I occasionally see love for niche small distros, instead of the major ones…
And it just seems to me like there’s more hurdles than help when it comes to adopting an OS whose users number in the hundreds or dozens. I can understand trying one for fun in a VM, but I prefer sticking to the bigger distros for my daily drivers since the they’ll support more software and not be reliant on upstream sources, and any bugs or other issues are more likely to be documented abd have workarounds/fixes.
So: What distro do you daily drive and why? What drove you to choose it?
I really like immutable distros, and am currently using NixOS. I feel like despite still being relatively obscure, NixOS is a bit of an outlier since it has more packages than any other distro and is (so far) the only distro I’ve used that has never broken. There is a steep learning curve, and I certainly wouldn’t recommend it for non programmers, but it is something truly different than all mainstream Linux distros while being extremely reliable.
Repology artificially reduces the number of packages instead of reporting the actual number. Which I find highly dubious because most packages have a purpose. In particular for repositories like the AUR artificially eliminating packages goes against everything it stands for. Yes it’s supposed to have alternative versions of something, that’s the whole point.
If there wasn’t for this the ranking would be very different. Debian for example maintains over 200k packages in unstable.
Just saying, I’ve never had a virus with Temple OS.
Because I’m a software luddite that believe we peaked in design at BSD/Plan9, and most of the “innovations” of enshittified corporate mainstream distros (redhat userland, atomic/immutable environments, “universal” (unless you’re not on linux) package management, containerization of anything and everything) don’t impress me, and more often than not turn me away. I’m not saying software can’t improve, but when it comes to mainstream linux (especially redhat), innovation is always 0 steps forward 40 convoluted leaps back with bonus windows compatibility.
reliant on upstream sources
Not relevant to independent distributions, which I’d actually consider more of a problem with popular distros very often being forks (most often of debian).
I use guix because, while it has a small community, the packaging language is one of the easiest I’ve ever used.
Every distro I’ve tried I’ve always run into having to wait on packages or support from someone else. The package transformation scheme like what nixos has is great but Nixlang sucks ass. Being able to do all that in lisp is much preferred.
Plus I like shepherd much more than any of the other process 0’s
As a nix user, guix looks legit nice but it took me until 2 days ago to actually find community projects made for guix(https://whereis.みんな/) . Sometimes I just wish they used the same store and daemon as nix so that nix packages can work as guix dependencies and vice versa.
(Also major thing stopping me from using guix is I don’t get service types at all, let alone how you’d define your own service :( )
You can use nix alongside guix, it’ll just double-up the dependencies on disk:
services (append (list (service nix-service-type))
%base-services)))
Services are, in guix terms, any configuration change to a computer, so creating your own service 99% of the time is just extending etc-service-type and creating a variable interface to fill in the config file text yourself
Creating a service as in a daemon of some kind uses shepherd and involves extending shepherd-service-type or home-shepherd-service-type with your service description, depending on whether the service runs in root or user space.
Shepherd service configurations aren’t actually part of the guix spec(https://www.gnu.org/software/shepherd/manual/shepherd.html#Defining-Services), but still use Guile, so you can interoperate them super easily.
It’s important in guix to understand lisp pretty thoroughly, and knowing how to program lisp is still a very useful skill to have so I’d recommend learning it even if you never touch guix.
I daily drive secureblue; or, to be more precise, its bluefin-main-userns-hardened image.
“Why?”, you ask. Because security is my number one priority.
I dismiss other often mentioned hardened systems for the following reasons:
- Qubes OS; my laptop doesn’t satisfy its hardware requirements. Otherwise, this would have been my daily driver.
- Kicksecure; primary reason would be how it’s dependent on backports for security updates.
- Tails; while excellent for protection against forensics, its security model is far from impressive otherwise. It’s not really meant as a daily driver for general use anyways.
- Spectrum OS; heavily inspired by Qubes OS and NixOS, which is a big W. Unfortunately, it’s not ready yet.
I would be really interested in a comparison of Kicksecure and secureblue. I’m interested in running one of them myself
Please allow me to link to an earlier comment of mine that goes over this in more length. You may also find it copied-and-pasted down below:
First of all, apologies for delaying this answer.
Disclaimer:
- I’m not an expert. While I try to verify information and only accept it accordingly, I’m still human. Thus, some falsehoods may have slipped through, my memory may have failed me, and/or what’s found below could be based on outdated data.
- Additionally, I should note that I’m a huge nerd when it comes to ‘immutable’ distros. As a result, I’m very much biased towards secureblue, even if Kicksecure were to address all of their ‘issues’.
- Furthermore, for the sake of brevity, I’ve chosen to stick closely to the OOTB experience. At times, I may have diverged with Qubes OS, but Qubes OS is so far ahead of the others that it’s in a league of its own.
- Finally, it’s important to mention that -ultimately- these three systems are Linux’ finest when it comes to security. In a sense, they’re all winners, each with its use cases based on hardware specifications, threat models, and priorities. However, if forced to rank them, I would order them as:
Qubes OS >> secureblue >~ Kicksecure
Context: Answering this question puts me in a genuinely conflicted position 😅. I have immense respect for the Kicksecure project, its maintainers and/or developers. Their contributions have been invaluable, inspiring many others to pursue similar goals. Unsurprisingly, some of their work is also found in secureblue. So, to me, it feels unappreciative and/or ungrateful to criticize them beyond what I’ve already done. However, I will honor your request for the sake of providing a comprehensive and balanced perspective on the project’s current state and potential areas for improvement.
Considerations: It’s important to approach this critique with nuance. Kicksecure has been around for over a decade, and their initial decisions likely made the most sense when they started. However, the Linux ecosystem has changed dramatically over the last few years, causing some of their choices to age less gracefully. Unfortunately, like most similar projects, there’s insufficient manpower to retroactively redo some of their earlier work. Consequently, many current decisions might be made for pragmatic rather than idealistic reasons. Note that the criticisms raised below lean more towards the idealistic side. If resources allowed, I wouldn’t be surprised if the team would love to address these issues. Finally, it’s worth noting that the project has sound justifications for their decisions. It’s simply not all black and white.
With that out of the way, here’s my additional criticism along with comparisons to Qubes OS and secureblue:
- Late adoption of beneficial security technologies:
Being tied to Debian, while sensible in 2012, now presents a major handicap. Kicksecure is often late to adopt new technologies beneficial for security, such as PipeWire and Wayland. While well-tested products are preferred for security-sensitive systems, PulseAudio and X11 have significant exploits that are absent from PipeWire and Wayland by design. In this case, preferring the known threat over the unproven one is questionable.
- Qubes OS: Its superior security model makes direct comparisons difficult. However, FWIW, Qubes OS defaults for its VMs to Debian and Fedora. The latter of which is known to push new technologies and adopt them first.
- secureblue: Based on Fedora Atomic, therefore it also receives these new technologies first.
- Lack of progress towards a stateless[1] system:
Stateless systems improve security by reducing the attack surface and making the system more predictable and easier to verify. They minimize persistent changes, impeding malware’s ability to maintain a foothold and simplifying system recovery after potential compromises. While this is still relatively unexplored territory, NixOS’s impermanence module is a prominent example.
- Qubes OS: There’s a community-driven step-by-step guide for achieving this.
- secureblue: Based on Fedora Atomic, which has prioritized combating state since its inception[2]. Its immutable design inherently constrains state compared to traditional distros, with ongoing development promising further improvements.
- Deprecation of hardened_malloc:
This security feature, found in GrapheneOS, was long championed by Kicksecure for Linux on desktop. However, they’ve recently chosen to deprecate it.
- Qubes OS: Supports VMs with hardened_malloc enabled OOTB, for which Kicksecure used to be a great candidate.
- secureblue: Continues to support hardened_malloc and has innovatively extended its use to flatpaks.
- This paper provides a comprehensive (albeit slightly outdated) exposition on the matter. Note that it covers more than just this topic, so focus on the relevant parts.
- Colin Walters, a key figure behind Fedora CoreOS and Fedora Atomic, has written an excellent blog post discussing ‘state’.
I have definitely read this answer before. I think we’ve probably already spoken on the matter. Indeed, Lemmy has a serious dearth of users interested and using secure distros over the averages. Thanks for your efforts; I do not know how to follow users on Lemmy but if I did I’d follow you. Do you have a blog/any other forum you’re more active on?
Personally, I find it difficult to justify the time to learn Secureblue (especially the immutable part) or NixOS on Qubes because custom DispVMs with curated salt states work so well already. I’m interested in use-cases that will improve my security but I haven’t found any dialogue on this yet. If you do have opinions on this and know where I can look, I would greatly appreciate it!
