 DistroWatch Weekly |
| Tip Jar |
If you've enjoyed this week's issue of DistroWatch Weekly, please consider sending us a tip.
(Tips this week: 0, value: US$0.00) |
|
|
|
 bc1qxes3k2wq3uqzr074tkwwjmwfe63z70gwzfu4lx  lnurl1dp68gurn8ghj7ampd3kx2ar0veekzar0wd5xjtnrdakj7tnhv4kxctttdehhwm30d3h82unvwqhhxarpw3jkc7tzw4ex6cfexyfua2nr  86fA3qPTeQtNb2k1vLwEQaAp3XxkvvvXt69gSG5LGunXXikK9koPWZaRQgfFPBPWhMgXjPjccy9LA9xRFchPWQAnPvxh5Le paypal.me/distrowatchweekly • patreon.com/distrowatch |
|
| Extended Lifecycle Support by TuxCare |
|
|
| Reader Comments • Jump to last comment |
1 • Firewall (by Dave on 2026-03-02 02:25:08 GMT from Australia)
Sincere question - is a firewall necessary of no nerwork services (like ssh for example) are running?
2 • Firewall (by Zyber on 2026-03-02 02:57:34 GMT from United States)
I recently had connection issues and never realized how unsecure my PC was, that and I needed an attenuator which really does make a huge difference. Anyways because of the issues I decided to fine tune my Firewall. Also I have IPV6 off, doesn't even load a boot. And I have all my traffic go trough AdGuard and have five active block lists, plus individual blocks. I also use cloudflare and quad9 for DNS. Firewalls by themselves are great but I think more is needed than simply that, especially with the emergence of AI. No one assume that your computer is not at least being listened to, bots, people and AI's just waiting to see where you go. Looking for a way in. Yes, be paranoid. Be prepared not surprised.
Note: IP6V was suppose to be an upgrade to IPV4 but it appears many isps ignore upgrading it and just use it for an over flow lane during high network traffic times. Maybe it is just my isp, but it runs much smoother without it loading, though a few games broke but no big deal for me.
3 • AerynOS (by Walt on 2026-03-02 03:39:38 GMT from United States)
I have been running AerynOS on a Lenovo Ideapad3 since December using the Gnome DE. Even as an Alpha, I find it to be very stable and have had no issues. I can't wait for it to have a GUI installer to make it easier to install but using Gparted to create the partitions the way they want them is easy enough. Once this distro gets further along I will seriously consider using it on my main computer!
4 • Firewall (by Rob on 2026-03-02 03:45:08 GMT from Australia)
Also an external IPFire box.
5 • Aeryn OS (by Hank on 2026-03-02 09:54:03 GMT from Germany)
I stopped reading after
Plasma desktop required 1,450MB of RAM just to sign in
Do developers think efficiency is unimportant, the less my desktop loads my hardware the more power is left for tasks i want to do, and more important, less wattage is needed.
Right now with two Browsers open plus a notepad , writing this 1.14 G memory in use.
I sign in to find Ram usage hovers around 240 MB that is. ICEWM is efficient....
6 • Firewall (by borgio3 on 2026-03-02 10:08:12 GMT from Italy)
I've never had a firewall on my computer and never had any problems. So what's the point?
7 • Firewall (by DLCBurggraaff on 2026-03-02 11:04:11 GMT from Netherlands)
I have a trusted mini LAN. Running NAT behind a router is enough.
So no firewalls on my computers.
:)
8 • Aeryn OS (by Jobe314 on 2026-03-02 11:23:17 GMT from Australia)
1.45Gb ram on login....
But it's alpha you say, sure, but in what universe is this even remotely acceptable for KDE?
Whatever happened to lean Linux desktops? All of them are memory hogs nowadays. Given the RAM situation these days and for the forseeable future, using any desktop which requires more than 1Gb just on login is a little ridiculous.
Yes we have options to use minimal windows managers like Openbox, i3, IceWM and so on, but for most dealing with custom configs is too much of hassle for people which is why comfy desktops exist.
Devs need to cut the fat from these desktops and make them as memory efficient as possible.
Aeryn devs, sorry, but your distro is unacceptable for me
9 • Plasma (by Jesse on 2026-03-02 12:15:29 GMT from Canada)
@8: The heavy RAM usage here is not specific to AerynOS, it is the same across all distros that run Plasma 6 under a Wayland session. Plasma 6 is huge and Wayland adds about 400MB of memory consumption. Switching to X11 gets the memory usage under 1GB.
10 • firewall (by John on 2026-03-02 12:17:26 GMT from Canada)
@1
It depends :) I have one active because sometimes I use my laptop in "risky" areas like coffee shops, hotels, libraries. But at home all the time with a trusty router, I doubt it.
I use the firewall to restrict which IPs can attempt to login to my system via ssh. For example, for port 22 I use to block all IPs except for one ones associated with my office at work, prior to WFH.
This firewall use goes back to the old days, these days, maybe it is not really needed but I keep it going anyway.
11 • AerynOS (by No way on 2026-03-02 12:39:53 GMT from Italy)
> We are also told to create a boot partition (with the FAT32 filesystem)
_That's_ where I would have stopped reading...
12 • Wayland Ram usage (by kc1di on 2026-03-02 13:25:33 GMT from United States)
On my Mint install Cinnamon - with wayland uses 600 more Mb ram than on X11. I'll stick with x11 for now. As far as a fire wall goes ust GUFW here just in case.
13 • Local firewall have a usecase (by sedric on 2026-03-02 14:01:46 GMT from France)
> the firewall is not offering any additional protection
That's not true. A firewall does not only protect traffic to your computer but also *from* your computer.
The point is : if you download untrusted softwares or trusted softwares that has been compromised for a reason, you may want to have some suspect outbound traffic blocked to avoid either further contamination or data extraction.
14 • Firewall (by Jesse on 2026-03-02 14:05:00 GMT from Canada)
@13: "That's not true. A firewall does not only protect traffic to your computer but also *from* your computer."
While a firewall _can_ block outgoing traffic, no pre-installed firewalls block outgoing traffic by default. Which means if your computer is compromised, even if you are running a firewall, the malicious traffic still gets sent from your computer. You'd need to specifically block all outgoing traffic and permit just applications/destinations/ports you approve of to accomplish what you suggest. Virtually no one, outside of a corporate network, does this.
15 • Why firewall/Bloated how (by We all float down on 2026-03-02 14:06:51 GMT from Netherlands)
Denial of service remains possible with, while most are behind CGNAT, why bother. Maybe take a look when changing provider/APN.
Hard to tell what's really the working set of Aeryn/Plasma, or just cache (files read once at boot, etc). Might still run in mem=725M without swap.
16 • Firewall (by Pierre H on 2026-03-02 14:57:05 GMT from France)
it all depends on your network. Start wireshark and look at what you receive when there is no application active (mail and browser are always talking a lot)
17 • Gparted bug or a feature related to fat32 (by aurel on 2026-03-02 16:21:20 GMT from Moldova)
Jessie,
The bug you mentioned in gparted is a feature :)
It annoys me a lot.
Gparted can create fat partitions and uses `dostools` for that.
But if you wanna resize/shrink `fat` partitions, you need to have `mtools` installed.
AND gparted shows this scary `yellow` label, that it doesn't support `fat`, if you don't have `mtools`.
AND mtools is not needed by 95% of users, so I think this `feature` is not feature, but a bug.
Debian has `mtools` as a dependency of `gparted`. Other distros like `arch` and `aeryn` don't include `mtools` as a dependency...
So this annoying `yellow` label confuses a lot of people coming to linux from windows.
18 • Anti-virus (by Chris on 2026-03-02 16:57:47 GMT from France)
> Anti-virus mostly guards against programs or files which are downloaded from untrusted sources and then run unknowingly. Since almost all applications on a Linux system are fetched from curated sources, it is quite rare for a user to end up with a malicious program on their system.
Is it 2012 now or 2026? I wouldn't call snapcraft.io or Flathub "curated" sources. There were multiple instances of malware in the Snap Store: https://blog.popey.com/2026/01/malware-purveyors-taking-over-published-snap-email-domains/. Flathub have some human review, but mostly for initial package submissions, cf. https://docs.flathub.org/blog/app-safety-layered-approach-source-to-user. The updates are not thoroughly reviewed: https://docs.flathub.org/blog/app-safety-layered-approach-source-to-user. The sandboxing model of Flatpak is flawed because many packages require the filesystem write access permission which is not restricted enough and enables trivial sandbox escape.
19 • Aeryn OS and RAM usage (by Chris on 2026-03-02 17:12:30 GMT from Sweden)
@8
> Whatever happened to lean Linux desktops? All of them are memory hogs nowadays.
I guess it is mostly because of Qt 6 in case of Plasma 6. Of course the Qt Company wouldn't optimize their framework for memory footprint unless their paid customers demand this and pay for the optimization.
20 • Firewall (by Chris on 2026-03-02 17:19:18 GMT from Sweden)
@14:
> You'd need to specifically block all outgoing traffic and permit just applications/destinations/ports you approve of to accomplish what you suggest. Virtually no one, outside of a corporate network, does this.
I think it is not usually feasible to block outgoing traffic globally for the entire computer, but it is certainly useful to whitelist outgoing destinations for an isolated security domain (a container, virtual machine or application sandbox).
21 • Sources (by Jesse on 2026-03-02 17:34:06 GMT from Canada)
@18: " I wouldn't call snapcraft.io or Flathub "curated" sources."
Why wouldn't you? They are curated sources.
"There were multiple instances of malware in the Snap Store"
That doesn't mean it's not curated. Almost every repository (distro-specific or otherwise) has, at some point, had malware sneak in. Curated does not mean 100% secure, it means checked over so that _most_ malware doesn't get through. And, if malware is discovered, it's quickly removed. No security approach is 100%.
"The sandboxing model of Flatpak is flawed because many packages require the filesystem write access permission which is not restricted enough and enables trivial sandbox escape."
This has nothing to do with whether software is curated. You're talking about default sandboxing options which are a whole other topic and can be adjusted as the user requires.
22 • Sources (by Chris on 2026-03-02 18:10:07 GMT from Poland)
@21: "Why wouldn't you?"
Because they allow people (including pseudonymous persons) to publish software without either doing enough review or really establishing the trustworthiness of the upstream source. In the traditional Linux distribution model the trusted maintainers are (morally) responsible to do the former or the latter.
They can be considered curated if the user installs "verified" packages only, but this mode is not the default and many popular well-known packages are not verified.
"You're talking about default sandboxing options which are a whole other topic and can be adjusted as the user requires."
How can the user adjust which directories or files are writable by a Flatpak bundle? Is this setting easily accessible in the Flatpak GUI?
23 • Firewall and security in general (by Zyber on 2026-03-02 20:35:08 GMT from United States)
Some of you will hate the fact I used an AI, but I am not against AI's only the rushing, misuse of AI's not too mention the issues we now have with the high cost of things like ram, which most likely will end up in one of many ghost data centers, in my opinion. Anyways here is this.
I’ve been thinking a lot about our community's approach to security lately. I wanted to word this carefully because I sometimes struggle to relay my message without it coming across the wrong way, so I worked with Gemini (AI) to help me organize these thoughts.
We use Linux for digital sovereignty, but that ownership isn't complete without a solid perimeter. In the current landscape, a 'default' install is just the starting point. Taking a few minutes to configure a strict firewall and hardening your environment isn't about being paranoid—it’s about closing the door to your own house.
There is a lot of noise suggesting that security is 'too complex' or that 'Linux is safe enough out of the box,' but we shouldn't let the 'ease of use' argument become an excuse for being insecure by default. Let's make high-wall security our community standard, not a niche hobby. Secure your build, then enjoy the peace of mind.
24 • Flatpak (by Chris on 2026-03-02 20:39:48 GMT from United States)
@21
After reading https://docs.flathub.org/docs/for-app-authors/requirements and https://blogs.gnome.org/mcatanzaro/2025/07/21/fedora-must-carefully-embrace-flathub/ the review process by Flathub appears to be much better than I assumed, but I think there is still one important deficiency compared to the traditional approach. The dependencies in the traditional model have the same status as application packages, but in the Flathub model they appear to be less curated (at least in practice) compared to the application source code proper, if I understand correctly.
25 • Firewall (by Chris on 2026-03-02 21:18:50 GMT from Sweden)
"However, some desktop distributions choose not to enable a firewall by default since they also are not running any Internet-facing network services and a firewall is redundant in such a situation."
While it may be better from the point of security not to have any Internet-facing services, it is also sad from the perspective of user autonomy and dependence on centralized Big Tech services. Imagine a world where network services are commonly hosted locally (without ever requiring a VPS), running unprivileged and isolated, maybe in small VMs, configured by GUI front-ends and being able to be adequately administered by non-tech users...
26 • Firewall / security (by Keith S on 2026-03-03 03:22:55 GMT from United States)
I run a pretty basic pf configuration on my OpenBSD laptop. I use ssh to update a small static website on a VPS so I have it configured just for that, blocking literally everything else. I agree with those above who argue for more care (rather than assuming everything is OK) in securing your computers. It doesn't have to be an ordeal of reading and fiddling for hours trying to set it up. On most Linux distros you can set up a basic firewall with a few clicks.
OpenBSD warns that their packages don't receive the same level of review that the base OS does, and I think that is probably at least as true for most Linux distros. I have never used flatpaks or snap packages, since I've never needed anything that I couldn't find in Debian repos. Malicious packages are still possible from there obviously.
27 • Snaps (by Jobe314 on 2026-03-03 05:10:19 GMT from Australia)
"That doesn't mean it's not curated. Almost every repository (distro-specific or otherwise) has, at some point, had malware sneak in. Curated does not mean 100% secure, it means checked over so that _most_ malware doesn't get through. And, if malware is discovered, it's quickly removed. No security approach is 100%."
This is a bit diengenious isn't it? You make it sound as though malware is an ever present issue in Debian repos or in the main Arch repository (not AUR) as much as it is in Snaps/Flatpaks. However this isn't true.
The number of fake Snaps/Flats (and most likely also Appimages) that are impersonating real applications but are instead malware is much much higher, by an order of magnitute than in normal distro repos.
You can't say because of the XZ Utils issue, that this is the same is hundreds of compromized Snaps/Flatpaks.
As for your claim that when malware is discovered it is removed, so what? The same malware shows up again with a different repo name or app name. The curated aspect is also not true. Nobody in Snaps or Flatpaks checks every single app, and checks the source code for potential malware.
"Snaps are published in the Canonical-run Snap Store. Anyone can sign up for an account"
Snap store and Flatpaks are full of fake crypto wallets just waiting for a confused user to download them and lose their life savings.
Case above: An application called “Exodus” was published in the Canonical Snap store on 6th February 2024.
Early on Sunday 12th February a new Snapcraft forum user named “castle” started a short thread titled “Exodus - Movement Exod”. In it, they enquired:
Can anyone tell if the Exodus wallet in Ubuntu’s software store is a scam? My wallet is empty after recovering and it shows a recent transaction of my entire balance sent to an address. I never made this transaction.
The Snap was indeed a scam and malware. The package was not scanned before being available for download. This is happening right now, still, with other packages and apps. Nothing has changed. The issue above was only discovered because a user lost their money, not because of any curation or safeguards from Snaps.
Whatever safe guards are supposedly offered by Snaps/Flatpaks and Appimages, they are immediately nullified by the fact that they turn Linux, which is by design more secure than Windows due to app permissions, into Windows by creating these "executable" style apps full of unchecked dependency binaries outside of the distro repositories.
Snaps, Flatpaks and Appimages have severely degraded the security for users, not improved them.
28 • Future of Linux desktops (by Mykel Wayne on 2026-03-03 05:59:43 GMT from United States)
While it may seem, to me anyway, that the Linux desktops are frequently following the MS way, I personally prefer the less-is-more method of desktop usage. To me, that means avoiding a few of the more common desktop environments.
The two biggest desktops (source code and runtime) are Gnome and Plasma. I gave up on Gnome many years ago. Partly because the early versions of GTK and GTK2 were tight and performed well on many systems. Gtk 3.x and higher versions lost much of that advantage simply because they require more processing power. KDE has similar issues.
Sadly, AFAIKT, C++, KDE and Gnome are part of the problem. Well, I guess if you are happy with any of these software products then they should be fine for your use. This mostly requires a faster CPU, extra RAM and storage space. In other words, a more recent computer and the newer, the better.
Once again, IMHO, I find that XFCE4 provides a nice desktop. Alternatives also include window managers and the inclusion of system monitors. Of course, my preferred Linux is Artix. Not only does it eliminate the need for overpowered init systems, but the variety of available software is only limited by the various developer's imagination plus the user's skill and their software needs.
One may also prefer the newest desktop, Cosmic, developed by Pop-OS. Here are my issues with that. First, it is new and still in development. Sure, it might be a great desktop eventually, but, it doesn't take advantage of certain softwares that I am used to using. First, I like the dorp-down terminal that software such as xfce4-terminal, yakuake and a few other shells I have used. A quick set of keystrokes, in my case, [CTRL]+[`] brings up a terminal in no time. From there I can launch midnight commander, Yay and a number of other utilities that run faster from the CLI.
FWIW, the desktop that works for you is your best choice. Sooner or later you will find that it is time to upgrade your hardware. Personally, I find that computers can be expensive or worse, of limited power. Considered the modern laptop. Its CPU is limited due to heat and power consumption.
Just my 2 cents worth of experience. I am not a new Linux user. In fact, I have used linux since version one. Most of my computers have been built by me and Linux gave me the reason to avoid proprietary software with the exception of installation and/or maintenance of MS products.
29 • Safety and security (by sam on 2026-03-03 09:01:56 GMT from Australia)
Apologies as this sidetracks somewhat from firewall and such. I have searched on the internet but hanen't gotten to something that answers my question simply. Question: Is there an approach or way for a novice linux user to know if a distro is 'safe' to use? Or there is not really an easy answer and simplest is something like to use it and get involved? For example, i saw Lilidog come up in last month's list and gave it a try. And liked it. However, i wonder how safe these 'small' or 'independant developers' distros are. I understand no one goes and reads through all the codes to tell you, but wondered if there is a way to know, for someone who only knows pretty basic linux workings. Would appreciate any help, even if it is soemthing like 'there is no way to tell unless you know what to look for 'technically' in the distro'.
30 • Safety and security (by sam on 2026-03-03 09:04:56 GMT from Australia)
when i say 'safe' i'm talking about things like phoning home, data leaks, etc - which the developer might have put in and we use without knowing. Until someone catches them i guess.
31 • safety (by Jobe314 on 2026-03-03 09:47:15 GMT from Australia)
@30
Nobody knows. The only thing you can do to check is check network traffic.
Install Wireshark and analayze the network data.
This is why it's better to take say Debian netinstall, customize it yourself with Openbox. That way you know for sure there is nothing nefarious happening.
32 • @29 Sam (by Zyber on 2026-03-03 12:26:52 GMT from United States)
There is no one perfect Distro. Some are better then others, some have more security tools by default then others. Linux is just safer and more secure then MS Windows. But it is not 100%, Nothing is. Keep it simple until you get use to things. Look at changing your dns to something like cloudflare or quad9 rather than your ISP's default. And also check out a program called AdGaurd. Start there. I am not currently using MX 25.1 Linux. This is the only one I got to work with my cut and paste tower set up. Not all of us have money to get the latest and greatest, so we make do. MX has conky by default and you can monitor your network, etc.
Here is a trick for all looking at security. Nothing is 100% secure. So why bother one might ask? It is to make it so someone looks at your computer, says wow ok, this is a lot to get through.... Then they look over and see ten MS windows computers and say, yeah lets go there instead, it is easier. See what I am saying? Make it too much of a pain for someone to attack you so they move on.
33 • Firewall (by Slappy McGee on 2026-03-03 14:55:24 GMT from United States)
I've never used one regularly. I have enabled it a time or two early on in my Linux journey years ago, but not recently.
I do like full disc encryption at installation. Thing is, in 30 years now of Linux distros and BSD projects on all of the various machines I've owned, I've never seen an exploit or had a virus or any other breach of any kind at all. I don't frequent sites in categories that have a reputation from spreading such crap, and I do not download files directly to the computers I use but have always had a "collection point" for iso files etc, then I scan them for nasty stuff then side load to the machines I will deploy, install, or otherwise use them on.
Firewalls? Not against them of course, just don't deploy them as they seem not needed for my purposes.
34 • Correction for my reply, 32.... (by Zyber on 2026-03-03 16:44:58 GMT from United States)
It should ready I AM using MX linux. Not sure where the not came in but this is why I like to use AI to help me correct what I did. But I am using MX linux and it is based on Debian.
35 • Flathub (by Chris on 2026-03-03 18:44:10 GMT from France)
@27:
> Snap store and Flatpaks are full of fake crypto wallets just waiting for a confused user to download them and lose their life savings.
While there may be malicious Flatpak packages distributed elsewhere, no malware applications have been discovered in Flathub so far, as far as I know. As I commented earlier, there is a review process in Flathub - maybe not exhaustively comprehensive for the updates, but it appears to prevent overt outright malware from being distributed through this channel.
36 • Firewalls (by Jimbo on 2026-03-03 21:51:26 GMT from New Zealand)
I run on a separate I5 4th Gen Intel box Opensense, with ZenArmor and CrowdSec - works great.
37 • Snaps (by Jobe314 on 2026-03-03 21:55:36 GMT from Australia)
@35
A recently discovered vulnerability (CVE-2024-32462) in Flatpak could allow malicious applications to escape the sandbox and execute code on the underlying system.
This vulnerability affects Flatpak versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8.
I hope distros have patched this since this vulnerability was discovered.
Perhaps no malware has yet been found in Flatpaks, officially, however, the real issue is the same as Snaps and Appimages; anyone can publish whether the app is verified or not.
When the app is not verified, which is most apps on Flathub, they are made by someone other than the official developers; and this is where the crux of the problem lies: trust.
It is the same situation as downloading an .exe from someone and hoping it is not malware.
The only way to trust unverified Flatpaks....go the publishers github repo (if they have one), and look at the code. If you are not a programmer well, tough i guess. You need to decide whether to use the package or not.
Personally this situation is ridiculous. Laziness somehow brought Linux to this point. What is wrong with the normal model of having distro repos and pulling any required dependencies? Why was that a problem?
Because .... what .... convenience of portability of apps? So now we have a Windows situation on Linux.
That's some progress.
38 • Flatpaks and snaps vs repos (by Keith S on 2026-03-03 23:58:04 GMT from United States)
@37 My recollection is that Ubuntu (Canonical) and others were unhappy with the Debian repos because they were not updated frequently enough, either apps and/or dependencies, so they made a way to push out the latest releases of everything with snaps (Ubuntu) and flatpak (others). I could be wrong about this, though, since I made a decision back when this became the new thing not to use anything other than the standard repos and I didn't pay close attention to all the details. Again, I've never needed anything outside of the Debian repos on Linux, so it has always been good enough for me. Heck, OpenBSD's ports at about 1/6th the size of Debian's has everything I need. But apparently others have a much different view of the utility of the standard repos whether Debian or Fedora/RHEL or AUR or others.
I guess if I really had a need for some "exotic" packages, I would use NixOS, since they have a good solution for avoiding dependency hell when running multiple versions of the same package or multiple packages with similar dependencies.
39 • traffic jam (by We all float down on 2026-03-04 07:45:02 GMT from Netherlands)
@31 While I don't firewall currently I do sometimes inspect traffic to block insanity, for instance when I see a complete Smalltalk/Squeak system/image pass (in terms of data, unfortunately) to simply check a bank account. Every. Single. Time.
Can we replace this ludicrous Frankenstein web with remote X11/VNC yet?
40 • Security (by Jan on 2026-03-04 10:23:01 GMT from Netherlands)
In the dicussions it is assumed that if you stick to the distro repository, you are safe.
However this is only true if the repository maintainers are always 100% integer.
In the past I have concluded that there are distros with sneaky/malicous motives.
The only way out of this risk is to use distros with the multi-eyes-principle, so with bigger management teams and a solid long-time backing.
41 • Distros with sneaky/malicous motives (by Slappy McGee on 2026-03-04 14:11:30 GMT from United States)
@40 Forgive me if I've missed the list of those distros with such nefarious motives. It would of course be irresponsible of anybody with such a list to not make it known to the Linux user population.
42 • Firewall? No, thanks. (by JeffC on 2026-03-04 19:36:07 GMT from United States)
My distro of choice came with the installed firewall enabled.
The settings made it impossible to access the internet with the default Firefox web browser.
Rather than spending time on my phone looking up how to change the firewall settings on the internet I simply disabled the firewall.
When something breaks a thing I regularly use I discard the thing that broke it.
43 • distros (by Jobe314 on 2026-03-04 21:17:26 GMT from Australia)
@40 @41
I think what is implied here are one man "spins" which are on sourceforge without sourcecode, something like that, where you really just have to blindly trust the person putting the spin out and hope they didnt' ship it with a keylogger or worse.
Of course, small spins/distros will always have a trust issue compared to behmouths like Arch, Debian, Fedora, OpenSuse.
The more eyes on the code, the more trustworthy it tends to be.
For small one man spins, I would strongly recommend you use Github, make the source available, document changes.
44 • extreme security (by delinquenet on 2026-03-04 22:30:10 GMT from India)
Single firewalls aren't enough for persistent threats.
This is the extreme of what it takes to keep out childish hackers who just want to attack & disrupt anything & everything:
Security Onion - 14.7GB. network security monitoring, packet capture, logs management, intrusion honeypots. And yes, even an "Onion AI" as a security assistant.
45 • Firewall & security (by sverige on 2026-03-05 01:41:54 GMT from Sweden)
ChromeOS doesn't have any firewall available. You can put a firewall on your home network of course. And there are Chrome extensions that can help protect from bad sites, like Privacy Badger and U-Block Origin, both of which i use on my Chromebook. But you don't need to worry about their apps.
The tradeoff of sharing data with Google is worth it in my case. They already have all the information on me, even with EU privacy laws. And they sell it. Once you figure out that you can't stop it without just staying off the Internet entirely, you might as well enjoy the convenience of using their services. I know that will make some here angry though.
As for security, last year Google was part of the 16 billion password breach with Facebook and Apple and others. The answer is to change your passwords regularly and to use a good password manager to generate and store strong passwords. I like Proton but really Google has a great one too. Keepass is good too.
46 • @45, Firewall & security (by Bobo on 2026-03-05 09:47:23 GMT from United States)
@45, A strong password or changing it regularly are no help with breaches at Google, et al. Once they've accessed you password, they have it whether it's one day or two years old, and whether it's weak or strong. Strong passwords make it more difficult to guess them, but that's all. Since they are harder to remember, a password manager may be useful. Better security is 2 factor authentication. At any log-in attempt you get a pin/code either on your phone or another email account, which has to be entered to log in. Not foolproof, but much better. Even without 2FA, any log-in attempt outside of my usual machines or browsers will prompt a warning sent to my phone or email.
As for ChromeOS, since it's mostly web-based, and only a few known offline apps are allowed to run, there little is any chance of infection.
47 • 2FA & security (by Anonymous on 2026-03-05 14:33:46 GMT from Poland)
@45: "Once you figure out that you can't stop it without just staying off the Internet entirely, you might as well enjoy the convenience of using their services."
But it _is_ possible to avoid it it without staying offline.
@46: "Better security is 2 factor authentication."
If 2FA breaks (e.g not receiving SMS or losing access to the secondary e-mail) you are locked from your account, and the support is unlikely to help you unless you are a paid customer.
"As for ChromeOS, since it's mostly web-based, and only a few known offline apps are allowed to run, there little is any chance of infection".
It's just Linux under the hood. Chrome exploits run just fine on it. The hacker does not need to write the exploit herself or himself, s(he) can buy it.
48 • Private data illusion (by sverige on 2026-03-05 14:55:49 GMT from Sweden)
@47 "But it _is_ possible to avoid it it without staying offline."
I used to believe this too. I put a lot of effort into hiding or obscuring my personal information online for many years. Then one day I learned that my bank knew everything about me going back to the 90s, even though they had only been my bank for five years. Not all of it was exactly public information either.
The real question is not how to hide personal data. It is, how do you know whether "they" (whoever it may be) already have the information you think should be private? The truth is that you don't know what they already have. And further, you don't know all of the methods and means they have for continuing to gather data that you consider to be private. That is the reality of information asymmetry.
Personally I have come to the conclusion that it is better to deal with the reality that our overlords know everything about us while we know basically nothing about them. And if you are relying on laws and the government to keep that information out of everyone's hands, you have already demonstrated that you don't understand how the enemy operates. It does change the way you think about things, but it doesn't have to change the way you live.
49 • Small distros and security (by Slappy McGee on 2026-03-05 17:22:27 GMT from United States)
@43 @40 @41 So we're assuming the Big Distros are innocent of the exploits (intentionally) barnacled or woven into their projects, and that "one man spins" are or can be the main players in all this (Microsoft aside, of course.. and Apple?).
My favorite one man project is Eric Turgeon's GhostBSD. He seems to leave security largely up to the users. No disc encryption available, for now, but of course you can set a firewall. The reason I bring that up is that I am not sure what is expected of developers of small projects other than to NOT intentionally cause security to be exploited for whatever gains these characters want. It seems like any project/distro can be the template for exploitation under a different name by somebody who wants to do that.
I wonder if a poll here at DW could elicit an honest population of Linux/BSD users who know they have been compromised. I'd like to see that, and the type of exploit(s) they experienced.
I've seen none of it in over 30 years of using computers at work and home. But, I suppose it could be easily said that perhaps it happened and I did not know it happened (some sort of relay point unknown to me that caused havoc downstream from my devices?).
50 • Private data (by Anonymous on 2026-03-05 17:53:10 GMT from Sweden)
@48
I doubt that Google sold your private data to this bank. More likely they got it from a credit bureau. Maybe you have left a resume online - not exactly published, but available to potential employers...
51 • distros (by Jobe314 on 2026-03-05 22:26:12 GMT from Australia)
@49
"So we're assuming the Big Distros are innocent of the exploits (intentionally) barnacled or woven into their projects, and that "one man spins" are or can be the main players in all this (Microsoft aside, of course.. and Apple?)."
XZ Utils is part of the thousands of applications within the linux ecosystem. As far as I know, each distro (Debian, Arch, Fedora etc) repackage these applications in their own repo format (.deb, rpm etc).
If there is an exploit, all Linux distros and spins are affected equally until the issue is rectified. Which is what happened in this regard to XZ.
My point specifically regarding one man distros/spins of that nature, is that they are usually not on Github or Codeberg or Gitlab, where the source code can be inspected and changelogs analyzed. Most spins for that matter are on sourceforge and usually only offer the .iso. There is no verify, just trust.
Large distros, the main ones are all transparent in that, you can look at the source if you so wanted to. Considering how many eyes are on the codebase for Debian, Arch etc, it is very unlikely for an exploit to sneak into the main system and so far no barnacled or intentional exploits have been discovered to my knowledge.
XZ utils is an application, and not what i would consider to be part of the core codebase of Debian or Arch.
If there is some specific exploit you know of which is part of the main Linux Kernel or distro codebase please share it with us.
In opensource the reality is; the more eyes you have on a project the safer it tends to be. That is the rule. Exceptions will always pop up of course, but if you have a 1000 developers on Arch, it is really highly unlikely someone will be able to sneak in something.
A one man spin for example is Archbang, D77void, GhostBSD and so on.
To Eric Turgeon's credit, he has a repo on Github for transparency.
Many other spins do not. And that is an issue for trustworthiness.
52 • @47 • 2FA & security (by Bobo on 2026-03-06 06:58:01 GMT from United States)
@47, "If 2FA breaks (e.g not receiving SMS or losing access to the secondary e-mail) you are locked from your account, and the support is unlikely to help you unless you are a paid custom" There are different way to get past a lost phone or email. For example: Backup codes. Or some websites will offer a choice, email or phone, others also have security questions which to which you have previously provided answers.
"It's just Linux under the hood. Chrome exploits run just fine on it." Chrome exploits affect the browser, but have little chance to affect the system. ChromeOS has; Verified Boot: On every startup, the system checks the integrity of the OS. If any modifications are detected, it self-repairs or refuses to boot. Sandboxing: Each tab and application runs in its own isolated environment, preventing a threat in one area from spreading to the rest of the system. Read-Only Root Filesystem: The core system files are stored in a read-only partition, making it nearly impossible for malware to achieve permanent persistence.
53 • @48 • Private data illusion (by Tikoy on 2026-03-06 07:26:53 GMT from Switzerland)
@48, You brought back a memory, when trying to re-establish access to a credit card on the phone with bank security. Went through a bunch of questions. I had moved around a bit, and I was asked about places I had half-forgotten. This was a good 25 years ago, before the omnipresence of Google, so they had nothing to do with it. How did the bank know? Credit bureaus, of course.
There's a difference between privacy and anonymity. If you want absolute privacy, get off the grid and go live in a forest or far-off island somewhere. I stopped worrying about privacy long ago. But often I want to be anonymous, or as obscure as possible, and I take pains to do that. My public identity is out there for all to see, but for most of my time on the web, I try to stay as anonymous as I can using available methods.
54 • Trustworthiness (by Eric on 2026-03-06 14:29:56 GMT from Germany)
@51
> XZ utils is an application, and not what i would consider to be part of the core codebase of Debian or Arch.
It also includes a library, and if you run "apt-cache show xz-utils" then the output contains "Priority: standard" on Debian and "Priority: required" or "Priority: important" on Ubuntu.
> Considering how many eyes are on the codebase for Debian, Arch etc, it is very unlikely for an exploit to sneak into the main system and so far no barnacled or intentional exploits have been discovered to my knowledge.
https://lwn.net/Articles/1032732/ - this may not be malicious but functionally spyware-like. Of course, the "stardict-plugin" package does not belong to the base system and is not popular.
Number of Comments: 54
Display mode: DWW Only • Comments Only • Both DWW and Comments
| | |
| TUXEDO |
TUXEDO Computers - Linux Hardware in a tailor made suite
Choose from a wide range of laptops and PCs in various sizes and shapes at TUXEDOComputers.com. Every machine comes pre-installed and ready-to-run with Linux. Full 24 months of warranty and lifetime support included!
Learn more about our full service package and all benefits from buying at TUXEDO.
|
| Archives |
| • Issue 1163 (2026-03-09): KaOS 2026.02, TinyCore 17.0, NuTyX 26.02.2, Would one big collection of packages help?, Guix offers 64-bit Hurd options, Linux communities discuss age delcaration laws, Mint unveils new screensaver for Cinnamon, Redox ports new COSMIC features |
| • Issue 1162 (2026-03-02): AerynOS 2026.01, anti-virus and firewall tools, Manjaro fixes website certificate, Ubuntu splits firmware package, jails for NetBSD, extended support for some Linux kernel releases, Murena creating a map app |
| • Issue 1161 (2026-02-23): The Guix package manager, quick Q&As, Gentoo migrating its mirrors, Fedora considers more informative kernel panic screens, GhostBSD testing alternative X11 implementation, Asahi makes progress with Apple M3, NetBSD userland ported, FreeBSD improves web-based system management |
| • Issue 1160 (2026-02-16): Noid and AgarimOS, command line tips, KDE Linux introduces delta updates, Redox OS hits development milestone, Linux Mint develops a desktop-neutral account manager, sudo developer seeks sponsorship |
| • Issue 1159 (2026-02-09): Sharing files on a network, isolating processes on Linux, LFS to focus on systemd, openSUSE polishes atomic updates, NetBSD not likely to adopt Rust code, COSMIC roadmap |
| • Issue 1158 (2026-02-02): Manjaro 26.0, fastest filesystem, postmarketOS progress report, Xfce begins developing its own Wayland window manager, Bazzite founder interviewed |
| • Issue 1157 (2026-01-26): Setting up a home server, what happened to convergence, malicious software entering the Snap store, postmarketOS automates hardware tests, KDE's login manager works with systemd only |
| • Issue 1156 (2026-01-19): Chimera Linux's new installer, using the DistroWatch Torrent Corner, new package tools for Arch, Haiku improves EFI support, Redcore streamlines branches, Synex introduces install-time ZFS options |
| • Issue 1155 (2026-01-12): MenuetOS, CDE on Sparky, iDeal OS 2025.12.07, recommended flavour of BSD, Debian seeks new Data Protection Team, Ubuntu 25.04 nears its end of life, Google limits Android source code releases, Fedora plans to replace SDDM, Budgie migrates to Wayland |
| • Issue 1154 (2026-01-05): postmarketOS 25.06/25.12, switching to Linux and educational resources, FreeBSD improving laptop support, Unix v4 available for download, new X11 server in development, CachyOS team plans server edtion |
| • Issue 1153 (2025-12-22): Best projects of 2025, is software ever truly finished?, Firefox to adopt AI components, Asahi works on improving the install experience, Mageia presents plans for version 10 |
| • Issue 1152 (2025-12-15): OpenBSD 7.8, filtering websites, Jolla working on a Linux phone, Germany saves money with Linux, Ubuntu to package AMD tools, Fedora demonstrates AI troubleshooting, Haiku packages Go language |
| • Issue 1151 (2025-12-08): FreeBSD 15.0, fun command line tricks, Canonical presents plans for Ubutnu 26.04, SparkyLinux updates CDE packages, Redox OS gets modesetting driver |
| • Issue 1150 (2025-12-01): Gnoppix 25_10, exploring if distributions matter, openSUSE updates tumbleweed's boot loader, Fedora plans better handling of broken packages, Plasma to become Wayland-only, FreeBSD publishes status report |
| • Issue 1149 (2025-11-24): MX Linux 25, why are video drivers special, systemd experiments with musl, Debian Libre Live publishes new media, Xubuntu reviews website hack |
| • Issue 1148 (2025-11-17): Zorin OS 18, deleting a file with an unusual name, NetBSD experiments with sandboxing, postmarketOS unifies its documentation, OpenBSD refines upgrades, Canonical offers 15 years of support for Ubuntu |
| • Issue 1147 (2025-11-10): Fedora 43, the size and stability of the Linux kernel, Debian introducing Rust to APT, Redox ports web engine, Kubuntu website off-line, Mint creates new troubleshooting tools, FreeBSD improves reproducible builds, Flatpak development resumes |
| • Issue 1146 (2025-11-03): StartOS 0.4.0, testing piped commands, Ubuntu Unity seeks help, Canonical offers Ubuntu credentials, Red Hat partners with NVIDIA, SUSE to bundle AI agent with SLE 16 |
| • Issue 1145 (2025-10-27): Linux Mint 7 "LMDE", advice for new Linux users, AlmaLinux to offer Btrfs, KDE launches Plasma 6.5, Fedora accepts contributions written by AI, Ubuntu 25.10 fails to install automatic updates |
| • Issue 1144 (2025-10-20): Kubuntu 25.10, creating and restoring encrypted backups, Fedora team debates AI, FSF plans free software for phones, ReactOS addresses newer drivers, Xubuntu reacts to website attack |
| • Issue 1143 (2025-10-13): openSUSE 16.0 Leap, safest source for new applications, Redox introduces performance improvements, TrueNAS Connect available for testing, Flatpaks do not work on Ubuntu 25.10, Kamarada plans to switch its base, Solus enters new epoch, Frugalware discontinued |
| • Issue 1142 (2025-10-06): Linux Kamarada 15.6, managing ZIP files with SQLite, F-Droid warns of impact of Android lockdown, Alpine moves ahead with merged /usr, Cinnamon gets a redesigned application menu |
| • Issue 1141 (2025-09-29): KDE Linux and GNOME OS, finding mobile flavours of Linux, Murena to offer phones with kill switches, Redox OS running on a smartphone, Artix drops GNOME |
| • Issue 1140 (2025-09-22): NetBSD 10.1, avoiding AI services, AlmaLinux enables CRB repository, Haiku improves disk access performance, Mageia addresses service outage, GNOME 49 released, Linux introduces multikernel support |
| • Issue 1139 (2025-09-15): EasyOS 7.0, Linux and central authority, FreeBSD running Plasma 6 on Wayland, GNOME restores X11 support temporarily, openSUSE dropping BCacheFS in new kernels |
| • Issue 1138 (2025-09-08): Shebang 25.8, LibreELEC 12.2.0, Debian GNU/Hurd 2025, the importance of software updates, AerynOS introduces package sets, postmarketOS encourages patching upstream, openSUSE extends Leap support, Debian refreshes Trixie media |
| • Issue 1137 (2025-09-01): Tribblix 0m37, malware scanners flagging Linux ISO files, KDE introduces first-run setup wizard, CalyxOS plans update prior to infrastructure overhaul, FreeBSD publishes status report |
| • Issue 1136 (2025-08-25): CalyxOS 6.8.20, distros for running containers, Arch Linux website under attack,illumos Cafe launched, CachyOS creates web dashboard for repositories |
| • Issue 1135 (2025-08-18): Debian 13, Proton, WINE, Wayland, and Wayback, Debian GNU/Hurd 2025, KDE gets advanced Liquid Glass, Haiku improves authentication tools |
| • Issue 1134 (2025-08-11): Rhino Linux 2025.3, thoughts on malware in the AUR, Fedora brings hammered websites back on-line, NetBSD reveals features for version 11, Ubuntu swaps some command line tools for 25.10, AlmaLinux improves NVIDIA support |
| • Issue 1133 (2025-08-04): Expirion Linux 6.0, running Plasma on Linux Mint, finding distros which support X11, Debian addresses 22 year old bug, FreeBSD discusses potential issues with pkgbase, CDE ported to OpenBSD, Btrfs corruption bug hitting Fedora users, more malware found in Arch User Repository |
| • Issue 1132 (2025-07-28): deepin 25, wars in the open source community, proposal to have Fedora enable Flathub repository, FreeBSD plans desktop install option, Wayback gets its first release |
| • Issue 1131 (2025-07-21): HeliumOS 10.0, settling on one distro, Mint plans new releases, Arch discovers malware in AUR, Plasma Bigscreen returns, Clear Linux discontinued |
| • Issue 1130 (2025-07-14): openSUSE MicroOS and RefreshOS, sharing aliases between computers, Bazzite makes Bazaar its default Flatpak store, Alpine plans Wayback release, Wayland and X11 benchmarked, Red Hat offers additional developer licenses, openSUSE seeks feedback from ARM users, Ubuntu 24.10 reaches the end of its life |
| • Issue 1129 (2025-07-07): GLF OS Omnislash, the worst Linux distro, Alpine introduces Wayback, Fedora drops plans to stop i686 support, AlmaLinux builds EPEL repository for older CPUs, Ubuntu dropping existing RISC-V device support, Rhino partners with UBports, PCLinuxOS recovering from website outage |
| • Issue 1128 (2025-06-30): AxOS 25.06, AlmaLinux OS 10.0, transferring Flaptak bundles to off-line computers, Ubuntu to boost Intel graphics performance, Fedora considers dropping i686 packages, SDesk switches from SELinux to AppArmor |
| • Issue 1127 (2025-06-23): LastOSLinux 2025-05-25, most unique Linux distro, Haiku stabilises, KDE publishes Plasma 6.4, Arch splits Plasma packages, Slackware infrastructure migrating |
| • Issue 1126 (2025-06-16): SDesk 2025.05.06, renewed interest in Ubuntu Touch, a BASIC device running NetBSD, Ubuntu dropping X11 GNOME session, GNOME increases dependency on systemd, Google holding back Pixel source code, Nitrux changing its desktop, EFF turns 35 |
| • Issue 1125 (2025-06-09): RHEL 10, distributions likely to survive a decade, Murena partners with more hardware makers, GNOME tests its own distro on real hardware, Redox ports GTK and X11, Mint provides fingerprint authentication |
| • Issue 1124 (2025-06-02): Picking up a Pico, tips for protecting privacy, Rhino tests Plasma desktop, Arch installer supports snapshots, new features from UBports, Ubuntu tests monthly snapshots |
| • Issue 1123 (2025-05-26): CRUX 3.8, preventing a laptop from sleeping, FreeBSD improves laptop support, Fedora confirms GNOME X11 session being dropped, HardenedBSD introduces Rust in userland build, KDE developing a virtual machine manager |
| • Issue 1122 (2025-05-19): GoboLinux 017.01, RHEL 10.0 and Debian 12 updates, openSUSE retires YaST, running X11 apps on Wayland |
| • Issue 1121 (2025-05-12): Bluefin 41, custom file manager actions, openSUSE joins End of 10 while dropping Deepin desktop, Fedora offers tips for building atomic distros, Ubuntu considers replacing sudo with sudo-rs |
| • Issue 1120 (2025-05-05): CachyOS 250330, what it means when a distro breaks, Kali updates repository key, Trinity receives an update, UBports tests directory encryption, Gentoo faces losing key infrastructure |
| • Issue 1119 (2025-04-28): Ubuntu MATE 25.04, what is missing from Linux, CachyOS ships OCCT, Debian enters soft freeze, Fedora discusses removing X11 session from GNOME, Murena plans business services, NetBSD on a Wii |
| • Issue 1118 (2025-04-21): Fedora 42, strange characters in Vim, Nitrux introduces new package tools, Fedora extends reproducibility efforts, PINE64 updates multiple devices running Debian |
| • Issue 1117 (2025-04-14): Shebang 25.0, EndeavourOS 2025.03.19, running applications from other distros on the desktop, Debian gets APT upgrade, Mint introduces OEM options for LMDE, postmarketOS packages GNOME 48 and COSMIC, Redox testing USB support |
| • Issue 1116 (2025-04-07): The Sense HAT, Android and mobile operating systems, FreeBSD improves on laptops, openSUSE publishes many new updates, Fedora appoints new Project Leader, UBports testing VoLTE |
| • Issue 1115 (2025-03-31): GrapheneOS 2025, the rise of portable package formats, MidnightBSD and openSUSE experiment with new package management features, Plank dock reborn, key infrastructure projects lose funding, postmarketOS to focus on reliability |
| • Issue 1114 (2025-03-24): Bazzite 41, checking which processes are writing to disk, Rocky unveils new Hardened branch, GNOME 48 released, generating images for the Raspberry Pi |
| • Issue 1113 (2025-03-17): MocaccinoOS 1.8.1, how to contribute to open source, Murena extends on-line installer, Garuda tests COSMIC edition, Ubuntu to replace coreutils with Rust alternatives, Chimera Linux drops RISC-V builds |
| • Issue 1112 (2025-03-10): Solus 4.7, distros which work with Secure Boot, UBports publishes bug fix, postmarketOS considers a new name, Debian running on Android |
| • Full list of all issues |
| Star Labs |
Star Labs - Laptops built for Linux.
View our range including the highly anticipated StarFighter. Available with coreboot open-source firmware and a choice of Ubuntu, elementary, Manjaro and more. Visit Star Labs for information, to buy and get support.
|
| Random Distribution | 
Openfiler
Openfiler was a storage management operating system based on rPath Linux. It was powered by the Linux kernel and open source applications such as Apache, Samba, Linux Volume Management, ext3, Linux NFS and iSCSI enterprise target. Openfiler combines these ubiquitous technologies into a small, easy-to-manage solution fronted by a powerful web-based management interface. Openfiler allows building a Network Attached Storage (NAS) and/or Storage Area Network (SAN) appliance, using industry-standard hardware, in less than 10 minutes of installation time.
Status: Discontinued
|
| TUXEDO |
TUXEDO Computers - Linux Hardware in a tailor made suite
Choose from a wide range of laptops and PCs in various sizes and shapes at TUXEDOComputers.com. Every machine comes pre-installed and ready-to-run with Linux. Full 24 months of warranty and lifetime support included!
Learn more about our full service package and all benefits from buying at TUXEDO.
|
| Star Labs |
Star Labs - Laptops built for Linux.
View our range including the highly anticipated StarFighter. Available with coreboot open-source firmware and a choice of Ubuntu, elementary, Manjaro and more. Visit Star Labs for information, to buy and get support.
|
|
• 
• 
• 
• 
• 
• 
• 
