Ublue Security

How are the UBlue projects in terms for security, specifically Bluefin? It seems to be targeted towards Mac Developers, however Macs are renowned for their stellar security. Is Bluefin secure enough for Mac Developers to move over their entire workflow, without decreasing their security?

Going to link this Bazzite post I shared previously:

If anything, supply chain attacks are something all of the maintainers should be mindful of to watch out for and find ways to prevent that. As for the end-user, install software that you find trustworthy just like on any other operating system. Opt for software that is open source over proprietary when you can.

Edit: Some of the links in that post need to be updated for the Fedora 41 base and are also specifically for Bazzite… However, since most of the packages are maintained by Fedora maintainers, I feel there is some structure involved at the top, and where we have to worry is the custom packages on top of the images (i.e. the base images and Bluefin-specific packages that get pulled in).

Thank for your detailed response.
I understand the steps that one can take to maximize their security, as often these will be the same across operating systems. However, I was curious if there were anything that the ublue systems do that differ from security vulnerabilities found on traditional linux desktops.

If someone is using a Mac for personal sensitive purposes (like banking or finance), or for enterprise work; would they be able to switch to Bluefin without a decrease in security? I can’t really find any audits or information as to what the security on Bluefin or cloud-native desktops would be.

I’m not an expert on these matters nor do I have a particularly high threat model. I’ve had friends ask me these questions and I don’t really have a strong answer as to how Bluefin’s security stand in comparison to Mac.

these are security-hardened spins of uBlue: GitHub - secureblue/secureblue: Hardened Fedora Atomic and Fedora CoreOS images

it goes into more detail of what they change, so it should also tell you where the base security is for uBlue itself.

2 Likes

Bluefin and its siblings enjoy significant improvement over traditional Linux as they are:

  1. Frequently updated, such that found vulnerabilities are remedied
  2. Image-based, with permissions limiting an attacker’s ability to modify the system or install exploits.
  3. Using containers and Flatpaks for users’ applications, with limited access to the rest of the system.

I’m a pretty paranoid computer user, and have spent a lot of time in counties where I greatly distrust the internet and go to great lengths to encrypt an anonymize my traffic, as well as keeping important data strongly encrypted. I was very pleased indeed to find this family of image based and declarative Linux OSes.

SecureBlue offers a much more hardened Linux environment, with things like immutable Bash shell configurations, etc. Used with judicious encryption of data and secure networking, breaking one of those would be difficult for even a nation-state.

I won’t say a hardened system is impossible to break into, because everything falls sooner or later, given enough time and money. There don’t seem to be pentest reports comparing Bluefin to macOS, so there are no certified results to offer up in here.

2 Likes

Thanks for the run down, and thanks to @calabiYau for linking secureblue, I’ll def be giving it a look!
Good to hear the cloud native systems have as founder foundation to work from. Hopefully one day we’ll have some pentesting results to work from.

1 Like