Comment by johnisgood

1 day ago

You can use Qubes OS for true VM-level isolation, or use hardware security keys where possible, or run sensitive applications in dedicated VMs.

I think that in general it is game over the moment you have malicious processes running. I use firejail for most applications, which I believe is the bare minimum, or bubblewrap.

3 comments

johnisgood

codethief 1 day ago

Yeah. Personally, I'm crossing my fingers for SpectrumOS[0] to make things a bit easier. As the developer notes on her website[1]:

  <qyliss> I have embarked on the ultimate yak shave
  <qyliss> it started with "I wish I could securely store passwords on my computer"
  <qyliss> And now I am at the "I have funding to build my own operating system" level

[0]: https://spectrum-os.org/

[1]: https://alyssa.is/about/

johnisgood 1 day ago
What else can you tell me about Spectrum OS? Is it actively maintained? Is it usable? How does it compare to Qubes OS?
Also what do you think about Subgraph OS[1]? Although I think it is not maintained anymore, or is it?
[1] https://subgraph.com/img/sgos.png (old image which I remembered it by) (https://web.archive.org/web/20241206072718/https://subgraph....)
- codethief 10 hours ago
  
  I don't know how usable SpectrumOS is so far – I guess we'd have to compile it ourselves in order to find out. Either way, it is being developed quite actively, see https://spectrum-os.org/git/
  As for how it compares to Qubes, I don't think I'll be able to tell you more than https://spectrum-os.org/design.html & friends. I suppose the upshot is:
  - KVM instead of Xen
  - One VM per application
  - Single file system for user data (to which users can grant VMs access on a folder-by-folder basis)
  - Package system from NixOS (nixpkgs) for reproducibility & immutability