• 9 Posts
  • 76 Comments
Joined 3 months ago
Cake day: December 19th, 2024

  • OP, could you please properly vocalize what you actually want/need?

    If you don’t know how, consider at least answering the following:

    • Do you need it to be amnesiac? The very thing that defines Tails*.
    • What’s wrong with Tor? Is your threat model so paranoid that you (somehow) don’t even trust Tor? Or, are you not in favor of its (relatively) low bandwidth? Or, is privacy and/or security not even a thing you seek after to begin with? Or, at least not beyond what your average distro provides already*.
    • What do you intend to do with it? Daily drive it? If so, do you need persistence?
    • What does “Tails without Tor reliance” provide/offer you beyond a LiveUSB from any other distro? Or, rather, what do you hope it will provide/offer you?

    FWIW, I’m afraid we might be dealing with a classic XY problem. Hopefully I’m just mistaken…
  • Not the one you asked, but please allow me to give my take on the matter.

    Do you know if you can still do everything with it? Like atomic already has its own limitations and quirks. I can imagine there are bigger limitations with this.

    Being derived from Fedora Atomic, it already comes with its own set of limitations; like being limited in which kernel mods you can make use of (without reinventing the wheel), or how UKI is unsupported, or how you should probably create your own image if you want to populate /usr. You can’t even install software from any repository; e.g. installing the ProtonVPN RPM has been hit or miss for me.

    And, on top of this, secureblue’s hardening does (strictly) limit this even further. Most impactful, so far, would be the inability to use sudo or anything like it. Instead, run0 is suggested. I’m 100% sure that run0 is better. However, I’ve had at least 1 occasion on which the software doesn’t know how to properly interact in this setting. Ultimately, I’d have to put the blame on the software that doesn’t properly support run0. And, perhaps, you could help address the issue by opening a bug report related to it. But it’s definitely something to keep in mind.

    Finally, note that on first setup you’re walked through the many different additional hardening measures that can be reverted based on your needs. Just be aware of that fact.

    Like can you install driver-level stuff like tablet drivers

    Maybe. Depends on what exactly it is.

    GPU/CPU control

    I have.

    udev rules

    Shouldn’t be a problem either.

    etc… I guess I don’t really know the implications of the extra hardening.

    If you’re interested, I suppose the best course of action would be to find a secondary device of yours and set it up to your heart’s content with secureblue. Whenever you face a roadblock, consider paying a visit to their discord server for support; they’ve been a great help so far. If, at some point, you find something you absolutely can’t do, then you’d have to make up your mind on what you deem more important. Wish ya the best of luck!


  • To add onto what N.E.P.T.R said, it is technically possible to make a custom amalgamation of Bazzite with secureblue’s hardening. However, it would be neither here nor there. Some discussion of it can be found here. IIRC, it was ultimately deemed counter-intuitive, as a gaming distro inherently conflicts with a hardened one.

    Finally, we shouldn’t disregard the technical part of this; it’s IIRC one of the reasons why the Bluefin-variants of secureblue were eventually disbanded. It frequently had a lot of interesting bugs that were simply not present on other secureblue-images. This isn’t on Bluefin either, as the non-hardened edition worked as you’d expect.



  • If you don’t want to stray away from Debian, then I don’t think there’s anything better than PikaOS. It’s like Nobara but based on Debian instead.

    It’s a relatively small distro, community-wise. But it has been around for some time, so I trust its longevity.

    Other than that, as some others have mentioned, Pop!_OS could be an option.

    If you’re willing to stray away from Debian, then a lot of other options become available. But I digress.



  • Depending on how you define immutable distros, you absolutely can.

    For example with Fedora Atomic, which most peeps refer to when talking about immutable distros, you absolutely can do rm -rf /*. At best, it might require you to include the --dont-preserve-root flag (or something like that) to actually start the process. And, arguably, it ain’t as satisfying as doing it on say Arch due to the many error messages. But you’ll end up breaking your system.

    Immutable distros aren’t indestructible by definition. Even a dumb user can break it without ill intent; I know cuz I have done so myself 😅. However, it does offer better protection. Furthermore, there are multiple issue trackers on GitHub that indicate that the developers want to iron out these things and perhaps convert them to features instead. Like, wouldn’t it make sense for an immutable distro to ‘factory-reset’ whenever rm -rf /* is invoked?




  • what does immutable mean?

    Strictly speaking, ‘immutable’ means unchanging. For Linux distros, this means that (at least some part of) the OS is read-only.

    On any distro, you could invoke the chattr +i path/to/file_or_directory command to make a file or directory of your choosing immutable, thus preventing you or anyone else from changing it until the attribute is revoked.

    The so-called ‘immutable’ distros employ this at the OS-level. However, their implementations (and the implications thereof) may vary significantly amongst them, unless they share some ‘heritage’.

    Going over the many different implementations and their implications is out of scope for what this comment intends. Especially as the ‘immutable Linux landscape’ is fast moving, potentially making it outdated by the very next landscape-defining change.