How good is secureblue really?

I was looking into this project: how good is the secureblue project?
Is it really a good alternative to Fedora Atomic?

1 Like

I think it’s a matter of personal preference. If you find yourself making similar customizations to a Fedora Atomic Desktop installation, it would probably be easier to use secureblue instead.

There is some stuff like hardened malloc, which is good for security.

1 Like
  • DNSSEC and DNS over TLS for systemd-resolved - very good.

  • Use HTTPS for all RPM mirrors - very good.

  • Network Time Security (NTS) - very good.

  • iVPN, Mullvad VPN, Proton VPN repositories - very good.

  • sysctl Security - very good.

  • USBGuard - pretty good.
    You can also protect USB access via the UEFI BIOS (some mainboards offer this).

  • Chromium-based or Firefox-based browser - not good. With a www browser there is no longer any security. But you can believe in it. 😛

Fedora OS 1 www = this OS goes online; no private data. www browser? Yes
Fedora OS 2 Offline = this OS is forever offline, all your private files are here. www browser? No

Reminder: You have all the rights to protect your data, so do it. Give up! As soon as OS networking is possible, it is vulnerable. And everyone wants your data: companies, government, enemies, mommy, criminals …

And STOP! Stop trying to solve EVERYTHING with a single Fedora installation. You need a minimum of two Fedora OSes (on two laptops or two VMs or two NVMe SSDs).

  • Blacklist numerous unused kernel modules - not good. Only whitelists are real security.
  • Protect against brute force by locking user accounts for 24 hours after 50 failed login attempts - this could be used against yourself.
  • Disable and mask a variety of systemd services by default - this can make your Linux OS dysfunctional.
  • Disable GNOME user extensions - destroys so much fun.

???

  • No Syd (Real Security)
  • No fapolicyd (Real Security)

Are you using a Linux system for security without fapolicyd? Forget it. That won’t work.

  • No pure nftables (Real Security)
    Fedora users eventually don’t need a front-end.
  • No native RPM packages.

Avoid AppImages, Snap, Flatpak if security has a high priority in your life.

1 Like

This is a pretty good list. Let’s “upvote” it.

1 Like

Oh! Thank you!

Syd + fapolicyd + SELinux + nftables + Secure Boot

And I give you a guarantee that your operating system is secure, or rather, this is where your system really starts to become secure.

Most think bubblewrap is top class - no, it is Syd.

Syd as in nspawn? I would suggest firejail as a great per-app sandboxing tool.

1 Like

Are there any examples of desktop applications being sandboxed with Syd?

1 Like