So, I’m currently on Kubuntu and I’m not really a fan. I want to take the opportunity to switch to a better distro. Ideally I’d use secureblue but I’m hoping for advice on how practical it is as a daily driver from the people who’ve used it.
My priorities are:
- Using Linux.
- Using Firefox.
- Security, within reason.
- Using software which treats security with the importance it warrants (If desktop Linux should improve in one area in 2026, it’s security).
My options are:
- Fedora Kinoite
- Fedora KDE with some hardening
- Secureblue
My needs are:
- Browsers: Firefox, Mullvad Browser, a Blink-based browser (backup).
- Extensions: Ublock Origin (Lite or otherwise), Noscript, Proton Pass
- Apps: Freetube, Anki, Discord, Threema, Libreoffice, Mullvad VPN, Kwrite, Kolourpaint
- Sound: Bluetooth headphones, Sound, Printing (Optional)
I’ve stopped using themes, partly because of the security issues and partly because I just don’t really like them anymore. I’ve replaced them with the Plastic window decorations that come default on Kubuntu and a custom colour scheme.
On Firefox:
- I need Firefox because it allows me to create duplicate bookmarks with ease. I manage a lot of things via bookmarks and sometimes they overlap.
- Secureblue has been incompatible with Firefox in the past, but IIRC Firefox recently added support for hardened_malloc. I can’t find where I read this though.
- In terms of the security issues with Firefox, I’ve installed Noscript to prevent untrusted sites from running javascript (especially Wasm). I can swap to a blink-based browser where it requires trusting too many sites.
- Proton Pass … I don’t log directly into it on my computer (only on GrapheneOS) and I don’t have my 2FA keys stored on it. I need it for a Passkey because neither Linux nor GrapheneOS support them natively and my government services’ 2FA codes requires it’s own app which requires the Play Integrity API (bloody Australia). My government services are a very high value target (because Australia).
- I wonder if I really need hardened_malloc in the first place, since with the state of Linux security I’m not sure there’s a reason someone would use a memory vulnerability unless I’m being targeted personally (and nobody’s gonna do that for me).
Security goals:
- I want to make sure the software I install don’t have access to anything they don’t need to.
- I want to make sure that any website I visit won’t be able to access my file system.
- I want to make sure that my browser extensions won’t be able to access my file system.
- I want to use a distro that’s somewhat resilient against supply chain attacks.
- Proximity to upstream for timely security patches.
You must log in or # to comment.
I’ve had a bad experience with Flatpak-first distros. Partly because i’ve run them from USB* and have slow internet here, running on a 2018er laptop, partly the duplicated/more complex tooling (especially Silverblue). And don’t even start trying to remove preinstalled apps or roll your own image. In short, customization and performance are severely limited.
* Especially Bottles gets outright unusable as a Flatpak running from a USB SSD.
The sandboxed nature of them can be a hindrance when doing software development.
Yeah I find a base install of Arch+KDE works well for me, for Dev, Gaming and General Web. I tried Bazzite on my laptop, but found similar things as others have pointed out regarding flatpack-first distros 😮💨
I’ve never used a Flatpak-first distro, but customization and performance are not high on my priorities.
There’s also Windows then. Although, no; that has a hostile stance to it’s users.
You can try secureblue and if it does not fit your use cases try Fedora and tinker a bit with bubblejail and other hardening yourself, with that you will learn a lot which is even more valuable than just using a secure os. As far as I know Fedora uses SELinux already which is pretty good.
If you depend on a secureos to protect your life/assets against threat actors like states or any other organisation with massive amount of people and or time/money then the answere will be very complicated and I would suggest talking with a professional consultant because the correct answere can very on many little factors. SecureBlue or QubesOS are fine, no PC and only GrapheneOS even better.
If you depend on a secureos to protect your identity against threat actors like states… …the answere will be completly different since privacy and security can be complimentary goals. TailsOS is suitable in this case.
Basically what I’ve learnt with this thread is the same thing anyone learns when asking which distro to pick, “it doesn’t matter, just pick one”.
It does not matter in the sense of distro hopping because most people are hopping without a goal, or if they have a goal the goal is possible with the current solution too.
But in this case its different. You have a goal and security has its requirements. If you want to protect against supply chain attacks, using Arch Linux would be a risk for example.
It always depends. Your goal is security and you found out about secureblue. Alone with that you are far ahead of elses people who only hop distros for no reason.
Yeah, I mean - Try SB and if it doesn’t end up meeting your needs, backup /home and reinstall 😊
secureblue is pretty good, fully recommend. immutables take a lot of the effort out of things
Secureblue isn’t immutable though.
It’s not atomic or cloud native either if you want to be strict with definitions.
yeah i know all the semantics around this. it is nice though.
I’ve been on secureblue for months. It has it’s quirks but I don’t see anything in your post that would be a problem. You can turn off hardened-malloc on a case by case basis if needed, and this is especially easy for Flatpaks.
I recommend Secureblue.
To install Firefox on Secureblue, run
rpm-ostree install firefoxTo install Mullvad VPN, runujust install-vpn, select Mullvad, wait for it to complete, and runrpm-ostree install mullvad-browserFor browsers, you obviously are going to install Mullvad and Firefox, but no need to install a Blink-based browser because it comes with Trivalent (significantly security hardened Chromium). Since Trivalent only supports MV3 you will need uBl Lite and NoScript supports MV3.
I recommend sandboxing your browsers (except Trivalent) using Bubblejail. For Mullvad/Firefox, create a Bubblejail instance using the config app, create a profile, give it access to Wayland, PulseAudio (sound), Pipewire (screenshare), and use slirp4netns, then run
bubblejail generate-desktop-entry INSTANCE_NAME --desktop-entry /usr/share/applications/INSTANCE_NAME.desktop. I recommend adding access to ~/Downloads for the browsers.Consult the FAQ for more tips/tricks and security toggles. Also use the
ujustcommand line utility to configure the system.I’m gonna have to try secureblue and only switch when I find something that doesn’t work. I’m not entirely sure that Firefox works at present.
Trivalent doesn’t support extensions https://secureblue.dev/faq#trivalent-extensions but I only need those extensions on Firefox. My backup browser is mostly for sites that involve online purchases as it’s too much of a hassle with noscript.
Other than that thank you for your advice.
To use Firefox, you need to use
ujust with-standard-malloc firefox(or something like that). It also needs user namespaces (same with Mullvad VPN/Browser), runujust set-unconfined-userns onFollow these steps to make Firefox run with standard malloc:
For Firefox with no sandboxing …
cp /usr/share/applications/firefox.desktop ~/.local/share/applications/firefox.desktop- Edit the newly created file so any line that starts with
Exec=firefoxtoExec=ujust with-standard-malloc firefox
For Firefox with Bubblejail, assuming you have already created a profile named Firefox and generated the desktop entry. Edit the file
~/.local/share/bubblejail/instances/Firefox/services.tomland add the following snippet:[debug] raw_bwrap_args = [ "--ro-bind", "/dev/null", "/etc/ld.so.preload", ]I was under the impression that a recent Firefox update means it supports hardened_malloc. I haven’t been able to find a clear answer on this though since it’s kind of a fringe issue. Am I to take this to mean it doesn’t? I’m not too keen on running Firefox using the jemalloc.
If I’m using Secureblue I presume there is automatic configuration of the bubblejail if I install it as a Flatpak.
Dont install browsers as Flatpaks, very bad for security. Flatpaks use Bubblewrap, but that isnt the reason they degrade browser security. Bubblejail is an app that makes sandboxing with Bubblewrap easy and didn’t integer with the browser’s own sandbox (unlike Flatpak). I don’t know if Firefox supports hardened_malloc now.
I did some research and I see what you mean. Apparently using the Flatpak of a browser disables the sandboxing between browser tabs. It doesn’t necessarily make my device less secure but it would make my browser less secure. Firefox officially supports it’s Flatpak so it would be good if I could find some sources more reliable than various forum posts but all-well.
I’m iffy on having to manually configure my security but if I’m using Firefox on a distro that does not support it then there’s not much I can do to avoid that.
Thanks for your tips.
The browser can’t create unprivileged namespaces because Flatpak blocks access to namespace creation. This DOES interfere with an important method of sandboxing used by browsers on Linux. It makes site isolation weaker, which could allow an attacker from a malicious site to steal information from any open tab, or possibly escape the sandbox. Browser sandboxes are multilayered for a reason, one less layer makes exploitation exponential easier. The Firefox Flatpak is official, but that doesn’t mean it is safe. Flatpak sandboxing is substantially less strong than a browser’s isolation strategy This because Flatpak is a general purpose sandbox mostly meant for making distribution of software easy by providing an identical environment across all Linux distros, not for rigid security. Browser’s provide a more fine grained sandbox that is designed around the threat model that the website is compromised/malicious and is attempting to hack you, since websites are effectively just apps. Don’t use Flatpak’d browsers at all, or the very least not as your default.
You don’t have to sandbox he browser with Bubblejail if you don’t want. I was only suggesting it and providing instructions in case you wanted an extra layer of isolation.
I do want that extra security. But I’m disappointed it can’t be automatic in Secureblue (even though I’d be using it as explicitly not intended).
Fedora is fine for the specifics you mentioned. If for some reason you feel the need to go immutable later, SB is alright-ish.
I heard that the sandbox on Fedora (and all major distros) is relatively weak, and pulseaudio is a known escape vector for webpage malware. So I’m not 100% Fedora is reasonably secure.
SB isn’t immutable BTW. I wish it was because I like the idea of immutable distros (for people who don’t use Arch) but it isn’t.
Fedora was one of the first to get rid of pulseaudio and replace it with Pipewire, so that shouldn’t be an issue.
Absolutely not true 🤣🤣
Where’d you hear this?
Also, Silver blue is immutable. You are just full of bad info, bud.
I think he’s talking about secure blue rather than silver blue (which is immutable) - https://secureblue.dev/
Correct. I assumed they were talking about Secureblue.
What do you mean by sandbox here? Fedora has selinux by default which adds an extra layer of security. If you really want a “sandbox” qubes is probably the way to go. It runs everything in virtual machines, so if there was a browser escape they would still have to eacape the vm. It would be an very sophisticated attack and nothing you have to worry about.
And pulseaudio is fine lol what you’re describing would certainly be assigned a cve and the only cves for pulseaudio are all denial of service except for some back in 2009.
By Sandbox I mean that the apps I install should only have access to the files in a dedicated directory. Mullvad seems to do this on Kubuntu, there’s a .mullvad-browser folder in my home directory and whenever I try to upload or download an image using it I find myself unable to navigate away and instead need to use my file manager to do so.
I’m not really interested in QubesOS. As above my first priority is running Linux and while the virtualization in QubesOS interests me it’s not an operating system I want to use.
I heard the pulseaudio thing from this source https://profincognito.me/blog/security/browser-engine-security-comparison/ although it was uncited so it may be BS.
I am a bit ignorant about fedora security, but doesn’t pretty much everyone run Pipewire now and not pulseaudio?
I wouldn’t know. I’m coming here with worries, not facts.
It sounds like you’d be happier with qubesOS. It’s very privacy and security focused
qubesOS isn’t quite Linux and I’m not quite a fan of it’s structure. If I were just running my browser in a VM though that would work.
isn’t quite Linux
What do you mean?
It’s Linux VM’s running inside a Xen Hypervisor. I want security but I also want to run Linux proper. I’m not exactly giving a good explanation here but basically I don’t really want to use Qubes.
Xen itself runs on the Linux kernel. In qubes, the root dom0 runs in a Fedora environment, so it is “Linux proper”, but I think I understand what you’re getting at.
Could you tell us your gripes with kubuntu? I’m curious
In terms of gripes theres:
- It’s prompting me to upgrade to the unstable Ubuntu 25.10.
- It failed to upgrade me when I accidentally pressed the button.
- Widespread consensus that Ubuntu doesn’t take security as seriously as Fedora/OpenSUSE.
- That whole Xubuntu malware situation.
I’m pretty sure there was another big issue I had. But it’s not coming to mind immediately. I’ve heard a lot of complaints about Ubuntu and I think I ran into something like that but it wasn’t that important to me personally so it slipped my mind.
Thanks for the info! Best of luck with your search
I was a diehard Fedora fan until recently they started allowing AI generated code for their distro. That was my wakeup call to finally start getting my toes wet with Arch via Cachyos.
I ain’t sweaty enough to Arch. I run CachyOS on my desktop but I want my laptop to be more secure in which case Arch would be my only option. Overall Fedora (and it’s derivatives) are the only distros that meet my expectations for a distro.
