

You can technically buy a Chromebook instead. Apparently they kick up a real fuss if you try to install your own OS on it though, not that I’ve tried.


Except they only help you with the install IIRC, so basically useless.


I do want that extra security. But I’m disappointed it can’t be automatic in Secureblue (even though I’d be using it as explicitly not intended).


I did some research and I see what you mean. Apparently using the Flatpak of a browser disables the sandboxing between browser tabs. It doesn’t necessarily make my device less secure but it would make my browser less secure. Firefox officially supports its Flatpak so it would be good if I could find some sources more reliable than various forum posts, but oh well.
I’m iffy on having to manually configure my security but if I’m using Firefox on a distro that does not support it then there’s not much I can do to avoid that.
Thanks for your tips.


I ain’t sweaty enough to Arch. I run CachyOS on my desktop but I want my laptop to be more secure in which case Arch would be my only option. Overall Fedora (and its derivatives) are the only distros that meet my expectations for a distro.


In terms of gripes there’s:
I’m pretty sure there was another big issue I had. But it’s not coming to mind immediately. I’ve heard a lot of complaints about Ubuntu and I think I ran into something like that but it wasn’t that important to me personally so it slipped my mind.


I was under the impression that a recent Firefox update means it supports hardened_malloc. I haven’t been able to find a clear answer on this though since it’s kind of a fringe issue. Am I to take this to mean it doesn’t? I’m not too keen on running Firefox using the jemalloc.
If I’m using Secureblue I presume there is automatic configuration of the bubblejail if I install it as a Flatpak.


I’ve never used a Flatpak-first distro, but customization and performance are not high on my priorities.


It’s Linux VMs running inside a Xen Hypervisor. I want security but I also want to run Linux proper. I’m not exactly giving a good explanation here but basically I don’t really want to use Qubes.


I had a bad experience with OpenSUSE in the past. I’m also nostalgic for that time (mainly because of the colour scheme I had on KDE at the time) but at the moment I want to try Fedora or Secureblue.


Basically what I’ve learnt with this thread is the same thing anyone learns when asking which distro to pick, “it doesn’t matter, just pick one”.


That seems to be the case, since I can’t find my original source. I remembered them saying something along the lines of “KDE doesn’t have a thumbnailer sandbox, GNOME has one albeit weak, so you should use GNOME” but I can’t find that source anywhere so maybe I imagined the entire thing.
Either way I’ll disable the thumbnails on everything but images just because I don’t really need them and if anything having PDFs generate thumbnails like images do just makes my downloads folder more confusing to navigate.


I’m gonna have to try secureblue and only switch when I find something that doesn’t work. I’m not entirely sure that Firefox works at present.
Trivalent doesn’t support extensions https://secureblue.dev/faq#trivalent-extensions but I only need those extensions on Firefox. My backup browser is mostly for sites that involve online purchases as it’s too much of a hassle with noscript.
Other than that thank you for your advice.


I wouldn’t know. I’m coming here with worries, not facts.


Please ignore the entire cybersecurity hype news cycle about images being used to spread malware.
I’ve heard of thumbnails being used to deliver malware. Specifically the idea that “thumbnailers” are JavaScript code included in the file that will run in order to generate a thumbnail and they have the potential to deliver malware. After an arduous search I found this article https://thehackernews.com/2017/07/linux-gnome-vulnerability.html suggesting a vulnerability in the thumbnail generator for Windows executables on GNOME allowed it to be used to deliver malware because the file name contained code that was executed by the thumbnailer. I’m still entirely unclear about what a thumbnailer even is (whether it’s local or remote code) or what my original source was. For now I’ll just turn off thumbnails for all but images and hope that counts as adequate security.


Secureblue isn’t immutable though.


The idea of disabling sudo was that malware would try to use sudo and fail (plus Secureblue’s endorsement). But now that I think about it malware probably wouldn’t keylog my password and use systemd anyway, but instead use something less tedious and less distro-dependent like a privilege escalation attack. I’m wondering though, are you saying that you think run0 is more vulnerable, or that it shares a massive attack surface with sudo?
I guess the value of browser escape vulnerabilities explains why I’ve never gotten any malware despite my risky web browsing. Though browser extensions still pose a risk and being a Firefox user I suspect that such value is low enough to use for run-of-the-mill malware (though probably just for Windows). I’ve heard a fair few times about thumbnailer attacks, but no real detail from KDE about what if any mitigations they have in place.


By Sandbox I mean that the apps I install should only have access to the files in a dedicated directory. Mullvad seems to do this on Kubuntu, there’s a .mullvad-browser folder in my home directory and whenever I try to upload or download an image using it I find myself unable to navigate away and instead need to use my file manager to do so.
I’m not really interested in QubesOS. As above my first priority is running Linux and while the virtualization in QubesOS interests me it’s not an operating system I want to use.
I heard the pulseaudio thing from this source https://profincognito.me/blog/security/browser-engine-security-comparison/ although it was uncited so it may be BS.


QubesOS isn’t quite Linux and I’m not quite a fan of its structure. If I were just running my browser in a VM though that would work.
There are plenty of reasons why themes are bad. They’re a security risk when downloaded from the internet, they’re often not updated alongside the desktop environment causing bugs, and maintaining support for themes is difficult.
But what GNOME does is eliminate choice, not themes.