1. Does Silverblue being immutable have an effect on security, or is it more about stability and reliability?

  2. Is it possible to have Nvidia drivers with Secure Boot on Silverblue, and how?

Thanks a lot!

  • Guenther_Amanita@feddit.de · 6 upvotes · edited · 11 months ago
    1. Does Silverblue being immutable have an effect on security, or is it more about stability and reliability?

    It should also be more secure. The fact that your install is the same as thousands of others, including the devs’, and that updates get patched as a whole, makes it more secure due to the reproducibility you mentioned. If the devs notice a flaw, it will also be on every other install and fixed immediately.
    In theory, malicious actors also can’t modify the (live) system, but I can’t make a statement about that.

    You can also take a look at SecureBlue if security is very important to you.

    Updates get installed automatically and staged, so you can just boot into a fresh and updated image every day when shutting off the PC before bed without even noticing :)


    2. Is it possible to have Nvidia drivers with Secure Boot on Silverblue, and how?

    Go to universal-blue.org and select your wanted image there. They have an Nvidia image for every variant, where the drivers are already baked into the base image.

    They support Secure Boot, and if the driver breaks, which it shouldn’t, because then thousands of others would break too, you can just select yesterday’s image and don’t have to worry about fixing something. Your OS will always boot and be usable!


    Take a look at my post for further information: https://feddit.de/post/8234416

    • subsonic_bubble (OP) · 1 upvote · 11 months ago

      I read about universal-blue but I am not confident about using it, as it is not official and not made by the Fedora developers, but I am also not sure if that matters much.

      The security from reproducibility does make sense to me, although what I had in mind was more about the malicious actors not being able to modify the system part.

      Thanks a lot for the detailed reply! Lemmy seems to be a lot less judgmental and a lot more helpful than Reddit!

      • Guenther_Amanita@feddit.de · 3 upvotes · edited · 11 months ago

        I read about universal-blue but I am not confident about using it, as it is not official and not made by the Fedora developers, but I am also not sure if that matters much.

        That isn’t an issue at all. You can understand uBlue only as a framework, not a distro.
        It’s just a “factory” to create custom downstream images automatically.
        It’s even mentioned (but not endorsed) by the Fedora team officially.

        It’s fully open source and you can view/modify the changes easily yourself.
        One of the main plus points is that the official Fedora Devs aren’t allowed to ship certain things, like codecs, due to licensing. uBlue isn’t official and thus is allowed to do that.

        uBlue isn’t some obscure fork that gets forgotten after a few months. It builds itself. For example, I know shit about anything and can’t even code. BUT, I’ve made my own uBlue spin, so I’m a distro maintainer so to say, but I never have to do anything.

        Just use that instead, there aren’t any disadvantages (besides some nice-to-have optional apps, like a calculator app, missing). That doesn’t mean vanilla Silverblue isn’t usable by any means of course.

        The security from reproducibility does make sense to me, although what I had in mind was more about the malicious actors not being able to modify the system part.

        You, and malicious actors, can still modify the system a bit and it isn’t bullet proof. No software is.
        You can still execute some scripts/commands (e.g. rpm-ostree install teamviewer && reboot), give them sudo, and let someone steal your banking data.

        It’s just harder and there are more stepping stones for hackers and co. to achieve what they want.
        For example, every deep change in the OS requires a reboot. You can chronologically list what has been changed the last times (just like on git) and revert those changes. And needing to reboot when you installed a free game somewhere is a bit sus.

        You just can’t modify the live system.
        But yeah, it still should be somewhat more secure. As long as you don’t run random shit from the internet (e.g. scripts) without looking first or practice other insecure things, you don’t have to worry much.

        Thanks a lot for the detailed reply! Lemmy seems to be a lot less judgmental and a lot more helpful than Reddit!

        Glad to hear! Did Reddit really go downhill so fast? Oof
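
As an added example (not from this thread and not part of rpm-ostree or uBlue), a small Python audit over the output of `rpm-ostree status --json`, which lists deployments chronologically the way Guenther describes: it flags layered packages you did not expect (the `rpm-ostree install teamviewer` case), points out a deployment staged for the next reboot, and names the older image you can boot back into. The sample JSON is constructed, and its field names are an assumption about rpm-ostree's output format.

```python
"""Audit `rpm-ostree status --json`: layered packages, pending deployments, rollback."""
import json
import subprocess
from typing import Any, Optional

# Constructed sample shaped like `rpm-ostree status --json` (field names are an
# assumption drawn from rpm-ostree; compare with the JSON on your own machine).
# Deployments are listed in boot order: staged first, then booted, then older ones.
SAMPLE_STATUS = json.dumps({"deployments": [
    {"origin": "fedora:fedora/39/x86_64/silverblue", "version": "39.20231202.0",
     "checksum": "constructed-commit-3", "booted": False, "staged": True,
     "pinned": False, "unlocked": "none", "packages": ["teamviewer"]},
    {"origin": "fedora:fedora/39/x86_64/silverblue", "version": "39.20231201.0",
     "checksum": "constructed-commit-2", "booted": True, "staged": False,
     "pinned": False, "unlocked": "none", "packages": []},
    {"origin": "fedora:fedora/39/x86_64/silverblue", "version": "39.20231130.0",
     "checksum": "constructed-commit-1", "booted": False, "staged": False,
     "pinned": False, "unlocked": "none", "packages": []},
]})

def load_status(raw: Optional[str] = None) -> dict[str, Any]:
    """Parse status JSON; with raw=None, query the running system instead."""
    if raw is None:
        raw = subprocess.check_output(["rpm-ostree", "status", "--json"], text=True)
    return json.loads(raw)

def audit_deployments(status: dict[str, Any], allowed_layered: set[str]) -> list[str]:
    """Report layered packages outside the allow-list, deployments staged for the
    next reboot, and any deployment whose /usr overlay has been unlocked."""
    findings: list[str] = []
    for dep in status.get("deployments", []):
        state = "booted" if dep.get("booted") else "staged" if dep.get("staged") else "rollback"
        label = f"{dep.get('version')} [{state}]"
        unexpected = sorted(set(dep.get("packages", [])) - allowed_layered)
        if unexpected:
            findings.append(f"{label}: unexpected layered packages {unexpected}")
        if dep.get("staged"):
            findings.append(f"{label}: pending deployment, review it before rebooting")
        if dep.get("unlocked", "none") != "none":
            findings.append(f"{label}: /usr overlay unlocked ({dep['unlocked']})")
    return findings

def rollback_version(status: dict[str, Any]) -> Optional[str]:
    """Version listed right after the booted deployment: the older image you can
    boot back into (the 'yesterday's image' from the thread) if the newest misbehaves."""
    deps = status.get("deployments", [])
    for i, dep in enumerate(deps):
        if dep.get("booted") and i + 1 < len(deps):
            return deps[i + 1].get("version")
    return None
```

Run `audit_deployments(load_status(), {"your", "expected", "layers"})` on a real machine to compare what is actually layered against what you meant to layer; an empty result means nothing unexpected is pending.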

        • subsonic_bubble (OP) · 3 upvotes · 11 months ago

          That clears up my concerns and questions about both Silverblue and uBlue. Though it sounded convenient for my use case, I avoided uBlue as I thought it was a random fork that might not be reliable in the long term. I will be testing it to see if it works for me or if I can adapt to it. Thanks a lot!

          • ebits21@lemmy.ca · 2 upvotes · 11 months ago

            I use uBlue and have never had an issue.

            The great thing is that you can just rebase back to stock Silverblue at any time if you want to go back.

          • Guenther_Amanita@feddit.de · 1 upvote · 11 months ago

            As I said, you can’t view the uBlue images as forks per se.
            It’s more the result of a building script saying “Use the original Silverblue image, add this package, remove this package, rebuild” every day.
            So the uBlue images aren’t much older (less than a few hours normally, less than a day on major releases) than the upstream original versions.