"Linux is way less secure than Mac" - true or false? (Get your popcorn ready :D)

That is the name of the repo and the amount of metadata pulled in. The google-chrome repo may have been activated by default or as part of “third-party repos”, but that does not mean that chrome is installed automatically.

Refreshing metadata does contact google servers, though, and if you want to avoid that you can disable the repo. (Not saying you should, it’s everyone’s own decision.)

I see, thanks.
I’d be grateful for guidance on disabling that repo please

I apologize for the bad wording

2 Likes

Some things:

Security people often say something does not need to be FOSS to allow Pentesting and Security Analyses.

Looking at the code is an Audit, which is also important but mostly not done even in FOSS. People just expect that this is the case, but I imagine Audits are annoying, people have limited time, and attackers may have more motivations to look at the Code.

Bug Bounty Programs are important here. If an OS has it, it will probably have less Bugs.


We are also mixing privacy and security here. Using any big social media platform on Google Chrome without a VPN registering with your full name is not a security issue (as long as you use a strong and unique password).

It is a huge privacy leak, but not insecure.


To the state of Linux today, I agree that it got way better. But Linux is very customizable, best example here is that

  • ~/.bashrc
  • ~/.local/share/applications/
  • ~/.local/bin

are all writable by the user and (at least the applications) are preferred over the system presets.

Linux has freedom baked in. Freedom to run Code from anywhere, to modify and alias literally any command, and to install and configure a lot.

You can totally break your Desktop, overwrite firefox.desktop with a an Entry loading a Firefox Clone stealing your Passwords (yes, also on Wayland) or modify the sudo command to catch the passwords.

We like that, but systems need to become usable without these huge holes in the security boundaries.


And yes, thats the Google Chrome repo, you can just remove it from /etc/yum.repos.d/

Isn’t this kind of attack situation very hard to achieve (unless user runs voluntarily malware)?

1 Like

The topic of security on any OS is not black or white - it’s a completely grey area that’s always changing, and dependent on software and configuration. In general, it wouldn’t be incorrect to say that Windows, Linux, and macOS have the same overall level of security today… with OpenBSD users sitting in the corner smiling securely at everyone else :wink:

Sorry, missed this among the other posts.

sudo dnf config-manager --disable google-chrome
1 Like

Whilst on the topic of security, I noticed something earlier and thought I’d ask…

I use ethernet rather than wifi (almost exclusively, for stability and speed as much as anything else). I closed the lid on my Yoga laptop yesterday but left the USBC-Ethernet dongle and ethernet connected. When i came to office this morning the flashing data light caught my eye. I kind of assumed there would be no internet trafffic when the machine is in “suspend” (which I assume it is when closed, opening it suggests that’s the case too).

Is there traffic going on when in suspend in Fedora normally?

As yet another IT professional with an alphabet soup of security certifications, and as a grad student with a focus on security and privacy, this is my position too.

20 years ago was the “wild west” where everything was insecure by default. Everything was unauthenticated and in plain text or protected with weak protocols (e.g. WEP, early SSL) using weak primitives (e.g. MD5, RC4). Major operating systems and applications had known vulnerabilities with exploits (that even “script kiddies” could use) proliferating in the wild, and there was no method of automatic updates even when OS and application developers had updates to close those vulnerabilities. The primary method of getting new software was manually downloading an executable (over unencrypted HTTP or FTP) from a website that a user judged to be trustworthy.

I think that what Apple figured out first was that it helped to limit freedom by restricting what users could install or configure and by forcing automatic updates on them. The median user doesn’t know the difference between the Internet and Facebook or Google and their local host OS / applications. They will never seek out and voluntarily install software updates. What’s worse is that some think they know stuff and will do things to their system that are catastrophic if they have the opportunity.

Apple’s approach turned out to be much better for the median user. Microsoft and Google have moved in the same direction with Windows, Android, and ChromeOS with curated application repositories, but even today I think the macOS and iOS user base is much less fractured. There are still a shocking number of systems out there running Windows 7 and even XP. It’s even worse in the Android world because most device makers have only supported something like 24 months of security updates. This is, I believe, where Apple has gained its good reputation for security.

In the year 2024, all of the major desktop operating systems (and, importantly, web browsers) have large teams of smart people looking at and working on this. They all support the latest standards for things like authentication and encryption. Discoveries of gaping security holes are comparatively rare, and updates are pushed out to most users promptly by default.

In the world of rifle marksmanship, people talk about a rifle being able to shoot better than the person shooting it, i.e. the variance of the impact points relative to the actual aim point is tighter than the degree to which the person can hold the aim point steady. I think that same notion applies to modern computing systems. By far, your biggest risk is getting fooled by social engineering and / or going out of your way to bypass good, default security mechanisms. If you’re targeted by someone with sufficient motivation, I think that’s how they’ll get you; it won’t be because you’re using Fedora instead of macOS.

2 Likes

Those activity indicators don’t necessarily mean that any data is being passed beyond the network device itself and into or out of the OS. However, depending on the suspend state that your OS is configured to use and the capabilities of your network device, it (the device) may be listening for a magic packet to support Wake-on-LAN.

Thanks. It has the constant green (I think meaning cable plugged in) and the yellow flashes during data transfer. Never thought of modern stuff like wake on lan, I also never thought it could just be talking to the router rather than the ‘outside world’. Just concerned me a little as I like my devices to do nothing when I am not using them

or just sudo rm /etc/yum.repos.d/google-chrome.repo

This is not a conversation we should be having in 2024. Security is up to the user, not to the OS.

:smiley: I guess it’s time we finally remove SELinux from Fedora and RedHat. So annoying! Let the users get it themselves.

2 Likes

Agree. The greatest security vulnerability for any OS is the user. Be careful where you point your web browser. Don’t click on suspicious looking links.

1 Like

Absolutely, it still be there and anyone interested could just install it and configure it. Now if you talk about remove the package from repositories, then just move to another solution. Let’s stop thinking that users are unintelligent

A web browser should be able to open whatever website appears on the internet, without getting a buffer overflow and causing code exexution on the host OS.

Look into hardened_malloc and Bubblejail! Fedora Firefox should now work with hardened_malloc too, and bubblejail kinda works.

If there is anyone knowing zypak well, I would be very curious on your knowledge. It replaces the Chromium user namespace sandbox for tab isolation.

There is nothing like that on Firefox afaik.

The reason mozilla went to rust is to make this C work around not a required stop gap.

I didnt quite understand your scentence.

Also, it is really cool that Mozilla does a lot with Rust, but what does this have to do with jemalloc?

Jemalloc is written in C entirely and is assumed to be less secure (dont quote me on that) than hardened_malloc, which is also not written in a memory safe language though, as it comes from OpenBSD.

Rust eliminates most C memory problems without the need for special malloc implementations. That is what I am trying to say.

1 Like