Latest versions of Bazzite bork Portmaster

Just a heads up that the latest versions of Bazzite (stable or testing) seem to bork Portmaster (as installed via the script).

It happens whether using the stable branch of Portmaster, or beta.

Basically the service can’t start, so the icon shows a red light instead of green, and the GUI can’t be loaded. If you try to bring up the GUI, it starts to, but then an error comes up and says: “Unknown error: exit status: 3 output=activating”

If you shut down the service, and reinstall Portmaster via the script, it will load the service and the GUI and seem to work normally. If you reboot, it’s borked again.

If you rebase to an earlier version of Bazzite (I rebased to 3/17 stable as an example), Portmaster is still borked until you reinstall it. This time after you reinstall it, and restart the system, it stays working.

I assume that the reason is due to some permissions change in the latest updates, but I’m not sure.

Thanks for the heads up, sporadic Portmaster user here (it’s useful as it is the most convenient encrypted DNS changer on Linux - plus blocks other background stuff I don’t want too).

On a related note, is it possible to bake this into an image instead? I have my image builder repo, if there could be any errors, I’d rather shift the risk there than on my local machine.

I’d just try their RPM, add it to your build process and see how it runs on the image. Or is there other magical stuff in that script? You could also just copy the script into your build process and see how far along it gets then go from there.

Can you please mention which version of Bazzite, as I’m a Portmaster user and currently I have no issues. I’m on Bazzite 41.20250325 (2025-03-25T21:15:49Z).
And I see that Bazzite’s latest stable release was 2 days ago, 41.20250325, which I’m on with no issue. And I just rebooted.

In case people need it, there is a way to avoid automatic updates:
ujust toggle-updates

PS: has this issue been shared in a GitHub issue?

Greetings, the main issue (from what I understand) is that Portmaster does not work correctly with read-only file systems (Bazzite/Kinoite/Silverblue, etc.). Portmaster normally writes files to certain system folders/directories during installation… which is where the workaround script comes in to ensure the necessary files/folders are written elsewhere.

I love what you guys are doing with Bazzite, it is both solid and stable. However, connection security auditing is a sticking point. Getting Portmaster to work correctly would be the big ‘YES’ moment for me to switch to Bazzite. I’m sure this applies to more people than just me. I know it is a big ask, but please work with the good folks at Safing/IVPN to get things working properly, it will be good for everyone. What you can easily audit is trustworthy. I want Bazzite to be the trustworthy OS for everything, not just the gaming OS.

Have a good day!
P.S. and yes I created this account to send this message, because security is top of mind these days.

I feel like this is a little out of scope for Aurora, Bazzite, and Bluefin. You may want to inquire with Portmaster support with secureblue since best security practices are the main and total focus on that image.

The Universal Blue end-user images are intended to be a good mix of security without too many compromises made for everyday users and popular applications, but it’s not the total absolute focus like secureblue.

I’m referencing the same build (3/25) when mentioning the latest versions of Bazzite. I now have it working on 3/25 as well. I sounded the alarm because I have had no issues whatsoever with Portmaster for almost a full year, and I always update to the latest versions of Bazzite immediately, so it was very notable that it just suddenly stopped working. After a series of reinstalling / uninstalling via different means, I now have it working again via the original script, which was not working when I initially tried it after the failure. So, I’m not sure how it’s working at this point.

I tried the following:

Installing it via BoxBuddy Fedora 41 container (initial success, but when I tried to update to the Portmaster beta channel it broke it - and would not subsequently work after that, even after uninstallation / reinstallation)

Installing it via RPM-Ostree. This didn’t work at all even though installation seemed successful.

Reinstalling it via the script. Again, initially this didn’t work, but now all of a sudden it does (shrugs). It has survived reboots, and so I’m just going to not touch it at all :slight_smile:

So, for me this is a one and done sort of thing… everything else with Bazzite is fine for me :+1:. This would be the final nail in the coffin for Windows, as Portmaster allows me to easily manage DNS, inspect connections from all software packages, block bad domains and bad connections. That means even if a flatpak is not verified on Flathub, I can see and manage what it does, with or without Flatseal (I have seen situations where the KDE permissions system unfortunately does not appropriately sandbox Flathub apps).

Secureblue is doing something interesting; however, what they are working on will probably come closer to a custom kernel by the end of it, and that is not what I am looking for. Portmaster is supported on Windows, Ubuntu, and Fedora, so there should be a way to get it working more normally on atomic without causing too much mayhem (I hope).

For the folks at Portmaster, atm they too are of the opinion that immutable/atomic distros are ‘out of scope’. I hope this will change. As we all know, NMP (Not My Problem) :sweat_smile: won’t grow the user base of Linux; everyone benefits long term with more software support and security transparency.

I would love to have a more in depth discussion some time in the future. For now I just wanted to suggest opening that dialogue to see what is possible. Thank you for reading.