N.E.P.T.R

Nah I did too.

I have no experience with this project. I will check it out.

Are you on the userns image? Because podman/docker/toolbox/distrobox all require unprivileged user namespaces.

I also experience with Secureblue, so here are my answers:

• I used GNOME because it is the only DE that protects the screen copy API. I used GNOME extensions because native methods of customizing UI/UX are very limited.
• I personally re-enabl Xwayland because many apps (eg Steam) still use/require XOrg.
• Yes I recommend use and recommend Bubblejail as a simple way of sandboxing some apps. Not a “super tight” but much better than unsandboxed. FYI, AppImages don’t work with Bubblejail, or Secureblue (cus they remove the unmaintained FUSE dependency).

Fingerprinting is a complex beast and nearly impossible protect against. RFP (created and upstreamed by Tor Browser) protects and normalizes most fingerprintable metrics (timezone, display viewport dimensions, user agent, audio devices, installed system languages/fonts, etc) to a stable value for each Firefox version. Canvas is the only metric which is randomized. The purpose of this is to create a shared stable browser fingerprint for all RFP users, creating a crowd for people to blend in with each other.

While RFP is strong, its anti-fingerprinting strategy was created for Tor Browser, which users are not supposed to customize. The same can not be expected of all other Firefox users, resulting in most users being much easier to distinguish from each other. RFP also can cause some site breakage and doesnt offer a granular way to toggle specific features per website (eg. Canvas protections breaks your webcam in conference calls).

There is no good solution. Best options are use Firefox (or a fork like Librewolf) for casual use, and Mullvad/Tor Browser for more critical situations. Always use uBlock Origin (except with Tor).

On the Chromium-side, Cromite and Brave randomize some fingerprintable metrics, but they aren’t as exhaustive and aren’t upstreamed to Chromium (for obvious reasons).

Online tests of uniqueness are skewed by the population who uses them, aka privacy-conscious aren’t the typical user even if a dataset overrepresents.

My point was introducing Canvas noise isnt going to make you less fingerprintable, actually quite the opposite. Firefox’s RFP is much better at normalizing fingerprintable metrics and is native. Canvas is one of many many other fingerprinting vectors.

If you go the route of trying to protect against fingerprinting through randomization, use the extension JShelter which seems to do much more noise than Canvas blocker does. I am still very skeptical of it (and other anti-fingerprinting extensions) because of how complex fingerprinting is.

Not an exhaustive solution which results in easier unique fingerprinting. Plus Firefox already randomizes Canvas noise with both FPP or RFP modes (FPP is default).

What laptop?

Only use it if you (can) read the the Flatpak manifest and make sure its safe. Clone the repo and build it yourself locally if you trust the code but want to recheck each update.

Because that is the only way official to install the Proton VPN app on Fedora systems??

If you are willing to set it up, yes try it.

Yes

PCs aren’t secure. Linux default isnt secure. Kali has so many apps/tools installed by default that it isnt comparable to default Linux. It has massive attack surface and no security design, therefore calling it secure isn’t accurate.

If no effort was put into the security design of an OS, why call it secure?

What do you mean secure by design? What part of it is secure. Compare it to actually security focused Linux operating systems like QubesOS, Kicksecure, or Secureblue. Literally any OS that supports the Brace tool (made by the creator of DivestOS) is much more secure than Kali Linux. Kali is purpose built for red team work, not being secure (aka reducing attack surface or designing around a threat model).

It isn’t a secure operating system. It is a toolkit for pen testing and red team hackers. Definitely not a daily driver kind of OS.

For good out-of-the-box nvidia support, I recommend Bazzite.

For nvidia hardware, use nvidia images of Aurora/Bluefin (or Bazzite if you want gaming out of the box). All the OSes I mentioned are based on Fedora Atomic and offer image options for nvidia proprietary drivers. They even signing the kernel drivers, so you can use Secure Boot.

I recommend GNOME from a purely security perspective. Currently, “GNOME is the only desktop that secures privileged wayland protocols like screencopy.” It also has a nice permission system for (dis)allowing microphone, camera, and location access. I wish the developers were more open to encouraging customization of the certain GUI elements, like KDE. KDE Plasma does not protect against screen capture, though it is on their radar.

Canonical, the owners of Ubuntu, love to steal open source projects. They’ll help a project with development power, then force the contributors to sign a CLA (for an example see the fork of LXD called Incus). Canonical also uses and forces proprietary systems onto the user’s, e.g. Snap uses the proprietary and hardcoded Canonical repository, which Ubuntu now defaults to using Snap for installing packages.

Side note, if it wasnt for Snap using a proprietary backend and also depending on AppArmor (generally regarded as a weaker MAC than SELinux), I would prefer Snap over Flatpak. It creates a better sandbox (aka the actually Security of the software), avoids sandbox escapes, blacklists against broad permissions (e.g. $HOME access), and Snap packages generally have stricter permissions (which determines the real-world security of Snap). Sandboxing is very important for Desktop (and server) security. Android is does the best job of this, but it would be nice if projects like Sydbox, Crablock, or Bubblejail were adopted and built-in to the package manager.

But even without any of the previously mentioned problems, I just think Fedora is a better OS. Fedora comes preconfigured with SELinux policies to confine system services they are quicker to adopt new technologies. Fedora is also a semi-rolling distro, meaning packages are quicker to get updated than on Ubuntu. Fedora stays FOSS, where as Ubuntu becomes more locked down. Also, the package Brace made by the developer of DivestOS is great for quickly hardening a Fedora system.