1. Does Silverblue being immutable has an effect on security, or is it more about stability and reliability?

  2. Is it possible to have Nvidia drivers with Secure Boot on Silverblue, and how?

Thanks a lot!

  • Guenther_Amanita@feddit.de
    link
    fedilink
    arrow-up
    3
    ·
    edit-2
    9 months ago

    I read about universal-blue but I am not confident about using it, as it is not official and not made by the Fedora developers, but I am also not sure if that matters much.

    That isn’t an issue at all. You can understand uBlue only as a framework, not distro.
    It’s just a “factory” to create custom downstream images automatically.
    It’s even mentioned (but not endorsed) by the Fedora team officially.

    It’s fully open source and you can view/ modify the changes easily yourself.
    One of the main plus points is that the official Fedora Devs aren’t allowed to ship certain things, like codecs, due to licensing. uBlue isn’t official and thus is allowed to do that.

    uBlue isn’t some obscure fork that gets forgotten after a few months. It builds itself. For example, I know shit about anything and can’t even code. BUT, I’ve made my own uBlue spin, so I’m a distro maintainer so to say, but I never have to do anything.

    Just use that instead, there aren’t any disadvantages (besides some nice to have optional apps, like calculator app, missing). That doesn’t mean vanilla Silverblue isn’t usable by any means of course.

    The security from reproducibility does make sense to me, although what I had in mind was more about the malicious actors not being able to modify the system part.

    You, and malicious actors, can still modify the system a bit and it isn’t bullet proof. No software is.
    You can still execute some scripts/ commands (e.g. rpm-ostree install teamviewer && reboot), give them sudo, and let someone steal your banking data.

    It’s just harder and there are more stepping stones for hackers and co. to archive what they want.
    For example, every deep change in the OS requires a reboot. You can chronologically list what has been changed the last times (just like on git) and revert those changes. And needing to reboot when you installed a free game somewhere is a bit sus.

    You just can’t modify the live system.
    But yeah, it still should be somewhat more secure. As long as you don’t run random shit from the internet (e.g. scripts) without looking first or practice other insecure things, you don’t have to worry much.

    Thanks a lot for the detailed reply! Lemmy seems to be a lot less judgmental and a lot more helpful than Reddit!

    Glad to hear! Did Reddit really go downhill so fast? Oof

    • subsonic_bubbleOP
      link
      fedilink
      arrow-up
      3
      ·
      9 months ago

      That clears up my concerns and questions about both Silverblue and uBlue. Though it sounded convenient for my use case, I avoided uBlue as I thought it was a random fork that might not be reliable in the long term. I will be testing it to see if it works for me or if I can adapt to it. Thanks a lot!

      • ebits21@lemmy.ca
        link
        fedilink
        English
        arrow-up
        2
        ·
        9 months ago

        I use uBlue and have never had an issue.

        The great thing is that you can just rebase back to stock Silverblue at any time if you want to go back.

      • Guenther_Amanita@feddit.de
        link
        fedilink
        arrow-up
        1
        ·
        9 months ago

        As I said, you can’t view the uBlue images as forks per se.
        It’s more the result of a building script saying “Use the original Silverblue image, add this package, remove this package, rebuild” every day.
        So the uBlue images aren’t much older (less then a few hours normally, less then a day on major releases) then the upstream original versions.