Personally I think Qubes OS is probably the best option in terms of privacy and security at this stage, if your hardware can handle it (16GB RAM would be best).
I would seriously consider Qubes OS over PureOS if privacy and security are your concerns.
It works pretty well and I've been using it for a while now on not so recent hardware without much issues.
Their compartmentalization and seamless virtualization is just amazing and I don't think any other distro offers this with so much convenience.
Qubes is fantastic but as a PSA the hypervisor's kernel doesn't support newer GPUs such as AMD rx5000 (AFAIK rx580 is the newest supported one). Learned this the hard way. Qubes 4.1 will bring the support, once it's complete https://github.com/QubesOS/qubes-issues/milestone/20
Any notes on the VM integration in general? Been looking forward to a "Windows subsystem for Linux" style thing where I can run Visual studio and games without actually having to deal with Windows as a primary OS =P
Proton - Valve's branch of Wine is probably your best option for running Windows games on Linux right now. That is of course unless you also want all the security that comes with Qubes. If you want to use a VM, VMware had a reasonably well working implementation of 3D acceleration when I last tried it 4 or 5 years ago.
I love Qubes; my only gripe is that they use the Xen hypervisor instead of a minimal, formally verified OS such as seL4, which I think would go a long way in strengthening the isolation between "domains/containers/etc".
Interestingly enough they only mention it being unreasonable for x86; it would be interesting to see seL4 supported for ARM (for which seL4 already has a verified kernel).
The paper discusses more fundamental issues than just x86 architecture:
* Usermode drivers need to be formally verified to prevent malicious DMA. Adding IOMMU/SMMU to the microkernel will complicate the current proofs.
* All user processes that manage resources, like filesystem, network and memory management, must also be formally verified. These are currently unproven.
What is the response of Qubes OS to the famous Theo de Raadt critique[1] that virtualisation is basically adding another layer (hypervisor) of possible exploits just below the existing one (kernel)?
Rutkowska wrote various posts about it. She does not answer your question directly and precisely, but provides considerations that make clear why she considers Qubes' approach an improvement over the status quo.
Just compare the number of lines of code between the Linux kernel and Xen. You will see how much lower the probability of a bug becomes if you use the latter.
A brick respects your privacy but it is not a very useful computation device.
I bought a laptop from them and after about 6 months of struggling with PureOS I installed Ubuntu and it has been smooth sailing. One software issue I had with the PureOS install was a hard freeze during booting about 60% of the time.
I hope there is a newcomer to the privacy crowd that is willing to err on the pragmatic side of things. Like somewhere between Apple and Purism.
System76 also sells laptops with a Linux OS, Coreboot BIOS, and a "disabled" Intel Management Engine. (There's no true way to disable it, but any dangerous parts are removed, rendering it useless)
System76 is not a newcomer, though - they've got 15 years of history. I've bought from them and found the experience to be superb.
The ME side is not so clear anymore. Pre-Nehalem, it could be truly disabled. Up to Skylake, it could be "cleaned". Up to Comet Lake, it could be "asked" to disable itself. From Tiger Lake onwards, it is quite essential since Tiger Lake removes S3 sleep, and ME is needed for efficient modern standby.
It is true that they are more pragmatic. But still no dice for me. Perhaps, I should be more careful what I wish for, haha.
Both System76 and Purism have a "We teach you to fix it" support attitude. So when you run into trouble you are going to have to expend effort. They both have their share of bugs.
All I want is something that gets out of my way and works. I don't need the latest specs. As long as they hit a reasonable base the more ethical the better. I do software development on Linux. I don't feel like that is a big ask to have a trouble free Linux laptop.
And I knew this when I was making my purchase. At the time Purism was advertising a "luxury" laptop experience coupled with the equivalent price tag. But I got it and 7 days later it wouldn't boot because of a rather nasty software bug (which I am not sure has been resolved [I think it is a rather nasty race condition since it happens indeterministically]) due to their specific configuration. They also lied about the battery life on the website (I get less than two hours and they adv. five hours). And the WiFi doesn't really work no matter what you do as the chassis severely attenuates the signal. Which for me, as a "digital nomad" in SA at the time really really hurt.
If I were to do my laptop purchase again ATM I would get a Dell. Something like this:
In my experience you get the best results by going for hardware that's known to be compatible and use either Linux Mint (or maybe MX Linux) if you don't want to bother to touch the system, or something Arch-based if you want to be able to just install anything and have it work. In the long term I chose the latter and now after 2 years it's the longest time I've not reinstalled Linux, and I've had fewer issues than with Windows 10 and distros like Ubuntu. One or two times a year it's had problems but nothing a few quick googles couldn't fix. For development it's great because I get almost all the libraries and utilities in the current version right from the package manager.
All that said when you want Free software you'll have to make sacrifices unfortunately.
It may depend on your hardware. If it wasn’t made to support Free software it likely doesn’t — particularly for firmware for WiFi cards or Nvidia graphics, which PureOS should not have packages for.
Would appreciate an explanation from whoever was downvoting you before.
There are no laptops in the market which support free firmware for WiFi, except those from Purism. So PureOS (without installing additional non-free software) will not work for you.
Yes, there are indeed RYF-certified laptops supporting free WiFi firmware, but they are now vulnerable to Spectre, Meltdown etc, and not fixable. So unfortunately this is not very secure to use them...
I recall running into issues with WiFi firmware from Purism. I installed the prop. driver and got some improvement. Although, I ended up upgrading the wifi chip altogether in the end.
No problem. I’d recommend trying it out live, you can get it at https://www.pureos.net/download/ and then follow the installation instructions (https://tracker.pureos.net/w/installation_guide/live_system_...) from there if it works well (make sure to copy your /home directory/partition first if you want to keep it), or not install (and maybe try purifying Ubuntu or Debian a bit with the `vrms` package’s assistance) if it doesn’t.
Being unable to connect to the Internet or any network due to a lack of WiFi support is a strong privacy and security protection mechanism indeed.
And the freedom is provided by removing your choice to use nonfree WiFi drivers. Leaving that decision to you with a warning of its implications (à la Debian) is not really freedom because you'll make the wrong choice.
Don't get me wrong, I'm a big fan of FOSS, but not of doublespeak.
> Leaving that decision to you with a warning of its implications (à la Debian) is not really freedom because you'll make the wrong choice.
This is context dependent.
Suppose I'm changing an existing laptop from Windows 10 to Debian for a user. Suppose I must install WiFi to convince the user the machine is at all useful. Suppose if I fail to get the machine to work, the user will eventually go out and get another Windows 10 machine.
In this case the right choice is to install from nonfree. It's a compromise, sure, but it's clearly less bad than the alternatives and leads to significantly more freedom than the user had before.
To not leave room in your philosophy for these cases-- and there are many-- is to create unnecessary rifts among allies. You're doing it right now by implying that Debian proponents aren't True Scotsman due to the existence of nonfree.
You can change out the internal WLAN card in a lot of laptops, or get a USB version with free drivers. It's a very realistic option. You just have to be more careful when picking your hardware, since many chip makers don't release free drivers.
I feel like I must be misreading something, because your second paragraph appears to me to be the doublespeak you claim to dislike.
The problem with "free software" fundamentalists is they care more about the freedom of the software than the freedom of the user. Part of free choice from a user perspective is the freedom to run proprietary blobs. Also when it comes to freedom to run or not run proprietary software there is no such thing as a wrong choice, just a personal choice. I would prefer you not force your freedom on me, so that I can be free to do as I please.
> The problem with "free software" fundamentalists is they care more about the freedom of the software than the freedom of the user. Part of free choice from a user perspective is the freedom to run proprietary blobs.
No one is removing the freedom to use blobs. You can use them on PureOS, too (and I did). The difference is you will not run into proprietary software by mistake (which is possible on Debian).
> Also when it comes to freedom to run or not run proprietary software there is no such thing as a wrong choice, just a personal choice.
Most users have never heard about free software and do not make a choice, they just use whatever is installed. This is exactly how you make a wrong choice: unknowingly.
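The check the two comments above and the earlier `vrms` suggestion are circling around (is any installed package from contrib, non-free or non-free-firmware?) can be done with a short script over dpkg's status database. This is an added example, not code from the thread or from the vrms project; it assumes the Debian `/var/lib/dpkg/status` stanza format (Package/Status/Section fields separated by blank lines) and runs here on a constructed sample.

```shell
#!/bin/sh
# Added example: report installed packages whose dpkg "Section:" field
# places them outside Debian's "main" component, i.e. in contrib,
# non-free or non-free-firmware. Reads a dpkg status file on stdin.
# Real use on a Debian system: list_nonfree_packages < /var/lib/dpkg/status
set -eu

list_nonfree_packages() {
    awk '
        # Emit the current stanza if it is installed and non-main.
        function flush() {
            if (pkg != "" && st ~ /installed$/ &&
                sec ~ /^(contrib|non-free|non-free-firmware)(\/|$)/)
                print pkg " (" sec ")"
            pkg = ""; sec = ""; st = ""
        }
        /^Package: / { pkg = $2 }
        /^Status: /  { st = $0 }      # e.g. "Status: install ok installed"
        /^Section: / { sec = $2 }     # e.g. "non-free-firmware/kernel"
        /^$/         { flush() }      # blank line ends a stanza
        END          { flush() }      # last stanza may lack a blank line
    '
}

# Constructed sample in dpkg status format (not a real capture);
# nvidia-driver is only "config-files", i.e. removed, so it is not listed.
SAMPLE_STATUS='Package: firmware-iwlwifi
Status: install ok installed
Priority: optional
Section: non-free-firmware/kernel
Version: 1.0-sample

Package: vrms
Status: install ok installed
Section: admin
Version: 1.0-sample

Package: intel-microcode
Status: install ok installed
Section: non-free/admin
Version: 1.0-sample

Package: nvidia-driver
Status: deinstall ok config-files
Section: non-free/x11
Version: 1.0-sample'

printf '%s\n' "$SAMPLE_STATUS" | list_nonfree_packages
```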
This is nice and all and I am being 'that guy' nitpicking, but I hate the use of 'OS' when this is actually a Linux distribution. It is really confusing as in some cases an 'xxxOS' really is a new OS but more so these days it means 'xxx Linux distribution'.
Also given their links to the FSF, who insist on 'GNU/Linux', it is amusing to see the name contain neither GNU nor Linux.
As a huge Linux fanboy (I contribute to the kernel minorly as a hobby) I can also see the positive side - using Linux is such a foregone conclusion that we don't even need to mention it any more :)
I’m a big fan of Linux, and I’ve been thinking and wanting to go full Linux for a while, but there just doesn’t seem to be a single laptop in existence that only runs free software. Every thread I read just turns into an infinite rabbit hole.
It's probably not as bad as it appears. I currently have a Lenovo ThinkPad running Ubuntu with no problems, and it is not the first laptop I've run Linux on. Honestly, if you are not using bleeding edge or obscure hardware, you are probably ok. The only time I've had hardware problems with Linux in the last 10 years was a video card (on desktop) that could not initially output audio over HDMI. After a few months, the driver was updated, and all was fine.
I’ve had very good results using Ubuntu in the cloud. And I have played around with the desktop version a bit.
What I was referring to in my comment was when I have researched to try to find a laptop that runs completely free software including all firmware etc, it gets very confusing. I’m not even sure if such a machine exists.
I wish there was a site similar to https://caniuse.com but for laptops that run Linux.