← Back to context

Comment by cube00

6 days ago

> any kind of secure boot / boot chain attestation [...] rebooting clears out pretty much all malware

IMHO "pretty much" understates the risk.

Malware can easily install itself as a system service, timer unit, XDG autostart or your shell profile among other places. I'll be the first to admit I never check all these places regularly.

The only thing that should be putting minds at ease is regular OS installs from fresh images.

Resist the temptation to do an "in place" upgrade and go with a clean ISO each time your distro comes out with a new major version.

It's a pain but thanks to configuration management or even shell scripts it's manageable for me now.

Admittedly six months is probably too long as well but at least it stops something lurking on a server or my desktop for years.

If you go with an immutable OS like Fedora Silverblue or Bazzite, every single update is a clean ISO install. And then in your user only install things through Flatpak while checking there aren't dangerous permissions enabled you will be much better off than a normal linux setup were mutations can be placed all over the place in a way that is impossible to audit or secure.

  • Not for $HOME and ~/.profile and such.

    • With flatpak, every app would have it's own virtual home to store config files, and for editing documents they can use the portals feature to allow the user to open files without having full filesystem access.