I first used Linux about 5 years ago (Ubuntu). Since then, I have tried quite a few distros:

Kali Linux (Use as a secondary)

Linux Mint (Used for a while)

Arch Linux (Could not install)

Tails (Use this often)

Qubes OS (Tried it twice, not ready yet)

Fedora (Current main)

For me, it has been incredibly difficult to find a properly privacy oriented Linux distro that also has ease of use. I really enjoy the GNOME desktop environment, and I am most familiar with Debian. My issue with Fedora is the lack of proper sandboxing, and it seems as though Qubes is the only one that really takes care in sandboxing apps.

Apologies if this is the wrong community for this question, I would be happy to move this post somewhere else. I’ve been anonymously viewing this community after the Rexodus, but this is my first time actually creating a post. Thank you!

UPDATE:

Thank you all so much for your feedback! The top recommended distro by far was SecureBlue, an atomic distro, so I will be trying that one. If that doesn’t work, I may try other atomic distros such as Fedora Atomic or Fedora Silverblue (I may have made an error in my understanding of those two, please correct my if I did!). EndeavourOS was also highly recommended, so if I’m not a fan of atomic distros I will be using that. To @leraje@lemmy.blahaj.zone, your suggestion for Linux Mint Debian Edition with GNOME sounds like a dream, so I may use it as a secondary for my laptop. Thank you all again for your help and support, and I hope this helps someone else too!

    • The 8232 Project@lemmy.mlOP
      link
      fedilink
      arrow-up
      10
      arrow-down
      1
      ·
      8 months ago

      That is a very useful tool I overlooked! Thank you!

      How does Arch Linux fair as far as privacy and security? It’s private in that it is minimalistic, but that may also mean it lacks in preinstalled security features.

      • GravitySpoiled@lemmy.ml
        link
        fedilink
        English
        arrow-up
        18
        arrow-down
        3
        ·
        8 months ago

        I recommend endeavouros as an intro to arch. It is arch with an installer and sane defaults.

        Yet if you are looking for a set it and forget it install arch isn’t for you. Arch is for the tinkerer, for the advanced, for the person who spends a lot of time with the computer and wants to read about everything.

        • Telodzrum@lemmy.world
          link
          fedilink
          arrow-up
          10
          arrow-down
          1
          ·
          8 months ago

          This was Arch a decade ago, it’s just not the case anymore. It’s a stable distro that doesn’t require much tinkering and doesn’t break on its own. It’s right next to Fedora, openSUSE, Ubuntu and everyone wise who is stable, but not Debian stable.

          • GravitySpoiled@lemmy.ml
            link
            fedilink
            English
            arrow-up
            7
            arrow-down
            1
            ·
            edit-2
            8 months ago

            I haven’t said that it’s unstable.

            Fedora enables selinux by default. On arch you have to read about what it is, what the alternative is and most importantly you have to keep up to date because otherwise you don’t know about recent advances in the space.

            That is where fedora is excelling at. They implement the newest proven shit with good defaults and you as a user don’t even have to know that it’s there.

            I have also not said that you have to tinker, but that if you like to tinker, then the distro is for you. An atomic distro isn’t a good fit for a tinkerer right now. On arch you can read the differences in the packages. It’s designed to be mode difficult in the first place.

  • Pantherina@feddit.de
    link
    fedilink
    arrow-up
    14
    arrow-down
    1
    ·
    edit-2
    8 months ago

    Look at this

    Fedora is fine, you may want to use secureblue or just plain Fedora Atomic/ ublue as Base.

    But generally using as many flatpaks as possible and least system packages, and managing filesystem permissions like the guy on Fedora Discuss, this should totally fit your needs.

    QubesOS is cool but it tries to solve the problem of insecure software through extreme compartimentalization which is hard to use and extreme on the hardware.

    • The 8232 Project@lemmy.mlOP
      link
      fedilink
      arrow-up
      2
      ·
      8 months ago

      Oddly enough, at the time only having installed a few Linux distros in my life, Qubes OS was very easy to install and ran just fine on my medium-grade hardware. Lots of people mention having problems with it, but I got really lucky it seems. Thanks for your suggestion!

      • Pantherina@feddit.de
        link
        fedilink
        arrow-up
        1
        arrow-down
        1
        ·
        8 months ago

        I would call it a variant, as its 99% fedora with some different packages (hardened malloc, pam authramp, etc.) and continuously deployed changes.

  • PeachMan@lemmy.world
    link
    fedilink
    arrow-up
    12
    arrow-down
    1
    ·
    8 months ago

    What features do you specifically want? You mentioned sandboxing. Anything else?

    I’d say just keep it simple. If you’re comfortable with Debian then stick with that, study up and learn how to harden it. Kali, ParrotOS, Mint, Ubuntu…they’re all just based on Debian with different preinstalled apps and desktop environments. Fedora and Arch are kinda weird and unique, I’m not sure if I’d recommend those for anyone, unless you KNOW that’s what you need. Qubes seems interesting, I’m not familiar with that.

    But I’ll point out that ALL of these distros are miles ahead of Windows in terms of privacy. So just by using Mint for a while, you were already ahead of the curve.

    • The 8232 Project@lemmy.mlOP
      link
      fedilink
      arrow-up
      2
      arrow-down
      1
      ·
      8 months ago

      I could make a list of all the things I would want in a distro as far as privacy, but a lot of them aren’t as important as sandboxing and (obviously) a system that doesn’t actively make your privacy life hell. Other features would be better clipboard management (Tails and Qubes do a great job with that), no obvious gaps in security/privacy, a system that you don’t have to build yourself, etc.

      I think I’ve used Fedora more than I have Mint, but I have been completely Windows free for years now!

  • om1k@sopuli.xyz
    link
    fedilink
    arrow-up
    9
    arrow-down
    1
    ·
    8 months ago

    From what I understand, wayland is better than x11 for privacy bc of the use of portals (the way apps communicate with the system), and flatpak over distro packages for sandboxing (you can also change the permissions yourself with flatseal).

    • Rustmilian@lemmy.world
      link
      fedilink
      English
      arrow-up
      6
      arrow-down
      1
      ·
      edit-2
      8 months ago

      Wayland is more secure/private because it isolates windows/applications from each other preventing things like keyloggers.
      Portals is a permission based way to allow those applications to interact with each other.

  • xorsch@lemmy.ml
    link
    fedilink
    arrow-up
    6
    arrow-down
    1
    ·
    8 months ago

    If you would experimentate can try Alpine linux is a security-oriented, lightweight Linux distribution based on musl libc and busybox.

    At least that says about itself.

    However, I have never installed it

    • The 8232 Project@lemmy.mlOP
      link
      fedilink
      arrow-up
      2
      ·
      8 months ago

      I believe I may have live booted it once (when I needed to perform an action that live booting with Ubuntu couldn’t do), and I really enjoyed the look and feel of it for the short time I used it.

      Or it was a different one, but let’s just assume it was Alpine ;)

    • leanleft@lemmy.ml
      link
      fedilink
      English
      arrow-up
      1
      ·
      8 months ago

      not as much of a security distro as u would assume. but its the closest thing in linux.

    • The 8232 Project@lemmy.mlOP
      link
      fedilink
      arrow-up
      3
      arrow-down
      1
      ·
      edit-2
      8 months ago

      No telemetry and good sandboxing by default are the main two things I am looking for in terms of privacy. As GravitySpoiled has mentioned, Arch isn’t an “install and forget about it” distro, which is another thing I would look for if it were to be my main OS. If you have any suggestions based on that, please let me know!

    • The 8232 Project@lemmy.mlOP
      link
      fedilink
      arrow-up
      3
      arrow-down
      1
      ·
      edit-2
      8 months ago

      It’s been on my to-do list for a while to try. Thank you!

      Edit: I think it may be applicable to mention that I have reinstalled Kali 3 times. The first time it broke after an update. The second time is when I learned what a desktop environment was. The third time was when I discovered why seperating /home, /etc, and so on into different partitions is bad if you don’t know what you’re doing. The installer for the third time was repeatedly broken (apps wouldn’t open!), but the netinstaller resolved the issue.

      • Rustmilian@lemmy.world
        link
        fedilink
        English
        arrow-up
        6
        arrow-down
        1
        ·
        edit-2
        8 months ago

        I discovered why seperating /home, /etc, and so on into different partitions is bad if you don’t know what you’re doing.

        You should really only be separating /home from / , there’s not much benefit to separating anything else onto a separate partition.
        You separate /home onto a separate partition to protect your user data in cases of the system crapping out on you, or if you’re to migrate to a different distro.

  • GravitySpoiled@lemmy.ml
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    1
    ·
    8 months ago

    What proper sandboying in fedora are you missing? Fedora is very advanced in that regard compared to most other distros.

    Traditional Fedora and especially atomic distros are very good for this, see other comments as well recommending ublue.

    • The 8232 Project@lemmy.mlOP
      link
      fedilink
      arrow-up
      2
      arrow-down
      1
      ·
      8 months ago

      I had installed an app (flatpak) that required the use of my microphone. I knew I had disabled microphone permissions globally in settings, so I went into settings and turned microphone access on. The app successfully used my microphone, but the issue is it doesn’t show up as an app that requested microphone permissions in settings. Further reading showed that sandboxed apps are forced to request microphone access, but unsandboxed apps can freely use the microphone. This led me to believe that the flatpaks I had been installing were not sandboxed. I could be wrong, so some insight would be much appreciated!

        • loganb@lemmy.world
          link
          fedilink
          arrow-up
          6
          arrow-down
          1
          ·
          8 months ago

          To add on to this, if you are using flatpak apps and want granular permission control, check out flatseal. Fedora (IMO) has one of the best flatpak integrations out of the box. Other “sandboxing” or containerized app deployments are snaps (made by Canonical), and appimage (I’m not entirely sure this qualifies as an app container).

          From my experience, flatpaks is currently leading in adoption when compared to the other two.

            • loganb@lemmy.world
              link
              fedilink
              arrow-up
              0
              arrow-down
              1
              ·
              8 months ago

              Thanks! Flatpak-KCM is perfect as I’m thinking I’ll move to fedora KDE in a couple days when f40 drops. I’m hoping that the Wayland experience on NVIDIA GPUs will be smoother there than on GNOME.

          • The 8232 Project@lemmy.mlOP
            link
            fedilink
            arrow-up
            1
            arrow-down
            1
            ·
            8 months ago

            There is something almost identical in the settings app, is it different from that? Also, is there a way I can check which apps are/aren’t sandboxed? Thank you!

              • The 8232 Project@lemmy.mlOP
                link
                fedilink
                arrow-up
                3
                arrow-down
                1
                ·
                8 months ago

                I looked into flatseal, and I am incredibly happy with it, it instantly made me feel much better about my digital hygiene. As for GNOME flatpak settings, there are some toggles, but only minimal (notifications, background, etc.)

                @loganb@lemmy.world, that has to be one of the most helpful suggestions for an app I’ve received since I first used Linux. Truly, thank you!

                • Rustmilian@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  arrow-down
                  1
                  ·
                  edit-2
                  8 months ago

                  Gnome really needs to start getting on this stuff; I’ve been disappointed in the way Gnome handles implementing new things and their tendency of going the “#QuirkyGirl” route instead of getting the shit implemented in a cross-distro way like everyone else.
                  For example the XDG-Desktop-Portal accent color protocol where Gnome devs were actively against it and required a lot of push back from the community.

    • The 8232 Project@lemmy.mlOP
      link
      fedilink
      arrow-up
      3
      arrow-down
      1
      ·
      8 months ago

      (From the repo):

      "The following are not in scope for this project:

      Anything related to increasing "privacy", especially when at odds with improving security"
      

      It’s a bit of a vague claim, since privacy encompasses many things (e.g. encryption could be considered a privacy tool). I may look into it though!

      • Rustmilian@lemmy.world
        link
        fedilink
        English
        arrow-up
        5
        arrow-down
        1
        ·
        edit-2
        8 months ago

        As far as privacy goes, it’s nothing you can’t change up later, they just don’t focus specifically on privacy, that’s why they use chromium instead of a privacy oriented Chromium/FireFox fork or something like Tor. It’s already quiet private as is; more so than most distros; just not so much as privacy specialized tools like TailsOS.
        But for security it implements some things that are pretty difficult and time consuming to do yourself.
        It’s a really good base to start with, and only take a few small steps to lock down the privacy aspect.
        It’s a really good option if you’re not ready for a QubesOS workflow, and still want the most security you can out of a somewhat* traditional workflow.

          • Rustmilian@lemmy.world
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            1
            ·
            edit-2
            8 months ago

            Maybe a bit more compared to other distros, but the whole VM “profiles” workflow is essentially solely unique to QubesOS. I’d recommend learning a bit more about KVMs and Reading up on the QubesOS docs.

            • The 8232 Project@lemmy.mlOP
              link
              fedilink
              arrow-up
              3
              arrow-down
              1
              ·
              8 months ago

              If Tails wasn’t amnesiac and implemented strong sandboxing, it would be perfect for me. Whonix has been (very, VERY) slowly developing their own independent ISO, which I will be quick to try when (after an eternity) it releases to the public.

  • Kory@lemmy.ml
    link
    fedilink
    arrow-up
    4
    arrow-down
    2
    ·
    8 months ago

    Yay for the first post!

    I cannot comment on the topic but I’m wondering if you would get more insights from the folks in the !linux@lemmy.ml community. Maybe wanna crosspost?