(Just tagged any group that seemed applicable, feel free to change)
Introduction
Security is a complicated, complex and ever-changing topic.
It involves tons of mechanisms like restricted access controls, package testing, secure build environments, vulnerability reaction speed, implementation of secure new technologies, … (and I recently learned also package maintenance)
It is also a balance between “being unusable, so people turn it off” and “being too weak”. @dwalsh
Context
Fedora has its principles
- Freedom
- Friends
- Features
- First
Keeping those 4, you can argue that it is not only Freedom or First, but this always involves checks, adaptions and changes to guarantee its security.
For example, staying close to upstream, but adding kernel hardening, Firefox hardening etc.
Current state
Apart from the image we may have (“of course Fedora is a secure distro”), what do external people really think?
Search results
When searching for “Fedora Linux Security” I find:
- The Security Lab (Which is for pentesting and analysis, not a “most secure Fedora Workstation”. The name is okay, but leads to this issue.)
- Wiki: Security features overview (in some subchapter on DuckDuckGo, last edit 2022, but very useful)
- That links to Security Basics which is a draft, and last edited 2016
- That also links to SELinux wiki, the latest Fedora version with documentation linked is F22
- Somewhere hidden in the docs, I find it hard to find: SELinux starting guide by @pboy
- “do your updates” (nice and easy, but applies to all distros)
- A random Discourse post
- xz vulnerability
- Fido2 guide
- The “Fedora Security Matrix” which stops at F34 and RHEL8
- awesome Fedora security by @34N0 (a list of mostly third party components, scripts and projects)
So, there is a lot of really great documentation out there, but it is all over the place, sometimes outdated, etc. This is the rough order I found it, even though some things should be listed further up.
“Distro comparisons”
When searching for “Ubuntu vs. Fedora”, some don’t mention Security. This strange site mentions Canonical’s “security updates” multiple times. This one is way better, noting how unhardened Ubuntu’s defaults are, but using the word “paranoid”.
This one is a bit unspecific, but has a point.
Despite its focus on new technology, Fedora is also known for its stability and security. It is designed to be a reliable and secure platform for developers, system administrators, and enthusiasts.
[…]
[…] making it easy to keep the operating system up to date with the latest features and security patches.
[…]
Ubuntu’s popularity makes it a common target for cyberattacks, while Fedora’s smaller user base may make it less attractive to hackers.
Many more don’t mention security at all.
Suggestion
I think it would be great to
- integrate the documentation of at least big, architectural security implementations in Fedora into the workflows
- put this somewhere visible. People need to be easily able to say “Fedora is a fresh, friendly and secure Distro. Security does not need to be obscure or unusable.”. This could be in Fedora Magazine, Fedora Wiki or the website.
- strengthen the image of Fedora as a security-oriented Distribution for up-to-date, (but not yet stable) enterprise grade software.
This is not specifically about “Fedora/ Fedora Flatpaks/ Fedora Containers vs. X”. Keeping track of “the competition” is out of scope. But documenting the specific traits of this project can help build such a conclusion.
I also imagine that keeping documentation up to date is a big task. But the things I found are already great!
- update them
- put them somewhere visible (maybe a Fedora Magazine post, linking to these pages)
This is just a brainstorm post, what do you think about this?