N.E.P.T.R

Sound like exactly what I have been wanting, though i will never use this fork for something so small and without a Flatpak.

You don’t have to sandbox he browser with Bubblejail if you don’t want. I was only suggesting it and providing instructions in case you wanted an extra layer of isolation.

The browser can’t create unprivileged namespaces because Flatpak blocks access to namespace creation. This DOES interfere with an important method of sandboxing used by browsers on Linux. It makes site isolation weaker, which could allow an attacker from a malicious site to steal information from any open tab, or possibly escape the sandbox. Browser sandboxes are multilayered for a reason, one less layer makes exploitation exponential easier. The Firefox Flatpak is official, but that doesn’t mean it is safe. Flatpak sandboxing is substantially less strong than a browser’s isolation strategy This because Flatpak is a general purpose sandbox mostly meant for making distribution of software easy by providing an identical environment across all Linux distros, not for rigid security. Browser’s provide a more fine grained sandbox that is designed around the threat model that the website is compromised/malicious and is attempting to hack you, since websites are effectively just apps. Don’t use Flatpak’d browsers at all, or the very least not as your default.

Dont install browsers as Flatpaks, very bad for security. Flatpaks use Bubblewrap, but that isnt the reason they degrade browser security. Bubblejail is an app that makes sandboxing with Bubblewrap easy and didn’t integer with the browser’s own sandbox (unlike Flatpak). I don’t know if Firefox supports hardened_malloc now.

To use Firefox, you need to use ujust with-standard-malloc firefox (or something like that). It also needs user namespaces (same with Mullvad VPN/Browser), run ujust set-unconfined-userns on

Follow these steps to make Firefox run with standard malloc:

For Firefox with no sandboxing …

• cp /usr/share/applications/firefox.desktop ~/.local/share/applications/firefox.desktop
• Edit the newly created file so any line that starts with Exec=firefox to Exec=ujust with-standard-malloc firefox

For Firefox with Bubblejail, assuming you have already created a profile named Firefox and generated the desktop entry. Edit the file ~/.local/share/bubblejail/instances/Firefox/services.toml and add the following snippet:

[debug]
raw_bwrap_args = [
    "--ro-bind",
    "/dev/null",
    "/etc/ld.so.preload",
    ]

I recommend Secureblue.

To install Firefox on Secureblue, run rpm-ostree install firefox To install Mullvad VPN, run ujust install-vpn, select Mullvad, wait for it to complete, and run rpm-ostree install mullvad-browser

For browsers, you obviously are going to install Mullvad and Firefox, but no need to install a Blink-based browser because it comes with Trivalent (significantly security hardened Chromium). Since Trivalent only supports MV3 you will need uBl Lite and NoScript supports MV3.

I recommend sandboxing your browsers (except Trivalent) using Bubblejail. For Mullvad/Firefox, create a Bubblejail instance using the config app, create a profile, give it access to Wayland, PulseAudio (sound), Pipewire (screenshare), and use slirp4netns, then run bubblejail generate-desktop-entry INSTANCE_NAME --desktop-entry /usr/share/applications/INSTANCE_NAME.desktop. I recommend adding access to ~/Downloads for the browsers.

Consult the FAQ for more tips/tricks and security toggles. Also use the ujust command line utility to configure the system.

Personally my favorite distros that I tried this year are the following:

General:

• Secureblue
• openSUSE Slowroll
• Fedora Workstation

Gaming:

• PikaOS
• CachyOS
• Nobara

I am willing to elaborate on my choices.

I have been liking CachyOS as well. I reluctantly switched from Fedora after I kept getting weird problems (definitely a “my PC” thing, I wish I could upgrade).

Features I like about Cachy:

• Auto-setup of snapper btrfs snapshoting (my fav feature of openSUSE) on all bootloaders (I like the simplicity of limine)
• Gaming ready fork of kernel-hardened, with some changes, including allowing use of unprivileged namespaces (needed by Bubblewrap/Flatpak/Firefox/Chromium to avoid the need of a SUID binary)
• AUR (cus it is Arch)
• Update service which updates from all installed sources (pacman, Flatpak, AUR)

What I wish was different:

• Inclusion of a full system Mandatory Access Control policy (SELinux preferably)
• Compatibility with hardened_malloc (idk why but on Cachy, GTK apps crash because glycin bubblwrap commands fail)

And I dont like GNU even more than systemd lol.

I much prefer the looks and feel of GTK4 libadwaita apps over Qt6. I switched to KDE Plasma after using GNOME for awhile because I wanted to see if I noticed any improvement in stability, I want to theme my apps, and I prefer to avoid extensions (it is a security risk). I still very much miss GNOME with the 3-4 extensions that I installed, it just felt so much more polished, consistent, and free of bugs and broken features (looking at you theme search and desktop animations installer).

My personal reasons for disliking systemd (note: I still use systemd):

• The lead developer of systemd has said multiple times that we should be fine with break POSIX if it means developing faster.
• systemd has massive attack surface, making it easier to exploit and result in privilege escalation. It is a highly complex and large codebase that really shouldnt be given the trust of PID 0
• systemd is not portable or modular.
• It only just barely got musl support. Hope to see it improve in the future.
• systemd is much slower than other inits (eg. dinit, s6, openrc)
• systemd being the go-to init encourages developers to more heavily depend on it, making it difficult for distros without systemd

The biggest feature I like about systemd is run0, though I wish it was a drop in replacement for sudo. Secondly, I do like that services can be sandboxed.

It started as a fork of the now defunct Mandriva Linux. Mageia isn’t a new Linux distro (in age). Otherwise it is just a normal Linux distro from what I can tell.

Valhiem

A browser is a while different beast. Firefox has half as many lines of code as the Linux kernel, just for comparison. Security must be topnotch since the that model is to treat the website as if it is already malicious. Even with all of Firefox’s developers, it lags behind Chromium in sandboxing/isolation and exploit mitigations.

• Most “Open source” LLMs are really just open weights, which is useless without the training data. This dilutes the definition of OSS. There is no way to train the model as a normal person (aka not Google or Meta, etc)
• LLM producers don’t credit the OSS they trained on, no attribution. Most models violate the licenses of all their training data (eg. GPL).
• LLM scraper bots put high stress on server infrastructure, creating a DDOS attack.

Alma is an LTS enterprise distro so gets pretty out of date after some time, and I don’t think it is significantly more bloated than Fedora because AlmaLinux is downstream of Fedora. Just uninstall the apps you don’t want on install. Even better is openSUSE Tumbleweed because the YaST installer allows for you to pick and choose every package (or group of packages) that makes it onto your final system.

What I usually do is sudo chown $USER -R /media/drive1

They specifically asked for a desktop operating system, so I recommended systems with a GUI. Proxmox comes with its own bloat, Arch would be far more minimal without the need for a bunch of dependencies.

If all you want is KVM, than any Linux distro + virt-manager will work perfect. My general recommendations for Linux distros are Fedora and openSUSE, because they are usually pretty up-to-date. Arch is also a good option, though not as stable. Choose KDE Plasma or GNOME when using GPU passthrough (because most guides will be made for either of these DEs).

I can’t tell if you are saying you literally mounted the drive at /media or that you mounted it at a subfolder, example: /media/drive1. The 2nd is the proper way of doing it.

Either way, glad I could help!