So, I’m currently on Kubuntu and I’m not really a fan. I want to take the opportunity to switch to a better distro. Ideally I’d use secureblue but I’m hoping for advice on how practical it is as a daily driver from the people who’ve used it.
My priorities are:
- Using Linux.
- Using Firefox.
- Security, within reason.
- Using software which treats security with the importance it warrants (If desktop Linux should improve in one area in 2026, it’s security).
My options are:
- Fedora Kinoite
- Fedora KDE with some hardening
- Secureblue
My needs are:
- Browsers: Firefox, Mullvad Browser, a Blink-based browser (backup).
- Extensions: Ublock Origin (Lite or otherwise), Noscript, Proton Pass
- Apps: Freetube, Anki, Discord, Threema, Libreoffice, Mullvad VPN, Kwrite, Kolourpaint
- Sound: Bluetooth headphones, Sound, Printing (Optional)
I’ve stopped using themes, partly because of the security issues and partly because I just don’t really like them anymore. I’ve replaced them with the Plastic window decorations that come default on Kubuntu and a custom colour scheme.
On Firefox:
- I need Firefox because it allows me to create duplicate bookmarks with ease. I manage a lot of things via bookmarks and sometimes they overlap.
- Secureblue has been incompatible with Firefox in the past, but IIRC Firefox recently added support for hardened_malloc. I can’t find where I read this though.
- In terms of the security issues with Firefox, I’ve installed Noscript to prevent untrusted sites from running javascript (especially Wasm). I can swap to a blink-based browser where it requires trusting too many sites.
- Proton Pass … I don’t log directly into it on my computer (only on GrapheneOS) and I don’t have my 2FA keys stored on it. I need it for a Passkey because neither Linux nor GrapheneOS support them natively and my government services’ 2FA codes requires it’s own app which requires the Play Integrity API (bloody Australia). My government services are a very high value target (because Australia).
- I wonder if I really need hardened_malloc in the first place, since with the state of Linux security I’m not sure there’s a reason someone would use a memory vulnerability unless I’m being targeted personally (and nobody’s gonna do that for me).
Security goals:
- I want to make sure the software I install don’t have access to anything they don’t need to.
- I want to make sure that any website I visit won’t be able to access my file system.
- I want to make sure that my browser extensions won’t be able to access my file system.
- I want to use a distro that’s somewhat resilient against supply chain attacks.
- Proximity to upstream for timely security patches.
I recommend Secureblue.
To install Firefox on Secureblue, run
rpm-ostree install firefoxTo install Mullvad VPN, runujust install-vpn, select Mullvad, wait for it to complete, and runrpm-ostree install mullvad-browserFor browsers, you obviously are going to install Mullvad and Firefox, but no need to install a Blink-based browser because it comes with Trivalent (significantly security hardened Chromium). Since Trivalent only supports MV3 you will need uBl Lite and NoScript supports MV3.
I recommend sandboxing your browsers (except Trivalent) using Bubblejail. For Mullvad/Firefox, create a Bubblejail instance using the config app, create a profile, give it access to Wayland, PulseAudio (sound), Pipewire (screenshare), and use slirp4netns, then run
bubblejail generate-desktop-entry INSTANCE_NAME --desktop-entry /usr/share/applications/INSTANCE_NAME.desktop. I recommend adding access to ~/Downloads for the browsers.Consult the FAQ for more tips/tricks and security toggles. Also use the
ujustcommand line utility to configure the system.I’m gonna have to try secureblue and only switch when I find something that doesn’t work. I’m not entirely sure that Firefox works at present.
Trivalent doesn’t support extensions https://secureblue.dev/faq#trivalent-extensions but I only need those extensions on Firefox. My backup browser is mostly for sites that involve online purchases as it’s too much of a hassle with noscript.
Other than that thank you for your advice.
To use Firefox, you need to use
ujust with-standard-malloc firefox(or something like that). It also needs user namespaces (same with Mullvad VPN/Browser), runujust set-unconfined-userns onFollow these steps to make Firefox run with standard malloc:
For Firefox with no sandboxing …
cp /usr/share/applications/firefox.desktop ~/.local/share/applications/firefox.desktopExec=firefoxtoExec=ujust with-standard-malloc firefoxFor Firefox with Bubblejail, assuming you have already created a profile named Firefox and generated the desktop entry. Edit the file
~/.local/share/bubblejail/instances/Firefox/services.tomland add the following snippet:[debug] raw_bwrap_args = [ "--ro-bind", "/dev/null", "/etc/ld.so.preload", ]I was under the impression that a recent Firefox update means it supports hardened_malloc. I haven’t been able to find a clear answer on this though since it’s kind of a fringe issue. Am I to take this to mean it doesn’t? I’m not too keen on running Firefox using the jemalloc.
If I’m using Secureblue I presume there is automatic configuration of the bubblejail if I install it as a Flatpak.
Dont install browsers as Flatpaks, very bad for security. Flatpaks use Bubblewrap, but that isnt the reason they degrade browser security. Bubblejail is an app that makes sandboxing with Bubblewrap easy and didn’t integer with the browser’s own sandbox (unlike Flatpak). I don’t know if Firefox supports hardened_malloc now.
I did some research and I see what you mean. Apparently using the Flatpak of a browser disables the sandboxing between browser tabs. It doesn’t necessarily make my device less secure but it would make my browser less secure. Firefox officially supports it’s Flatpak so it would be good if I could find some sources more reliable than various forum posts but all-well.
I’m iffy on having to manually configure my security but if I’m using Firefox on a distro that does not support it then there’s not much I can do to avoid that.
Thanks for your tips.
You don’t have to sandbox he browser with Bubblejail if you don’t want. I was only suggesting it and providing instructions in case you wanted an extra layer of isolation.
I do want that extra security. But I’m disappointed it can’t be automatic in Secureblue (even though I’d be using it as explicitly not intended).
The browser can’t create unprivileged namespaces because Flatpak blocks access to namespace creation. This DOES interfere with an important method of sandboxing used by browsers on Linux. It makes site isolation weaker, which could allow an attacker from a malicious site to steal information from any open tab, or possibly escape the sandbox. Browser sandboxes are multilayered for a reason, one less layer makes exploitation exponential easier. The Firefox Flatpak is official, but that doesn’t mean it is safe. Flatpak sandboxing is substantially less strong than a browser’s isolation strategy This because Flatpak is a general purpose sandbox mostly meant for making distribution of software easy by providing an identical environment across all Linux distros, not for rigid security. Browser’s provide a more fine grained sandbox that is designed around the threat model that the website is compromised/malicious and is attempting to hack you, since websites are effectively just apps. Don’t use Flatpak’d browsers at all, or the very least not as your default.