I have been tossing around the idea of a little distro hopping. I’m an avid Mint fan. It was my first jump from Windows. I became quite familiar with Mint but felt the want to branch out and went down the rabbit hole (oh my lanta). I like stability and cleanliness. Security by default. Least mental load possible long-term.

I’m currently testing out NixOS. Next will be Vanilla OS, 3rd will be Fedora Silverblue. Anyone have good recommendations? Easy backups, stability, security-first posture, least maintenance and memory load. I hate getting scattered in symlinks, scripts, and filesystem placing.

I’ve tried going full custom Linux Mint. But AppArmor and Firejail constantly conflict or require manual updating and tweaking to keep up to date with app installs, or general life cycle updates.

The most intriguing aspect of NixOS was that basically the entire configurable system was confined to two files. Infinitely reproducible. I tend to swap laptops or hardware relatively often, being on the go or getting good tech deals. Having your entire system in two files essentially is awesome.

What are some pros and cons of different distros? What do you daily drive as a power user? Give me your thoughts and recommendations! Thanks.

  • fool@lemmy.dbzer0.com
    10 hours ago

    It depends on what you mean by “secure”. I’m going to assume that your threat model is “I want to minimize the damage caused by any generic malware”. If you would like tips on some other threat model, I would be happy to assist you.

    Generally, I would recommend Fedora secureblue or Silverblue. It works very well “out of the box”, doesn’t require much maintenance, and it has relatively good security defaults.

    I wouldn’t call NixOS inherently “secure”, because it doesn’t have nearly as many security benefits compared to more security-focused distros. Immutability doesn’t really help much in this context because all it’s doing is making your root read-only. In most cases, an attacker getting access to your home directory is just as bad as them having root access. Security aside, if NixOS suits your other needs then I encourage you to keep using it.

    Qubes is probably overkill. I would only recommend using it if your threat model depends on it. It offers very good sandboxing/compartmentalization, but it can be tricky to use and is resource-intensive. Personally, I don’t think it has the best “out of the box experience” and most of its benefits can be replicated (with much effort) on a distro like Gentoo or Arch.

    Gentoo and Arch have the highest potential to become the “most secure” because they are the most customizable, but they require a lot more maintenance since you essentially have to learn how to build your system from the ground up.

    In the end, I don’t think the distro matters too much because as long as you can tweak the distro to fit your needs (or threat model), you will eventually end up with your own perfect mix of usability and security. You can start hardening your system by: configuring the firewall (I recommend ufw), proper sandboxing (I recommend using Flatpaks or writing your own bubblewrap scripts), and maybe running untrusted processes in a virtual machine (I recommend QEMU/virt-manager). For more advanced security, I would highly recommend looking into Mandatory Access Control (Fedora enables SELinux by default but you can tailor the reference policy to be VERY strict).

    Once again, if you have anything more specific in mind in regards to security, I’ll be happy to elaborate :D
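
Added example, not part of the thread: one shape a bubblewrap wrapper script of the kind the comment above recommends can take, addressing its point that exposure of the home directory matters as much as root. The names `sandbox`, `SANDBOX_ROOT` and `SANDBOX_DRY_RUN` are hypothetical; it assumes `bwrap` is installed and a merged-/usr distro.

```shell
#!/bin/sh
# Added example: run a program under bubblewrap (bwrap) with a read-only
# system view and a private per-app home instead of the real $HOME.
# Assumption: merged-/usr layout (/bin, /lib, /lib64 are links into /usr).
# sandbox, SANDBOX_ROOT and SANDBOX_DRY_RUN are hypothetical names.

SANDBOX_ROOT="${SANDBOX_ROOT:-${HOME}/.local/share/sandbox-homes}"

# sandbox APP NET PROGRAM [ARGS...]
#   APP  names the private home directory kept under $SANDBOX_ROOT
#   NET  is "net" to keep network access; any other value cuts it off
# With SANDBOX_DRY_RUN=1 the bwrap arguments are printed, one word per
# line, instead of being executed, so the policy can be reviewed first.
sandbox() {
    if [ "$#" -lt 3 ]; then
        echo "usage: sandbox APP net|nonet PROGRAM [ARGS...]" >&2
        return 2
    fi
    app=$1 net=$2
    shift 2
    # Refuse names that could escape $SANDBOX_ROOT.
    case $app in
        ''|*/*|.|..) echo "sandbox: bad app name: $app" >&2; return 2 ;;
    esac
    app_home="$SANDBOX_ROOT/$app"

    # --unshare-all drops the network namespace too; re-share on request.
    if [ "$net" = net ]; then
        set -- --share-net "$@"
    fi
    # /usr and /etc are visible but read-only; /tmp is a fresh tmpfs; the
    # only writable host path is the per-app directory mounted as $HOME.
    set -- \
        --unshare-all --die-with-parent --new-session \
        --ro-bind /usr /usr \
        --symlink usr/bin /bin --symlink usr/lib /lib --symlink usr/lib64 /lib64 \
        --ro-bind /etc /etc \
        --proc /proc --dev /dev --tmpfs /tmp \
        --bind "$app_home" "$HOME" --chdir "$HOME" \
        "$@"

    if [ "${SANDBOX_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"
        return 0
    fi
    mkdir -p "$app_home" && chmod 700 "$app_home" || return 1
    bwrap "$@"
}
```

Graphical programs need further binds (for example the Wayland or X11 socket), which this example leaves out on purpose so the baseline stays minimal.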