all changes made to /etc are also kept track of. The former you can see by invoking rpm-ostree status, the latter by invoking ostree admin config-diff.