N.E.P.T.R

Plain and simple, with a supply chain attack.

Mint is directly based on Ubuntu. Mint also has LMDE (Linux Mint Debian Edition).

Go with Bazzite. Stable or LTS distros are more insecure than rolling release, and Debian has a history of leaving vulnerable packages not updated (eg. Chromium).

Debian/Ubuntu use AppArmor for very minimal mandatory access control policies. Fedora (which Bazzite is based on) uses SELinux, which is better.

Or if they really want specifically Debian for gaming, use PikaOS instead because it is gaming optimized Debian. CachyOS or Bazzite is stilk a better choice IMO though.

Remote code execution is a concern. Your server and your network as a whole (including other VLANs) are susceptible to attack if Jellyfin is compromised. If Jellyfin is running on the host, it would be trivial to hack your server (and anything else running/connected to it). If Jellyfin is in a Docker/Podman containers, it doesnt prevent attacks against the host (sandbox escape, kernel privilege escalation, etc), or against your network over some ports. Even if the server is on it’s own VLAN, a vulnerability or weakness in your router could still lead to a compromise, meaning that any devices that is in any way connected to your router (including personal devices) could be attacked.

There is a lot of depth to this topic of course. And at some point you just calculate your risks and weigh your options. There is no such thing as perfect security of course.

It doesn’t use systemd, nor do they seem to have plans to add age attestation.

What is this program?

Can you elaborate? Seems interesting.

China was doing that kinda thing in Hong Kong not that long ago. Killing protestors, disappearing people, attacking journalists and doctors. They just aren’t right now. They are srill that bad.

You you do choose to release it, do it on codeberg because GitHub is Microsoft owned and has an incentive to remove it.

What does it mean to “make Linux secure”? What does secure mean to you (genuine question). I see people say they can make Linux secure but from what kinds of attacks. I think madaidan’s blog explains why you can’t as an individual fix an issue with the entire ecosystem, or fix the kernel of its inherent security flaws https://madaidans-insecurities.github.io/linux.html

I think “good security” in my personal opinion means that even if you try to run a malicious app, it either crashes out right or can’t do anything because it doesn’t have the permission to.

One thing that I think is very misunderstood is that messy or extremely large/dense code can be very hard to understand, even if you have the source code. Like systemd, it is several million lines of code and is very tangled together. Is it that much better than a blackbox if no one can audit the whole thing (unless you are a massive team)? I do think it is better to have source code and documentation, but vulnerabilities arise from unintended interactions in the code. The more code there is, the higher the chance of this happening.

100% /j

Nah, by that time I will just leave this community.

This is not a nottheonion sort of post. “Wow the racist is racist”. Look at the pinned post. This is not a politics community. It isn’t being in forced for some reason but far too many post are just “Trump did something bigoted or fascist? surprised pikachu”

deleted by creator

It really isn’t that different than regular Fedora Atomic. It offers easy toggles for most security features and some convenient utilities to make things easier.

You can just layer persistent malware (like a .rpm from the internet) using rpm-ostree, or rebase to a malicious image, because rpm-ostree doesnt require a password. Atomic doesnt mean basically anything other than you switch out images, it isnt a security feature. Or have persistent malware by creating a systemd user service that runs on login, or a system service which does the same, and does something malicious (exfiltrate data or keylog [yes that is possible on Wayland with LD_PRELOAD trick]). Or modify the use’rs ~/.bashrc and change the path to include something like /tmp or ~/.local/bin and pit a fake sudo binary which takes president over the real sudo and does something (like steal your user password). Or LD_PRELOAD a malicious binary to everything either by adding a line to the .bashrc, or get root and create /etc/ld.so.preload

The list goes on. It isn’t more secure than regular Fedora. It isn’t a (significant) security feature. It doesn’t protect against persistent malware which resides in the user home, etc, or goes unnoticed as a layered package. rpm-ostree can be used to install anything without needing a password. It isn’t secure.

They aren’t DIMMs so basically no resale value. Only usable for data center servers.

I was specifically responding to at the end where you say it is “super secure” at the end of your comment. It is not a security focused distro. It isnt even (only) a privacy distro. It is an anonymity distro. Fedora is private, but it doesnt store everything in RAM or route everything through Tor, so it isn’t amnesic or anonymity focused.

When compared to Whonix (which is Debian based like Tails) or Secureblue (Fedora Atomic based), Tails doesnt do nearly anything to harden its base other than to strictly proxy the network through Tor, run in RAM, and some default apps.

Fedora Atomic is not more secure than traditional Fedora. That is a misconception.

Qubes, Kicksecure/Whonix, and Secureblue are basically the only major security focused Linux distros.

Tails is focused on anonymity, not simply privacy (same with Whonix). Tails is not really security hardened.