Would the security benefits alone justify using Silverblue as a desktop OS?

I’m planning on switching from Windows to Linux and I’m primarily interested in Fedora. However, I’m not sure if I should use Silverblue or the default Fedora Workstation. For some context, this isn’t the first time I’ve used desktop Linux, but I’m still pretty much a “Linux noob” and I’ve primarily only ever done things in the GUI. One concern I had with switching to Linux was security. Given that security for desktop Linux seems to be lacking, I’m looking to get any edge in regards to security so long as it doesn’t have a major negative impact on usability. (Hence why I’m not bothering with more advanced setups/distributions)

I’ve heard that Fedora Silverblue is more secure than the default/traditional Fedora Workstation as you cannot write to the entire system. If that’s the case, then I’m curious as to how much of an improvement to security Silverblue would be compared to Workstation as well as what sort of impact to usability I should expect. From the reviews I’ve seen, everyone seems to agree that Silverblue should be a fine option for noobs who are used to using the GUI as most of the “usability issues” with immutable distributions are mainly problems for intermediate or advanced users who are used to doing things a certain way.

As for applications, I’d probably be able to use most of my applications as Flatpaks, however, one notable exception might be browsers as it seems the Flatpak versions weaken their sandbox. I’m not too sure how difficult it would be to “layer” browsers like Brave or Firefox onto my system or if that would introduce problems down the line if I wanted to add extensions, use different profiles, etc. I’d also be interested in doing some gaming and considering gaming on Linux is sometimes not the easiest experience, I’m not sure if Silverblue would add to the complexity of getting games to work.

Given all that information and context, I’m hoping someone could give me some advice on whether they think Silverblue is right for me or if I should stick to the traditional Workstation. Thanks in advance!

Hello @aviator01,
Fedora was an early adopter of SELinux, which provides some very real security features for the benefit of access (think ACLs). Silverblue is an image which is based on Fedora Workstation and uses the same base, except package management is through rpm-ostree instead of dnf, and the root filesystem access is read-only, except /etc, /var and /home. Both variants can be installed and booted with your BIOS set in secure boot mode, even with LUKS encryption in use. Flatpaks are the primary delivery method of applications for the desktop in Silverblue, but you can layer packages onto your base image and the changes track throughout upgrade cycles. The real benefit of Silverblue and the like is when you update and something breaks, then rolling back to a working system is a command and reboot away.

4 Likes

It would be good if you could share your threat model/vector(s) when raising your concerns. As @jakfrost mentioned, SELinux, plus proper security hygiene (passphrases instead of passwords, encrypted storage, VPN use in public networks, always avoiding non-essential cookies when browsing, etc.) with the software from the distro’s repos or another reputable source, e.g., Flathub, are Good Enough™ security measures for “average/normal user” cases. Silverblue adds one more layer, but there are no 100% safe systems, as every application or library adds more “attack surface”. So another piece of advice: keep only those apps installed which you need; there is no need to have 6 text editors installed permanently :wink:.
Having everything or almost everything I mentioned above will make you way safer than using Windows.

P.S.: Silverblue will add some aspects, e.g., flatpak apps VS base image layering, you have to take that into account. Fedora Workstation gives you more freedom/convenience regarding app installation, but otherwise it is about the same as Silverblue. I choose Silverblue more for laptops and Workstation for desktop PCs.

What @jakfrost said really, security is better relative to regular Workstation but the real pros are a system you cannot break, and the ability to quickly rebase to other OCI-based distros. Currently this is mostly officially limited to Silverblue, Kinoite & Sericea; there are plenty of off-shoots like UBlue and users like myself that maintain their own images.

By pinning your current “deployment” (basically the most recent package transaction) you can trivially jump around to any other distro. Don’t like it? Reboot into your last image.

Just to make sure I’m understanding you correctly, are you saying that the security benefits with Silverblue are relatively minor and therefore shouldn’t be considered a big factor when choosing between Silverblue and Workstation?

I feel I should reiterate the purpose of this post so that I’m more clear. I’m aware that Silverblue provides better stability than Workstation, I’m just particularly curious as to whether Silverblue provides substantial security improvements over Workstation to justify using it, despite any potential limitations I might run into. I also mentioned some use cases (layering browsers, gaming, etc.) just in case someone could identify if Silverblue would provide me with worse usability than Workstation.

If you’re installing an untrustworthy RPM you’d be just as doomed on Silverblue as you would be on Workstation, so maybe the question is more on how comfortable you are administrating your system?

1 Like

I only anticipate avoiding Flatpaks for browsers (such as Brave, Firefox, Mullvad Browser, Tor Browser, Chromium, etc.) though I’m not sure how practical that is.

> so maybe the question is more on how comfortable you are administrating your system?

I don’t mind putting some work in or learning a few new things, but if it takes up a lot of time I think I’d just be better off with Workstation.

1 Like

I have used Workstation for many years and with a modicum of personal caution in the areas noted above (browsing habits, software selections, etc) have never encountered any security problems.

To me the real benefit of any of the ‘immutable’ releases is the ease of recovery by rolling back to the last stable version. The disadvantage is that many apps can only be installed as flatpaks and the user may be restricted (or exposed) by that flatpak itself as to what security issues may pop up.

It does require different management tactics with rpm-ostree versus dnf and plain rpm files.

Yeah you’d be using the same RPMs for those browsers on both silverblue and workstation so likely the same risks on either one.

The same could be said of macOS or Windows. Security is the responsibility of the user, not the operating system. Don’t click on suspicious links or download sketchy stuff and you should be fine.

However, if we start talking about privacy in Fedora as compared to macOS or Windows, that’s an entirely different discussion.

1 Like

Ah… I think I may have misunderstood how Silverblue worked. Would those browsers (or any attacker who is able to compromise them) be able to write to the rest of my filesystem? Because if so, it seems like the security benefit is much smaller in my case considering that I’m probably most likely to be compromised through the browser.

1 Like

I think that having the root file system be read-only is pretty secure, especially if you’re concerned mainly from a browser POV. The sandboxing of Flatpaks is another option for using a browser if it is packaged as a flatpak. The browser security is no different from any OS you choose IMO, and is in most cases quite distinct from security issues with the system. There are ways to harden most any distro; how much usability you are willing to compromise on is what has to be decided. I would be more worried about phishing campaigns than actual attacks through your browser.

As mentioned earlier, the reason I was interested in layering browsers was because it seems that Flatpak weakens the sandboxing of browsers. However, I’m not sure if/how it could be done through rpm-ostree. According to this article, it’s not possible to install the stable release of Brave using rpm-ostree. As for other browsers like Firefox, it also seems to introduce complexities/issues.

If I were to look at things from a security-centric POV, I suppose I could try weighing the benefits of a read-only root vs. browsers with better sandboxing, but I’m not sure how I could even go about doing that. Furthermore, security isn’t the only factor in the bigger picture. While there are clear benefits to Silverblue, it seems like it also introduces complexity in certain ways which are likely to negatively impact the usability of the OS. Considering all of that, I’m leaning towards plain old Workstation. But if anyone has any other thoughts on the subject, I’m happy to hear them so I can make a more informed decision.

Fedora includes Firefox as part of its base image. It works OOTB, no complexities; as usual, non-free media codecs will be an issue. As for layering, it is fully functional, and for instance with rpm-ostree you could actually specify to replace the included FF with Brave if you desired. If there is a Brave Browser package offered in the Fedora repo then it should work with a one-line command to replace.

1 Like

I assumed from the article I read that Brave wasn’t included in the repos, but I guess the only way I could be sure is if I tried it myself.

FWIW that guide seems a bit too pessimistic. For instance:

> While this is also true for Windows and macOS, they are quickly making progress on adopting memory-safe languages—such as Rust and Swift, respectively—while there is no similar effort to rewrite Linux in a memory-safe language like Rust.

In actuality there is an active project

Asahi’s kernel GPU driver is already written in Rust

dnf search brave

Sorry, not in repo …

check this link … https://www.linuxcapable.com/install-brave-browser-on-fedora-linux/

I thought dnf wasn’t used in Silverblue? Or are you suggesting I use something like Toolbox?

No, I am suggesting you replace the command dnf with rpm-ostree in Silverblue to layer it. The only issue is the repo is not Fedora controlled, so updates won’t be in line with Fedora and there may be times when your browser won’t work correctly due to this. If you check the help for rpm-ostree (`rpm-ostree -h`) you will see that you can remove base packages and install desired one(s) with a single command, after the repos are set up. So first you will need to select the repo(s) from Brave’s repo sites that you desire and set them up with ostree …


```
jakfrost ~]$ ostree remote --help
Usage:
  ostree remote [OPTION…] COMMAND

Remote commands that may involve internet access

Builtin "remote" Commands:
  add            Add a remote repository
  delete         Delete a remote repository
  show-url       Show remote repository URL
  list           List remote repository names
  gpg-import     Import GPG keys
  gpg-list-keys  Show remote GPG keys
  add-cookie     Add a cookie to remote
  delete-cookie  Remove one cookie from remote
  list-cookies   Show remote repository cookies
  refs           List remote refs
  summary        Show remote summary

Help Options:
  -h, --help     Show help options

Application Options:
  -v, --verbose  Print debug information during command processing
  --version      Print version information and exit
```

Don’t use the config-manager step, I don’t think there is a need and ostree doesn’t have a corresponding command that is directly applicable. Pretty much any package that you can install with dnf on regular Fedora Workstation you can layer on Silverblue with rpm-ostree. The difference is ostree handles the remote management (repo management).

1 Like
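Added example, not part of the thread or of any project's code: since layered packages and base-package replacements are what make a Silverblue deployment differ from the stock image, this sketch audits them per deployment and lists untouched deployments that remain as rollback targets. It assumes the `deployments`, `booted`, `pinned`, `requested-packages` and `requested-base-removals` keys of `rpm-ostree status --json`; the function names, version strings and sample data are constructed for illustration.

```python
import json

# Constructed sample, trimmed to the keys used below; on a real system the
# input would come from `rpm-ostree status --json`.
SAMPLE_STATUS = """
{"deployments": [
  {"version": "39.0.constructed-b", "booted": true, "pinned": false,
   "requested-packages": ["brave-browser"],
   "requested-base-removals": ["firefox"]},
  {"version": "39.0.constructed-a", "booted": false, "pinned": true,
   "requested-packages": [],
   "requested-base-removals": []}
]}
"""

def audit_deployments(status_json, approved_layers=()):
    """Summarise how each deployment differs from the stock base image."""
    approved = set(approved_layers)
    report = []
    for index, dep in enumerate(json.loads(status_json).get("deployments", [])):
        layered = sorted(dep.get("requested-packages", []))
        report.append({
            "index": index,
            "version": dep.get("version", "unknown"),
            "booted": bool(dep.get("booted")),
            "pinned": bool(dep.get("pinned")),
            "layered": layered,
            "removed_base": sorted(dep.get("requested-base-removals", [])),
            # Layered packages nobody signed off on: each one is extra code
            # (possibly from a non-Fedora repo) added on top of the base image.
            "unapproved": [p for p in layered if p not in approved],
        })
    return report

def clean_fallbacks(report):
    """Indexes of non-booted deployments with no layering or base removals."""
    return [d["index"] for d in report
            if not d["booted"] and not d["layered"] and not d["removed_base"]]

if __name__ == "__main__":
    for dep in audit_deployments(SAMPLE_STATUS, approved_layers=["brave-browser"]):
        print(dep)
```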