throwaway89988 | 1 year ago

I tried out Aeon a while back and mostly liked the idea, but not so sure about the execution.

First, last time they had no firewall and the main developer thinks a firewall is not needed. I disagree strongly and won't run an OS w/o firewall. (https://forums.opensuse.org/t/micro-os-suse-aeon-compared-to...)

Second, getting everything from flatpak would be a good idea, if the software I need would be available as certified flatpaks. Downloading random flatpaks is IMHO the same as downloading random executables.

Third, the AARCH64 version is not distributed anymore (this was the version I tried/used), AFAIK because the initial install script could not download the non-existent Firefox for AARCH64 flatpak (thanks Mozilla).

In the end I still like the idea of Aeon and hope they change their positions concerning firewalls. Points two and three are obviously not Aeon's to fix, so I hope we as a community (and Mozilla) get there in time.

thoroughburro|1 year ago

I use a MicroOS + wayland + sway and friends setup, since I don’t like big DEs. I completely agree with you about needing a firewall, but it was an easy fix to continue taking advantage of all the good parts:

    sudo transactional-update shell
    zypper in firewalld
    # [set up as you like]
    exit
    sudo reboot

Now you have MicroOS or Aeon as you like it. It’s a discouraged practice, but if you stick to the default repos and well-used packages, you can definitely tweak the opinionated defaults without compromising the vision.

BossingAround|1 year ago

I understand what you're saying, and I understand the maintainer's POV. But, nothing prevents you from installing firewalld, right? It should just work.

deknos|1 year ago

I agree with the flatpak, sadly this will probably not change.

BUT! If you are a developer, you could use distrobox to run graphical applications from the distrobox from OpenSUSE!

I am starting to use this on tumbleweed and there are even "exporters" so the app in the distrobox will be exported to your application menu on the metal!

jacooper|1 year ago

Does that app have access to a full terminal? Like if I install VS Code inside distrobox, will it have access to the system's or the container's terminal?

athrun|1 year ago

The firewall question is interesting. I guess I understand their perspective: If nothing is listening/running then what’s the point of the firewall? The system is immutable so the security posture is a known quantity and cannot change at runtime. You could argue that running an additional firewall service would actually be increasing the attack surface, in the sense that more code is worse than the absence of code.

Not sure I agree with their stance, but good on them for having the courage to revisit some of our default assumptions. Some decisions will work out and others they’ll have to fine-tune.

throwaway89988|1 year ago

The base system does not need a Firewall, according to them, and they might be correct about that or not.

IMHO the point of having a firewall which simply denies all incoming connections is that once a user starts installing a few programs, sooner or later some of them might open ports, even w/o malicious intent.

If they want to provide an easy to use and secure system, IMHO there should be a firewall and each port has to be opened explicitly.

In the end, this is really down to opinion and there is no objectively true answer, so I'd rather use Fedora-Atomic if I need immutability.

raesene9|1 year ago

I can see where the no-firewall argument is coming from and definitely on my own Linux laptop, I try and keep the number of ports listening down as much as possible, but it is tricky and it requires a lot of vigilance, as sometimes applications you wouldn't expect to will start services. Things like Spotify and Steam can open ports.

So having a firewall running can provide a bit of extra protection in case you don't always check to see what ports you have open/listening.
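
Added example, not part of the thread: a Python sketch of the "check what is listening" step discussed above. It parses `ss -H -tuln` output and lists sockets bound beyond loopback, which are the ones a default-deny firewall would otherwise cover. The sample output is constructed, and the function names are this example's own.

```python
import ipaddress
import subprocess

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
SAMPLE = """\
udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      4096           [::1]:631          [::]:*
tcp   LISTEN 0      10                 *:57621           *:*
udp   UNCONN 0      0      [fe80::1]%eth0:546         [::]:*
"""

def is_loopback_only(addr):
    """True if a socket bound to addr cannot be reached from other hosts."""
    addr = addr.split("%", 1)[0].strip("[]")  # drop %iface scope and brackets
    if addr == "*":                           # ss prints the dual-stack wildcard as *
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False                          # unparsable: report it, do not hide it
    mapped = getattr(ip, "ipv4_mapped", None) # ::ffff:127.0.0.1 style addresses
    return (mapped if mapped is not None else ip).is_loopback

def exposed_listeners(ss_output):
    """Return sorted (proto, address, port) for sockets bound beyond loopback."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]   # Netid and Local Address:Port
        addr, port = local.rsplit(":", 1)
        if not is_loopback_only(addr):
            found.add((proto, addr, int(port)))
    return sorted(found)

def audit_live():
    """Run ss on this machine (needs iproute2) and audit its real output."""
    out = subprocess.run(["ss", "-H", "-tuln"], capture_output=True,
                         text=True, check=True).stdout
    return exposed_listeners(out)

if __name__ == "__main__":
    for proto, addr, port in exposed_listeners(SAMPLE):
        print(f"{proto:4} {addr}:{port} accepts connections from other hosts")
```

Running `audit_live()` after installing or updating desktop applications shows whether any of them started listening on a non-loopback address.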