Thanks for considering it! Looking forward to feedback from the community.
“When” is now! I’ve included this in Fedora Strategy 2028: Focus area review (Technology Innovation & Leadership).
As with the others, I’m setting a timer to close this topic in a month.
Here’s my personal thoughts on this… security and privacy are important, and this is an area where Fedora has led before (with SELinux, for example). And looking through the Privacy Guides post, I’m happy to see that we’re doing pretty well in a lot of the areas (and Fedora Workstation and Silverblue are (respectively) their top recommendations for traditional and immutable desktop Linux). I can see the strength in building on this.
On the other hand, increasing security generally comes with a user experience cost. See Should Fedora enforce drive encryption on new installs? for some strong opinions on the downside of default full-disk encryption, for example. Or Network Manager sending regular unencrypted requests? — we could disable that, but then “captive portal” detection wouldn’t work and it’d be hard to get wifi to work at airports and hotels. If we go too far in restrictions, we may push ourselves more into a niche than towards general use.
I’m also unsure we can live up to promises in this area — we generally try, but overall we don’t sharply restrict all of the software we include and in general a lot of it tends to be somewhat … open. I’m not sure how we’d square that with an intentional focus on privacy.
I think we definitely should do some of these things — better Flatpak sandboxing and more secure boot, for example. But I think maybe for the strongest protections we should work with e.g. Qubes downstream, so that people who have the strongest concerns have a good option there — and then we can bring in improvements that make sense.
Having full disk encryption enforced like Pop!_OS, or userspace /home encryption, will give an edge to security and privacy. Obviously it has many concerns, but still, encryption is always good.
I definitely see where you’re coming from in terms of balancing increased privacy and security with user experience and being open for users to be able to use Fedora without trouble. To answer the question of how far should we go, we should figure out the threat model that Fedora is trying to solve for. Put another way, what are the probable threats that Fedora should protect against?
If we understand the threat model that Fedora is trying to protect against, then we know what features and projects we should be handling for our distro and what areas are too advanced for us to be worried about. This helps us to define our limits for this objective and can get us closer to the specific language that we may want to use if we include this objective in Strategy 2028.
I also see your point about leaning on downstream projects to cover our bases. Firefox doesn’t have to worry about the most extreme threat models because the Tor Browser covers those. Likewise we benefit from Qubes OS being downstream from us and being one of the best OSes you can use for the highest threat models in the world.
My counterpoint to that is that the gulf between Fedora and Qubes is too wide. What market of users is Fedora trying to reach? Ideally, the average computer user could use Fedora. Who else is in that market? Windows, macOS, and chromeOS. It is also reasonable to assume that the threat models that those operating systems are protecting against should be the same as what we are trying to protect against. We’re shooting for the same users who have the same things to protect.
In the Linux world, as it stands in the opinion of influential privacy advocates, you can get awesome privacy at the cost of a less secure OS (in their opinion). If that’s not good enough you can jump to Edward Snowden levels of security and use Qubes OS - a Xen hypervisor that runs virtual machines for everything and the kitchen sink. The complexity, hardware requirements, and inconveniences that a user has to get to just to reach the next rung in Linux security are high.
In the face of that gap, what are the alternatives that are recommended? First recommendation is macOS because it’s secure, can be made private enough that security researchers trust it, and comes with tech support from a manufacturing giant. If that’s too expensive, get a Chromebook, which can run as cheaply as $200 and cover any price range before matching that of a MacBook. If you need app compatibility, some privacy advocates might even recommend hardening Windows before considering a jump to Linux on the grounds of better sandboxing, more use of Rust to avoid memory unsafe languages, or other reasons.
Suffice it to say that from a security and privacy perspective, many people would put Linux on the bottom of recommendations, Qubes on top, and macOS as the most accessibly next best alternative. The rest are left to fight among themselves with their pros and cons. I would like to see Fedora competing with macOS in that line up.
Now, there is a practical element to this. Microsoft, Apple, and Google are some of the biggest companies in the world. They have loads of money to pour into the security and privacy of their OSes however they see fit. We do not have the same resources and therefore should not be expected to implement on the same level. I’m probably speaking out of inexperience, but assuming that is true, that does not mean that we should not be trying to implement the same solutions - just that we should manage expectations on how long it will take to make that happen. Even then I wonder whether we can’t surprise ourselves by focusing on this more.
Last thing I’ll mention is the thing I conveniently left out when comparing Fedora to Qubes, and that is Silverblue. Arguably, our immutable variants answer many of the concerns privacy advocates have about Linux. It brings an unchanging core OS, with sandboxing that’s getting better, and with a more secure display server. It sounds like we’re already on our way to solving this problem. Therefore, my preference is to continue this progress by prioritizing security and privacy features rather than resting on our laurels.
Here is Privacy Guides’ article on threat modeling. It comes from the perspective of a user deciding what they need to protect and how far they need to go, but we can also apply this from the perspective of the tool.
Quoting from the article:
To identify what could happen to the things you value and determine from whom you need to protect them, you should answer these five questions:
- What do I want to protect?
- Who do I want to protect it from?
- How likely is it that I will need to protect it?
- How bad are the consequences if I fail?
- How much trouble am I willing to go through to try to prevent potential consequences?
Here’s my first shot at answering these questions. Maybe we can work together on the answers to these questions until we land on an answer that accurately reflects the state of Fedora today and the intentions of Fedora tomorrow.
It’s late now, but I didn’t want to hold up the rest of my thoughts with my threat model analysis, so here is half of what I want to say, lol
Edit: My take on the threat model is further along in this thread.
As a last point that could be where we compromise for those changes and adjustments that we feel are too cumbersome for Workstation, we could have a Lab specifically to give users Fedora with all the security tweaks out of the box. I know that we already have a Security Lab but I don’t know to what extent they already do this. It seems to me like that Lab is more focused on using Fedora for a security job like pentesting (like Kali Linux) rather than providing extra security configs for the user. If not this Lab, maybe another Lab could be made for this purpose and that’s how we cover our bases. Just an idea, but this is too practical for our current stage. Just mentioning it so that we feel that the objective is practical enough to consider adding to the five year plan.
(I work on Privacy Guides)
There is a big difference between a security feature being opt-in versus a security feature being missing entirely though. I will say full disk encryption not being enabled by default is a bit unfortunate, but I think that Microsoft and Apple only get away with it because they push people to use OneDrive and iCloud to backup all their files, so I can see why you couldn’t do that. Suggestions like disabling all unencrypted network requests make no sense really, and even in that case the first reply solved that with two lines of config
On the other hand, many of the missing security features in Linux are not “hidden behind a switch,” they’re missing entirely, either because nobody has tackled those issues yet or by design. To be honest… There are really 3 main things I personally want to see (and they’re the ones I see the most people agree with too), but they’re pretty big things:
- Better verified boot… doesn’t make a lot of sense with traditional Workstation really, but with image-based distros like Silverblue where “the system” is actually a well-defined concept it feels more important. I don’t know if progress is being made on the Has Silverblue achieved Verified Boot? - #3 by siosm front?
- Better Flatpak sandboxing: Also, I don’t think it actually matters how theoretically secure Flatpak can be if unsafe configurations are allowed by default. The issues mentioned on flatkill.org with home are still a thing as far as I’m aware. Users should — at minimum — be warned about something like this when launching these apps.
- Better permission management. This is kind of related to the last point, but the OS needs to be much more proactive on controlling access to sensitive resources. Android and iOS of course do this, and I think macOS is the current gold standard of this on the desktop. Prompting users when an app tries to access sensitive folders like the Desktop or Documents, and requiring explicit configuration changes to let an app obtain full storage access; and prompting users whenever protected resources are accessed are all things that macOS does very well, and I think Linux needs to take it more seriously.
I don’t really know who needs to work on this stuff, Fedora? GNOME? Flatpak? Linux?
I also don’t think user experience costs are a good reason to exclude any security feature entirely. More on that:
This Tor Browser example actually highlights the role I would like Fedora to have when it comes to downstream security distros. Tor Browser really benefits from Mozilla’s work on Firefox for nearly all of its browser-based privacy and security features, because patches like letterboxing, fingerprinting resistance, first-party isolation, etc. were pulled upstream into mainline Firefox, saving Tor developers a lot of hassle when it comes to maintaining their fork. In a perfect world, Fedora could have all of the security features a downstream distro might desire, simply locked behind opt-in preferences when those features would break other functionality.
…And if that is ever the case, then a security-focused Lab would be a great addition to Fedora. As you already noted the current “Security Lab” has this problem, but a Hardened Lab variant would be great. However it isn’t possible to do in Fedora’s current state because the security features we’re looking for aren’t a matter of tweaks you can make, otherwise we’d simply list those tweaks on Privacy Guides in the first place and call it a day like we do with Firefox.
There’s a lot of work to be done to get Fedora on par with macOS security, which is what I think the overall objective should be.
On a semi-related note… Every time I look at Fedora Silverblue I just end up wishing Red Hat had invented snaps instead of Canonical, because containerized desktop and CLI packages with automatic, atomic updates is exactly what I wish Silverblue had, and would bridge the gap between it and Fedora IoT. I almost wish Podman would try and cover Flatpak’s use-cases on desktop, but I don’t think that will happen. With the state of how I see most people use Silverblue right now though (lots of unsandboxed Flatpaks and every single CLI tool inside toolbox), Silverblue kind of feels like the modern version of this classic xkcd.
Thanks for reading my ramblings… Thanks @joseph for letting me know about this thread.
I won’t argue that certain people in the so-called “privacy community” love to check every single box they can without contextualizing things, and have a very black-and-white view of privacy and security lol, but just to be clear I don’t think that hardening by default at the sake of everything else is anyone’s serious objective.
The OP states that “there’s a whole little world of people who go above and beyond their threat models to be as private or secure as they can be as individuals,” but IMHO the security concerns with Linux we mention (on Privacy Guides at least) are things that we believe actually impact real, everyday people. It isn’t “Edward Snowden-level” LARPing to want random apps sandboxed from all of my personal data.
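The “unsafe configurations allowed by default” point above (the flatkill.org home-access case) can be checked on an installed system rather than argued about. This is an added example, not code from the thread or from the Flatpak project: it parses the keyfile that `flatpak info --show-permissions APP` prints and flags the grants that hand an app the user’s data or the host outside the sandbox. The sample permissions are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit the static permissions of a
# Flatpak for grants that defeat the sandbox for user data or the host.
# Input is the keyfile text that `flatpak info --show-permissions APP` prints
# (sections [Context], [Session Bus Policy], ...). POSIX sh + awk only.

audit_flatpak_perms() {
    awk '
    /^\[/ { section = $0; next }                 # remember the current section
    section == "[Context]" && /^filesystems=/ {
        n = split(substr($0, 13), fs, ";")      # strip the "filesystems=" prefix
        for (i = 1; i <= n; i++) {
            f = fs[i]
            if (f == "") continue               # trailing ";" yields an empty field
            base = f
            sub(/:(ro|rw|create)$/, "", base)   # drop the :ro / :rw / :create suffix
            if (base == "home" || base == "host" || base == "host-os" || base == "host-etc")
                print "BROAD " f                # the flatkill.org case: whole home or host
            else if (base ~ /^~?\//)
                print "PATH " f                 # absolute or ~-relative path, review by hand
        }
    }
    section == "[Context]" && /^sockets=/ && /(^|[=;])x11(;|$)/ {
        print "X11"                             # X11 lets any client watch other windows/input
    }
    section == "[Context]" && /^devices=/ && /(^|[=;])all(;|$)/ {
        print "DEVICES all"                     # unrestricted /dev access
    }
    section == "[Session Bus Policy]" && /^org\.freedesktop\.Flatpak=(talk|own)$/ {
        print "SANDBOX_ESCAPE " $0              # the Flatpak service can run host commands
    }
    '
}

# Run the audit across every installed app; needs the flatpak CLI on the host.
audit_installed_flatpaks() {
    flatpak list --app --columns=application | while read -r app; do
        flatpak info --show-permissions "$app" | audit_flatpak_perms | sed "s/^/$app: /"
    done
}

# Constructed sample in the same keyfile format, standing in for a real app.
SAMPLE_PERMS='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=home;xdg-run/pipewire-0;xdg-config/fontconfig:ro;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.freedesktop.Notifications=talk
'

if [ "${1:-}" = "--installed" ]; then
    audit_installed_flatpaks
else
    printf '%s' "$SAMPLE_PERMS" | audit_flatpak_perms
fi
```

Run with `--installed` to audit the apps on a real Fedora box; without it the script reports on the constructed sample (X11, BROAD home, SANDBOX_ESCAPE).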
Thanks for chiming in with your thoughts! The specific priority examples help to narrow down what to focus on. They help to judge if this is something that Fedora can make a dent in.
For the objective and impact, I think we can start with this based on our thoughts:
Objective: Fedora Linux is as secure as macOS.
Impact: Fedora is recommended as the most secure and private OS for average end users.
The technologies that we can influence may be different, but if Fedora can use macOS as example for the kinds of security features we should implement, I think we’d be headed in the right direction. We’d be taking concrete steps that have been taken by another OS. At least it’s been done by someone else.
Now I’ll take a crack at Fedora’s threat model.
What do I want to protect? We want to protect anything that a user might do or store on their computer. That means protecting everything done in applications, everything done on the web in as far as a distro can help with that, and all of the files and user data stored on the device. This could even go as far as watching what happens with metadata, but at that point I’d be talking out of my depth.
Who do I want to protect it from? I think the best way I can divide this up is into three buckets based on Techlore’s video on threat modeling: people, companies, and governments. People represents scammers, hackers, script kiddies, and individual or small group attackers who are trying to gain access to systems. Companies are usually not interested in unauthorized access to computers from a security angle, but they are interested in privacy invasive solutions that leverage their relationship with customers or potential customers to acquire data. Many times they are grabbing way more data than users realize (it’s a whole thing). Governments are literal state or state-sponsored attackers with resources that only other states can afford. They are interested in getting past security AND minimizing the privacy of their targets.
I think that the average user definitely wants a secure computer that keeps the hackers away. Next, if they knew how far companies go to take their data, they would probably want to stop that tracking if it was accessible for them to do so. Lastly, for governments, I think the average user counts that as a lost cause. However, Linux has a sizeable user base that does want their system to be as secure as possible even against governments. Not that I think we can do a whole lot that wouldn’t already be overlapping with the first two threats, but I think that governments should be marked as a nice-to-have wherever we can see a benefit in that area. I’m not sure how much we can realistically do about that.
How likely is it that I will need to protect it? For an individual user, I think a good chunk of that will be determined by how they think about their own digital security. For us as a distro, we have to assume that Fedora machines will be targeted frequently, and if it’s not us, it’s RHEL and RHEL based distros as well. I know that they aren’t doing all of the extra things you need for a personal computer, but I think it still bears consideration. I’m not sure how to measure or quantify this, though. Does Linux get targeted with malware? Yes. How much is enough of a threat to warrant more action on our part? I don’t know.
How bad are the consequences if I fail? Similarly to the previous question, the consequences are a compromised machine that a user may continue to use without knowing they have been compromised. More than just losing access to an account, for which there may be alternatives or support lines, getting your computer hacked could mean getting everything else hacked. It’s a pretty bad game over. As mentioned before, a lot of this depends on the choices made by a user, but we should start them off on the best footing they can have from the OS perspective.
How much trouble am I willing to go through to try to prevent potential consequences? That’s the question, isn’t it? In the face of all the threats users may face, and how important it is to get right, how can we choose anything other than maximum security? Then you run into the conveniences that you lose with security at all costs. As many are fond of saying, the best way to be secure is to turn off the computer and never use it. But that’s not realistic. Every OS and distro does the balancing act whether they like it or not, so how do we decide how far to go?
Maybe this is a model we can start with:
- Identify the user experience expectations of the average user for a given use case.
- Anything that does not negatively impact the user experience expectation should be made as secure as possible. Things like implementing proper sandboxing with flatpak or ironing out bugs in Wayland fall in this category.
- If the security concern is part of the user experience expectation, we should facilitate the more secure option. That can take different forms. One way could be to provide a more secure option alongside the standard option (can’t think of an example). Another could be to make the more secure option easier to do than the least secure one (like not allowing passwords below a certain limit). Yet another could be to reduce the barrier to entry for the security feature as much as possible. The last thing I can think of is to not affect the user experience at all, but at least provide a secure option for something as a way of educating people (like having some kind of backup application installed by default for folks to think about setting that up).
Does this help at all, lol? When I think about all this stuff, here are my three takeaways.
- We should make things more secure in all the places users won’t notice.
- We should make good security recommendations without being annoying.
- We should empower people who want to harden their operating systems to better match their threat models.
And this is the point where my brain starts running out of steam. Hope this can help to think of an objective if the first suggestion doesn’t work.
Better Secure Boot is on the way, as far as I know; with the introduction of the unified kernel approach we can actually have more robust Secure Boot.
Brave New Trusted Boot World: this approach looks into the issues of verified boot and solves them. A good article by systemd lead developer Lennart Poettering.
And now encryption is nice to have, whether it is full disk or /home with systemd-homed.
And Silverblue, I think, already has everything from Secure Boot to the other Fedora Workstation stuff, just immutable.
Better permission management for Flatpak apps is already possible with Flatseal.
Now it is on GNOME to implement it into Settings, like what we recently saw implemented in KDE Plasma 27.
I already have a community post there addressing the same issue: Flatseal in GNOME Settings.
And other Flatpak related stuff needs to be added by Flatpak themselves. Flathub already made a big move and now they have payment support, so we can expect to have apps from other providers, so permissions and other safety need to be defined in a better way.
I did run this thread by some collaborators as well and they didn’t have anything else to add.
This makes sense to me, but I think this will be a contentious topic as-worded. There are many areas where Fedora Linux might be considered more secure than macOS, and vice versa. I really want to see improvements in just a few fundamental design areas… consider:
Objective: Fedora Linux adopts modern OS security models.
Impact: Fedora is recommended as the most secure and private OS for desktop users.
“Modern OS security models” mainly referring to sandboxing, app permissions, system integrity validation, better SELinux policies for desktop (most desktop apps seem to be unconfined, so says ps -Z anyways), and maybe some commitment to memory safe programming languages? And I am aware that many of these things are being worked on in one form or another, but I think that Fedora should commit to making them a first-class, default experience that all app developers are utilizing properly.
…maybe “Fedora Linux adopts mobile OS security models” is more clear, because Android/iOS sort of pioneered these technologies?
Then we can validate this objective against https://discussion.fedoraproject.org/t/fedora-strategy-2028-focus-area-review-guidelines/46888:
- If the Impact is achieved, it’s reasonable to expect an increase in active Fedora contributors.
- Success in the Objective logically results in the intended Impact.
- That link is reasonably sufficient — that is, it represents everything needed to have the Impact.
I think that this Objective addresses most if not all of the security concerns with desktop Linux that are commonly cited when evaluating OS choices, and so completing the Objective should remove any reasonable barriers to recommending Fedora from a privacy and security perspective.
- While there might be other ways to have similar Impact, the chosen Objective is the right one for Fedora right now.
This Objective represents a clear industry trend (outside of the Linux ecosystem) overall. macOS is often cited as a desktop OS which follows security best-practices as described above, Windows is investing a lot of work into similar technologies and Rust for Windows components, and these are already standard on iOS and Android.
I have a feeling that some of these security practices are seen as intrusive on user freedom among some people in the Linux community, but I think that is a misconception stemming from the fact that security features like these have been abused by proprietary platforms in the past to wall-in users. I have total faith that Fedora would be able to steer development towards these security models without infringing on freedom nor compromising on security.
- The wording is precise and clear. The Objective is concrete, and the Impact is (at least a little bit) inspirational. Together, they fit into this Focus Area.
I’ll leave this for you all to decide. I think that this Objective is aligned with Fedora’s Features and First foundations.
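The “most desktop apps seem to be unconfined, so says ps -Z” observation in the post above can be turned into a number. This is an added example, not code from the thread: it summarises the SELinux domains in `ps -eZ` output and reports the share of processes running as unconfined_t; the process listing it ships with is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread): summarise which SELinux domains the
# processes in `ps -eZ` output run in, so the "most desktop apps are
# unconfined" observation can be checked with numbers. POSIX sh + awk only.

selinux_domain_summary() {
    awk '
    NR == 1 { next }                     # skip the LABEL PID TTY TIME CMD header
    {
        split($1, ctx, ":")              # user:role:type:level[:categories]
        type = ctx[3]
        count[type]++
        total++
        if (type == "unconfined_t") unconf = unconf " " $NF   # $NF is CMD
    }
    END {
        for (t in count) printf "%s %d\n", t, count[t]
        printf "unconfined_pct %d\n", (total ? 100 * count["unconfined_t"] / total : 0)
        printf "unconfined_cmds%s\n", unconf
    }' | sort
}

# Percentage of processes in the unconfined_t domain, as a bare integer.
unconfined_pct() {
    selinux_domain_summary | awk '$1 == "unconfined_pct" { print $2 }'
}

# Constructed sample in the `ps -eZ` format (a short desktop session).
SAMPLE_PS='LABEL                               PID TTY          TIME CMD
system_u:system_r:init_t:s0           1 ?        00:00:02 systemd
system_u:system_r:NetworkManager_t:s0 812 ?      00:00:01 NetworkManager
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1401 ? 00:00:05 gnome-shell
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1550 ? 00:00:20 firefox
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1603 ? 00:00:00 bash
'

if [ "${1:-}" = "--live" ]; then
    ps -eZ | selinux_domain_summary     # real system; needs an SELinux-aware ps
else
    printf '%s' "$SAMPLE_PS" | selinux_domain_summary
fi
```

On the sample, three of five processes (the user session: gnome-shell, firefox, bash) run as unconfined_t, so the script reports `unconfined_pct 60`; run it with `--live` on a Fedora desktop to see the real ratio.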
Flatseal is a step forward and I do want to see something like it integrated into GNOME. I think that Flatseal’s permissions aren’t super human-readable though, and IIRC Flatseal allows you to add additional permissions to an app which doesn’t really make sense, but maybe I’m misremembering.
I also want Fedora to be more opinionated about which permissions are considered important, and consult the user accordingly. Take Android for example, which categorizes app permissions into Install-time, Runtime, and Special Permissions.
Part of that does require developer buy-in. Before Google Play had better permission request guidelines for their apps, it was common for Android apps to spam you with requests for every single runtime permission they wanted the first time you opened them, which is not an ideal outcome.
This is the idea sauce, IMO. If we could have something like Flatseal as part of the out of box capabilities of GNOME and KDE, that would go a long way.
@mattdm is there more to discuss for this post? Since it’s categorized as a proposal, I’m not sure if it’s been decided to adopt this into the five year plan or not. If not, it is what it is. I was just wondering if there was more to be done or unanswered questions that are keeping this proposal from being added to Strategy 2028.
I want to think about it more personally… I appreciate everything you’ve put into it.
But really the next step is to bring all of this back to the Council to evaluate and adjust.
I updated the topic title to reflect the updated proposal (and noted that in the post, as well as linking back to the focus area).
I think I may still be a little too cynical on this, but I’m still kind of seeing this as a good idea that we probably should emphasize but which won’t have much impact on the Guiding Star.
When I worked at Harvard I went to a series of security-oriented talks presented by the Center for Research on Computation and Society. These were usually very interesting (and there was a very high-quality catered lunch) and it was open to staff as well as students and faculty. One of these analyzed people’s statements about how much they cared about privacy vs. how much they were willing to sell that privacy for. I don’t remember all the details, but it was something like… 11 cents.
I’m also looking at the pervasiveness of Google Voice and Alexa and all of the rest… I know it’s pretty terrible but yet I bought Google’s latest smart speakers for our kitchen, because they sound good and are relatively cheap (that’s my privacy going for 11¢, I know) and streaming just works.
I think we can do something pretty great for the world by making open source solutions both on the desktop and for IoT that do provide decent privacy. But I don’t think anyone is going to beat a path to our door for it — that is (back to the cynicism) I don’t think that being recommended as the most secure and private OS for average end users will lead to a large number of people following that recommendation.
Maybe I’m wrong, though! Fedora’s security team has largely been focused around making sure we get our CVEs covered, not a lot of proactive work. (You can see from the mailing lists… not much visible activity, no real initiatives.) Maybe something like this would bring people in to contribute and build something. That would have value (and help the Guiding Star) even if the potential userbase largely shrugs.
ooh, name dropping! sorry!
What exactly does Flatseal do and why would I want to install it?
I can’t say I consider this an important issue. I don’t have high regard for security professionals. Some do really important work but they tend to see everything as a critical security bug. I had one contact me recently about my web site. I told them if the critical security bug is remote execution or SQL injection, I’m interested. If it is a cross site scripting bug, they should move on. It was the latter.
I looked at Madaidan’s article. It has some points but overall reads to me like the typical scaremongering. Let’s take his comment about home filesystem access on Flatpak. The solution already exists with the portals I believe. It would effectively be like the app solution for macOS. It’s just not implemented everywhere yet.
I started writing more rebuttals but I don’t think there is high value in that. Suffice it to say I disagree with his assessment. I don’t have good ideas on how to counteract the security professionals.
I think improving our security posture and protecting against more things is a good and noble goal.
That said, just to add 2 related points:
Security isn’t a checkbox. You can’t say “X is secure” and be taken seriously. Security is a process. You identify threats and try and mitigate the ones that are high value and/or easy to do. It needs to be something that you always do as new threats and new mitigations come along all the time.
“as secure as macOS” makes no sense to me. We can’t fully do exactly everything macOS does as they control their hardware. So, if they have say a bunch of code using their “secure enclave”, how do we match that on commodity PC hardware that has no such thing? Also, the trade offs they are willing to do are things we probably would not choose to do. Like say for example: we could require all binaries that run on Fedora systems to be signed by our IMA keys. That would match macOS requiring code signing / notarization. But I don’t think our users would want us controlling what they run on their OS.
So, for a goal here perhaps we should try and have an active security team that identifies/models threats and mitigations and shepherds security related changes through our change process. But that’s also vague I guess, and we don’t have a very active security SIG.
Anyhow, I really like the idea of improving our security posture, but am not sure how to work this into a doable proposal here.
Do I think that users will come in droves due to increased security? No. I think it’s more likely that there are users that are staying away from Linux because they hear that it’s not as secure as Windows and macOS. Even so, I think that the number of people who would consider Linux if the stigma of it being insecure was gone is still low. Or at least low enough to where I can see why we wouldn’t feel the need to include this in the five year plan.
I guess if this isn’t making it into the plan, it would be nice for this to develop into something else. Maybe like an independent initiative or something within Fedora. You mentioned the Security Team not being active outside of covering CVEs, so maybe that’s where this can live on?
Kevin, to your point, maybe a reworked or active Security Team could help to tackle the nuanced approaches that you need from threat modeling through securing individual process and environments?
While Matthew changed the proposal to “be as secure as macOS”, I prefer @jonah’s version, which is:
Maybe a hypothetical reinvigorated team could look at the specific points he brought up as priorities:
My hope with suggesting this security focus was to elevate the importance of security and privacy even more in the project and make sure we make progress in those areas over the next five years (not that we aren’t already watching this space OR leading in security among distros). But if this takes another form, that’s not so bad either.
I personally would love it if Fedora adopted more modern security models. It would be easier for me to recommend it over Windows or macOS if the project adopted many of the security features seen in both of the proprietary operating systems.