The Linux ecosystem is vast and diverse, offering a multitude of distributions to suit every need and preference. With hundreds of distros to choose from, it’s a pity that most are rarely mentioned while the popular ones are constantly being regurgitated.
This thread aims to celebrate this diversity and shine a light on smaller projects with passionate developers. I invite you to pitch your favorite underappreciated distro and share your experiences with those lesser-known Linux distributions that deserve more attention.
While there are no strict rules or banlists, I encourage you to focus on truly niche or exotic distributions rather than the more commonly discussed ones. Consider touching upon what makes your chosen distro unique:
- What features or philosophies set it apart?
- Why do you favor it over other distros, including the popular ones? (Beyond “It just works.”)
- In what situations would you recommend it to others?
Whether it’s a specialized distro for a particular use case or a general-purpose OS with a unique twist, let’s explore the road less traveled in the Linux landscape. Your insights could introduce fellow enthusiasts to their next favorite distribution!
After using Linux regularly for a couple years, I did a Linux From Scratch build just for fun. I found it a really good way to learn all of the key pieces of Linux and understand a little bit better how they all work together.
The way it’s setup, you get a choice to just copy paste commands and learn very little, or read the details and learn a bit more.
I never really used it for anything other than education.
Keeping it up to date and secure is almost prohibitively complicated, but I learned a lot from the process.I just looked at the project for the first time in a long time. It looks like they now have a section to track security vulnerabilities along with suggested changes to address them. Perhaps it could be viable as a distro, but I have no desire to go through the whole process again to try.May as well contribute my own 😜.
I’m an absolute sucker for exquisitely hardened distros. Hence, distros like Qubes OS and Kicksecure have rightfully caught my interest. However, the former’s hardware requirements are too harsh on the devices I currently own. While the latter relies on backports for security updates; which I’m not a fan of. Thankfully, there is also secureblue.
Contrary to the others, secureblue is built on top of an ‘immutable’ and/or atomic base distro; namely Fedora Atomic. By which:
- It’s protected against certain attacks.
- Enables it to benefit from more recent advancements and developments that benefit security without foregoing robustness.
If security is your top priority, Qubes OS is the gold standard. However, secureblue is a decent (albeit inferior) alternative if you prefer current and/or ‘immutable’/atomic distros.
I ran Qubes for a while, really enjoyed the way it integrated windows so I could use MS Office (mandatory job requirement) as apps rather than a VM as I normally do. I realise you can do something similar with Winapps for Linux but to have it baked in was rather nice.
Interesting. Thank you for sharing your experiences! Would you be so kind to elaborate on that experience? Did you like it? Are you still using it? Why or why not? Pros and Cons? Thank you in advance!
Please provide more of your criticisms for Kicksecure
First of all, apologies for delaying this answer.
Disclaimer:
- I’m not an expert. While I try to verify information and only accept it accordingly, I’m still human. Thus, some falsehoods may have slipped through, my memory may have failed me, and/or what’s found below could be based on outdated data.
- Additionally, I should note that I’m a huge nerd when it comes to ‘immutable’ distros. As a result, I’m very much biased towards secureblue, even if Kicksecure were to address all of their ‘issues’.
- Furthermore, for the sake of brevity, I’ve chosen to stick closely to the OOTB experience. At times, I may have diverged with Qubes OS, but Qubes OS is so far ahead of the others that it’s in a league of its own.
- Finally, it’s important to mention that -ultimately- these three systems are Linux’ finest when it comes to security. In a sense, they’re all winners, each with its use cases based on hardware specifications, threat models, and priorities. However, if forced to rank them, I would order them as:
Qubes OS >> secureblue >~ Kicksecure
Context: Answering this question puts me in a genuinely conflicted position 😅. I have immense respect for the Kicksecure project, its maintainers and/or developers. Their contributions have been invaluable, inspiring many others to pursue similar goals. Unsurprisingly, some of their work is also found in secureblue. So, to me, it feels unappreciative and/or ungrateful to criticize them beyond what I’ve already done. However, I will honor your request for the sake of providing a comprehensive and balanced perspective on the project’s current state and potential areas for improvement.
Considerations: It’s important to approach this critique with nuance. Kicksecure has been around for over a decade, and their initial decisions likely made the most sense when they started. However, the Linux ecosystem has changed dramatically over the last few years, causing some of their choices to age less gracefully. Unfortunately, like most similar projects, there’s insufficient manpower to retroactively redo some of their earlier work. Consequently, many current decisions might be made for pragmatic rather than idealistic reasons. Note that the criticisms raised below lean more towards the idealistic side. If resources allowed, I wouldn’t be surprised if the team would love to address these issues. Finally, it’s worth noting that the project has sound justifications for their decisions. It’s simply not all black and white.
With that out of the way, here’s my additional criticism along with comparisons to Qubes OS and secureblue:
- Late adoption of beneficial security technologies:
Being tied to Debian, while sensible in 2012, now presents a major handicap. Kicksecure is often late to adopt new technologies beneficial for security, such as PipeWire and Wayland. While well-tested products are preferred for security-sensitive systems, PulseAudio and X11 have significant exploits that are absent from PipeWire and Wayland by design. In this case, preferring the known threat over the unproven one is questionable.
- Qubes OS: Its superior security model makes direct comparisons difficult. However, FWIW, Qubes OS defaults for its VMs to Debian and Fedora. The latter of which is known to push new technologies and adopt them first.
- secureblue: Based on Fedora Atomic, therefore it also receives these new technologies first.
- Lack of progress towards a stateless[1] system:
Stateless systems improve security by reducing the attack surface and making the system more predictable and easier to verify. They minimize persistent changes, impeding malware’s ability to maintain a foothold and simplifying system recovery after potential compromises. While this is still relatively unexplored territory, NixOS’s impermanence module is a prominent example.
- Qubes OS: There’s a community-driven step-by-step guide for achieving this.
- secureblue: Based on Fedora Atomic, which has prioritized combating state since its inception[2]. Its immutable design inherently constrains state compared to traditional distros, with ongoing development promising further improvements.
- Deprecation of hardened_malloc:
This security feature, found in GrapheneOS, was long championed by Kicksecure for Linux on desktop. However, they’ve recently chosen to deprecate it.
- Qubes OS: Supports VMs with hardened_malloc enabled OOTB, for which Kicksecure used to be a great candidate.
- secureblue: Continues to support hardened_malloc and has innovatively extended its use to flatpaks.
- This paper provides a comprehensive (albeit slightly outdated) exposition on the matter. Note that it covers more than just this topic, so focus on the relevant parts.
- Colin Walters, a key figure behind Fedora CoreOS and Fedora Atomic, has written an excellent blog post discussing ‘state’.
Thank you. Stateless is a good idea, and I would personally like to see faster security updates on Debian (and by extension KickSecure). I haven’t been following them lately so I do not know their reasons for deprecating hardened malloc, I assume there’s an explanation for it.
Thanks for the note
Thank you for the quick reply!
Thank you.
It has been my pleasure 😊!
I haven’t been following them lately so I do not know their reasons for deprecating hardened malloc, I assume there’s an explanation for it.
Pragmatism 😅; at least, that’s how I interpret their justifications.
Thanks for the note
Again. it has been my pleasure 😊!