Universal Blue's security

I just found out about Universal Blue while researching immutable distros and decided to give it a shot, and I really enjoy it! I used to run Qubes on my work machine because I liked the segmentation and security by design, but it didn’t suit my needs with the GPU passthrough issues.

So I’m wondering if Universal Blue is the closest distro to Qubes in terms of security? Are there ideas in mind for further improvement by the users?

There is a spin-off of Universal Blue called SecureBlue (GitHub: secureblue/secureblue, "Hardened Fedora Atomic and Fedora CoreOS images"). They detail what they do differently compared to Universal Blue and might give you a better issue.

There’s not anything UBlue-related that I can think of that runs everything in their own VM, but you do have podman/VM capabilities here.

1 Like

No, our containerized approach is for developer use cases. Container escapes exist, and if you’re looking for more robust security then you’d likely use VMs and some other stuff to set up.

3 Likes

Just curious, what would be an example of a container escape technique?

This is a good overview.

2 Likes