#Brave doesn't start (downloaded by official website)

See pic.

It is not recommended to install other browsers, and it is especially not supported to run GUI apps as root

https://secureblue.dev/faq#unconfined-userns

Some users would prefer privacy over security so adopting a browser as Brave to decrease fingerprinting.

We all know the potential repercussions in terms of security of this choice but users should be free to adopt a browser (maybe not from the store because of sand boxing potential conflicts).

Are we forcing users to adopt a single browser? I guess it would be good to adopt another strategy if this has been the way until now.

Interesting, so I should create a new user with no root accwss just to run any kind of third parties apps (not from flatpak)?

Nobody forces anything onto you, but running a third-party browser requires disabling a substantial part of what makes secureblue more secure than other distros

Isn't possible to display a clearer message to improve user experience?

Like hey this the error, do you wanna create a new profile?, it is necessary to run third partied apps Yes ... And let's set it.

Creating a new user account does nothing about this

No clue how you got that idea

User namespaces

And throwing root privileges at a program whenever something does not work is a bad habit in general

What's that?

I am not going to consult your preferred search engine for you, I am not your personal assistant

Yes I'm sorry but I imagine people who are using this Os, it's new and we try to install apps but they don't run. We get these messages and we need to come here or search in some documents what is necessary to do.

It is super common for techy people but absolutely difficult for normal users.

secureblue is not aimed at non-techy people

It is expected that users consult the FAQ, it exists for good reason

Linux in general is not aimed at anyone in particular to begin with

I would probably emphasise way more than a simple reference in the FAQ the fact we need a userspace and set something to install third party apps.

I totally understand if this requires time to write an article or make it easy and GrapheneOs community is a wonderful example of tech people mixed with user friendly experience.

We already remove Flatpak browsers from the software store front ends for that reason

At least we are not Arch where people leave after some months.

Yes but who wants more privacy over security should have it in a easier way. My point of view. Easily creating what is necessary to run a brave and getting info of the consequences and why it is not reccomanded.

GrapheneOS is a poor comparison, because AOSP starts with an already very secure and friendly UX.

secureblue's goal goes against what many people in the Linux space work towards, it is normal and to be expected that there is friction

We are quite literally working against parts of the Linux space that are actively making Linux progressively less secure

Web browsers' reliance on an insecure kernel feature is just one prominent example

I'm glad of all this work. And some articles (related to why it is better to use Trivalent instead of other browsers would be amazing to help people understanding all this without taking too much of dev precious time).

By the way GrapheneOs declares the same related to their Vanadium browser. Now if people prefer privacy over security for the browser... They need to be aware of the consequences of installing it via the browser official website and easily install it. They can, as they can download random dangerous apk with no big problems.

I don't know if I'm clear but they should know in some ways from the terminal the consequences of their action (maybe also a link to the very helpful article that someone should write), and automatically take down some protections to make this app work without going to read the FAQ or in Discord as tech people are used to do daily✅ .

I understand that goes against the values of this project but this is going to happen a lot over and over again if more people start adopting Secureblue.

What I ask?

More awareness

More usability

Freedom to choice making the installation of an out of the store app smooth and direct

Usability goes directly against secureblue's goals in this case

Awareness is for users

secureblue is very different from the experience with most Linux distros, and this is very much by design

You are free to choose using a different image or distro that fits your needs better

secureblue exists because there are users that desire what secureblue provides, going against that makes no sense

We cannot automatically detect when an app requires user namespaces and grant them that permission because the goal of that restriction is that untrustworthy programs must not obtain that permission

We cannot know beforehand which programs the user will install and if they can be trusted

Privacy is not the goal of the project, and Brave does not offer substantial privacy at all, in fact by default it is worse since Brave actually collects data on you and Trivalent doesn't. If you want privacy, spin up a Whonix VM and use Tor. Otherwise the effort is more a footgun. Also good privacy cannot exist without good security

Why are running applications as root? I noticed you did the same for bubblejail

When I try to run the app I get an error message. If this is associated to enable userns would be great to get a pop up(instead of nothing as now if I click on the app out from the terminal) that explains, creates awareness and gives to the user the possibility to smoothly make it run or not.

We are actually playing on the ignorance of users. If they are ignorant they will:

1. Say the os sucks (2 of my friends left the project because of "system instability and errors" to make apps run).
   Not to be vulgar but it is bullshit. It is necessary to spend some time and understand why this is happening and how to fix if we really want this. Secureblue is helping to maintain a high standard of security avoiding some bad behaviours. But I agree that should be more clear and direct than now.

2. Don't learn

3. Spread misinformation

I prefer to be direct, not to make users search search and at the end find the code to enable userns. Or at least let's pop up a link to the article.

Maybe I'm wrong and it is not possible to associate that error to enable userns but maybe yes.

We are going out of our way to remove the easy ways to install web browsers because it is fundamentally not secure to provide that

You are asking to make secureblue less secure at this point

I suggest you research the rationale for the design of secureblue's security tweaks on Github and the chats here

As many Linux users I prefer to stay rooted to have more privileges.

I purposely refused to switch to a not rooted user when it was suggested. There was written that this is not a good decision. I don't remember how much was explained but a good link to get more info would be great to give me more awareness that actually I haven't.

We cannot anticipate every way you could go out of your way to mess up

no, I meant why are you running applications with run0, that is for adjusting the system, not running something like a browser. For a number of reasons that is a bad idea

The wider Linux ecosystem is not secure at all, and the goals of secureblue are inherently bound to cause friction that cannot be explained without technical background

In an ideal world secureblue would not need to exist

Whoever wants can download browsers from official websites to get something different from security. It is just trickier to do.

I get the impression you are not actually looking for a security focussed Linux system

This is a bad idea on any Linux distro

This is like installing GrapheneOS for its security, and then breaking that security by rooting it

Your words and actions do not match

This worked for me

Noo don't take me wrong, I'm just very sad for my friends who are spreading bad info related to this amazing project. I'm totally in.

Maybe it would be very good to explicit in some articles the potential downgrades of giving less restrictions (from the Secure blue ones) to some third party apps.

And mention the most common requests apps have (which go against Secureblue approach)

There are good discussions related to privacy with Vanadium and people don't suggest to use it.

Few people adopt it, quite unique fingerprinting. I also tried some tests.

Privacy is different from security. And this is a security project.

chmod 644 /etc/yum.repos.d/brave-browser.repo
exit
rpm-ostree install brave-browser
systemctl reboot

^^Those are if you want to copy paste

this is for getting the brave repository, I believe they already have brave installed

ah i see, although i didnt have to modify any settings to get it working when i installed with those commands

or reduce security

I also tried some tests.
Fingerprinting tests give very incorrect perception on fingerprinting efficiency

did you already disable user namespaces?

prior to installing brave

Unless installing mullvad with ujust does so, then no

it does

Because that's all i did before installing brave

Ah okay, then yes I did

Privacy is different from security. And this is a security project
Privacy also cant exist without security

Related to fingerprinting by GrapheneOs
https://discuss.grapheneos.org/d/4242-brave-vs-vanadium/11

I would totally understand if some people would prefer to use a less safe browser compared to the Secureblue one but way more used.

Just because a browser is more used, it doesn't mean fingerprinting is less prevalent. Chrome will get you fingerprinted more than trivalent

Although for fingerprinting, while brave isn't perfect, it's better than trivalent

You should also disable GPU acceleration since that setting makes you stand out heavily, even on brave

I imagine my friends not able to install third party apps or even browsers from flatpak (on bazaar luckily we will take them away) but at least reading immediately the motivations/having a link to understand.

Damn I delated my old message.

We do not intentially disable support for third party browsers, its more that features they require are not secure to expose broadly

No browser has truly functional anti-fingerprinting except maybe Tor

Simply said that my 2 friends tried Securblue and they left because not able to install some software. They god errors and they didn't know anything about why.

Now they are:

1. spreading misinformation related to this project, apps don't work, unstanle...

2. less safe because setiched to a more friendly dkstro.

I would personally prefer 2 more users less safe because with out of the store softwares and aware of what they are doing compared to 2 less with no idea of what happened.

Security is for everyone techy and not techy

Did they seek out help?

They simply said " this is super unstable, not even able to download apps from the store"

That's true, but for some peoples threat model, a browser that blocks at least basic fingerprinting (like canvas or webgl), is better than no protection at all

And there's some browsers like mullvad (although i don't believe it works on secureblue), which are literally Tor, just using a different anonimity network

Mullvad is not an anonymity network

Sorry, my bad, I meant to say a different network to keep you anonymous to the websites you're visiting, assuming you trust mullvad ofc

Eh, not really, idk what threat model that would be, but its not an excuse imo for worse security. Bad security results in bad privacy

How do u justify this?

Idk how many people on the world use Secureblue browser

Again, if they had issues they should have seeked help, yes there is breakage, there are docs covering breakage and quick remedies. The equivalent is installing fedora after ubuntu and leaving because "no apt-get, where snap"

That's fair, but I'd say the average user prefers that most websites don't have a precise identity on them each visit, even without cookies, than security from malicious apps or programs

But of course if you can get both, that's the best option

I would say most care more about malicious apps, since a malicious actor spying on you is worse than Google. But this is off topic.

Iirc there are around 1000 secureblue installs with countme enabled. So maybe 85-95% of that? Idk

Wdym justify?

Fingerprinting seems to work better when more users adopt it. Now I'm not sure how true it is if we are using chrome or safari but also Brave has a great user base.
And this has not much to do with security.

Yes I'm on the same page

All this to say what?

Can we improve user experience if this is trying to download a browser or any kind of all from their official website? For what ever reason like privacy or idk?

The short answer:

1. not safe, we will not make it smooth and stand who goes away or says Secureblue is unstable, apps don't work etc...

2. not safe but we can try to make it easier and inform as much as possible the user with pop ups/messages in the terminal with maybe a link to common app errors caused by Secureblue safety measures.

Again, this is solved by the user doing research into the goals and technologies used by secureblue, if something is not clear they can seek help.

Also declare during the Os intro that Secureblue will likely not make third party apps work or even some from flatpak would be a good improvement giving more awareness to the users of what they are probably going to face.

We cant guarentee compatibility with every application, since everyone has their own use cases, this would be massive scope creep

The most I can say is, we can maybe add a note to the FAQ section about userns that third-party native browsers (aka not trivalent, and not flatpaked) will need the toggle

But also a good article that explains Secureblue position and compare some browsers.

I see a lot of people who still believe that's better to have a sandboxed browser...

Most people are wholly unfit and unqualified to discuss security

They regurgitate random shit they heard without critical analysis, see Dunning Kruger Effect

Maybe an article where it's explained why some very used apps don't work and how to make them work (and why it is a bad idea)

Brave from flatpak "doesn't work because bla bla, we do not! Suggest to download it, if for whatever reason u want it at leas use their website"

Brave from official website "doesn't work because bla bla we do not! Suggest to use it but if u want bla bla

Other apps...

Brave Flatpak does work

Flatpak browsers just have severely degraded security directly due to Flatpak

Honestly a browser article wouldnt be a bad idea, it does seem like the muddiest topic relating to sb

It would be an excellent source to avoid people to ask and ask. Also good to collect users experience and give a lot of awareness related to bad behaviours and why it is not suggested.

I guess it would be amazing and potentially dev from these software would join the Os and start a discussion saying why it is not true or how to prevent this etc.

https://discussion.fedoraproject.org/t/not-able-to-open-brave-failed-to-sync-with-dbus-proxy/162382

My friend tried LibreWolf

Had something similar

https://secureblue.dev/faq#xwayland

Why do we even write FAQs

They are like pinned messages in Discord

Yes but if Secureblue has a position... I want this to be clear and clearly shared.

Those who need them do not read them

Do you think the problem is Wayland? Please comment there so people can understand.

If from the error is possible to identify easily as u can the solution, isn't possible to add a pop up to enable Wayland.?

No, and this is part of why we recommend against other browsers

You need to manually edit the desktop entry for your browser to make it use Wayland

They choose the less secure option by default

Would be have been amazing if my friend had the pop up saying "this apps doesn't work because of these errors, this means you should probably enable Wayland and do this that... We do not! Suggest you to continue because this will decrease security as explained on this link"

You can adjust that in about:flags

You dont need to change the desktop files thankfully

Not for every browser

Which ones dont have that?

Edge does not list the ozone flag in edge://flags

Oh

It also goes for Electron

You need to edit the desktop entries for those

Is it something impossible? I know it is different from how people usually work searching and searching.

We cannot anticipate every reason why an app might not work

And we absolutely cannot anticipate how they report such failure

Apps crashing with a Segfault may be doing so because of hardened_malloc, or maybe the app just has an unspecific bug that causes it

We cannot just magically figure out what causes the crash and how to avoid it

If 6 people made the app run taking away our friend Malloc this should be easily findable in a page where all the app problems are collected + an explanation of what it means taking away Malloc (in this case)

That is not how it works

You cannot just look at a SEGFAULT and be able to say with certainty "This is because of hardened_malloc"

If 6 of 6 users whose reported the problem, solved it in this way also through the contribute of experts, it means it works. Or at least, it is one of the ways to make it work. Attached to the solution we want to explain the possible repercussions (if there are any) . Then you see other common problems flagged by the community related to the same app and other ones.

It doesn't work? Always welcome to open a post:)

This is why I would give a link to the user instead of taking the responsibility to solve automatically the problem based on the error.

Maybe for problems solved 9.5 time to 10 it could also automatically be done via GUI in the system without searching on the app problems section

And how do you suppose we automagically figure out the cause

I have figured out by trial and error before that Discord's client crashes when it fails to find an X11 server, EVEN if it is configured to use Wayland and never actually connects to XWayland

The error was not something helpful like "X11 server not found"

You are assuming that applications can reliably debug themselves

And then report exactly what went wrong, in which context and what can be done

Computers are dumb as rocks

They are literally as dumb as the rocks they are created from

what?

are you running apps generally as root??

!

He tried to run Brave with Bubblejail via run0

why

im on my phone for the time being btw so if someone can tldr that would be helpful

Because apparently we are not properly educating users what not to do

see the bootc matrix channel for why im on my phone

Now you made me curious

tldr boot links out of sync

But I do not remember my Matrix login credentials

i have been chosen

https://tenor.com/view/star-warrs-obi-wan-chosen-one-you-were-the-chosen-one-gif-5015340

FFS, why did it have to inherit THAT rpm-ostree bug

it's the app developer's responsibility to show you useful messages. we have no control over that

why did what have to inherit

lol

Did that bug not also affect rpm-ostree

you dont? what?

@leaden hazel not running apps as root is a fundamental unix concept that transcends not just linux but any unix like operating system including macos and Android.

secureblue is not a wiki for learning unix fundamentals. You should be running nothing as root, as a general rule on any unix like system

we don't yet until bazaar ships

Brave works well on secureblue. I recommend you ask them to improve their out of the box wayland support. You are directing feedback to us that is in the hands of Brave developers. We don't control their error messages. We don't control their defaults. I'm not sure why you're coming to us asking for better error messages and better defaults for an app we don't maintain

if you were asking for that for Trivalent, we absolutely would

not necessarily, it's just on Brave, not us.

again not really. brave works just fine.

rooted and wheel are not the same thing.......

where are they spreading misinfo lol

Through community, 6 people identify themselves in this error and solved it successfully doing that. The first time for sure there have been a discussions to solve it.

Maybe after 6 times people identified it, read the topic and solved it too, we can say with a certain reliability that could be a way to make it work.

we won't do this because it's incorrect

It requires enabling XWayland or editing its Ozone preference (degraded usability), and the RPM requires unconfined user namespace creation (degraded security)

trivalent is confined by selinux

So can be added on the page of "common app problems and how to solve them"

tell that to Brave

that's not going out of our way to make it hard to install other browsers. that's brave having crappy defaults

Unconfined user namespaces are not really avoidable for the RPM

No, if you have a problem with an app like this one with Brave, report it to them

The alternative is the SUID sandbox

True we could add a sentence to the existing FAQ item mentioning that most browsers need the toggle

also @leaden hazel where is this misinfo being spread lol

you have me curious

running things as root gives the programs more privileges, it doesn't affect your privileges as an individual lol

https://en.wikipedia.org/wiki/Principle_of_least_privilege

Oh, isn't possible to connect a certain error to a local suggestion?

This is a good point. I'm always more convinced that we need to create some sub categories of problems on github and here also based on app. And potentially also on the website. To explain why they don't work, inform users and potentially show how to overcome a bug or limitation.

Oh, isn't possible to connect a certain error to a local suggestion?

possible? probably

in scope? not at all

To explain why they don't work, inform users and potentially show how to overcome a bug or limitation.

This is not the responsibility of OS maintainers. If Brave's install instructions for Ubuntu were wrong, who would you tell: Brave, or Ubuntu?

Brave.

if their instructions are wrong (they are), you should open an issue here: https://github.com/brave/brave-browser

I always ran apps with sudo iny past experiences, do we have some general basic guides to help newbies to approach Secureblue and understand why this is not required?

In my mind if an app doesn't work it's mostly because it hasn't enough system privileges so I would try sudo so run0 and see the message in this case.

you should never run apps with sudo, run0, or root. This has been communicated to you many times.

approach Secureblue and understand why this is not required?

again

it has literally nothing to do with secureblue

zero.

it is general knowledge

it applies even on windows

that you shouldn't run every application as administrator

or any application for that matter

unless it's explicitly required for good reason

this is a basic principle of computer usage

not specific to any operating system let alone linux or secureblue

Good to know:) on pentasting os it is a must

In my mind if an app doesn't work it's mostly because it hasn't enough system privileges so I would try sudo so run0 and see the message in this case.

You should eliminate this habit

It is not, and there is no such thing as a pentesting OS

Even Kali does not give you a root account by default anymore

Kali is a meme.

https://en.wikipedia.org/wiki/Principle_of_least_privilege

@leaden hazel You seem interested in pentesting/offsec, but I strongly recommend you learn the basics of defensive security and security fundamentals

You're interested in offsec but then have a disregard for security basics

it seems contradictory

I'm struggling to understand what attracted you to secureblue in the first place 😅

I opened a request there as well yes

@leaden hazel running stuff as root/sudo/run0 nukes the entire permissions model

It'd be like driving around a tank, but then leaving the door unlocked and the key in the ignition when not using it

what was the point of getting such a secure vehicle in the first place if you're just going to leave it unlocked and the key in the ignition at all times?

it's contradictory

@leaden hazel or think of it from an offsec perspective. if you were pentesting a service, would you prefer it to be running unprivileged? or as root?

root 🙂

so that if you compromised the service you'd have carte blanche permissions

ergo every process at every time should be running with as few permissions as possible

They would say it's Secureblue fault if their software doesn't work, and that they have not time to make changes for us.

So if we say it is their fault and they say it is not and we are too strict + we don't publicly (thought some reverse engineering, software analysis and public articles/podcasts communication ways) condemn bad security lacks of these softwares... Well user experience will continue to be very poor until these software will see a lot of people using Secureblue so adapt to good security standards or simply wait years before to update to something safer just because they want to do it without considering us at all.

In all this I see a big loser and it is the not technical user who try the Os, say it is instable and goes away without even knowing anything.

They would say it's Secureblue fault if their software doesn't work, and that they have not time to make changes for us.

The only case where this is true is for the user namespaces toggle, which is already documented.

Please read this https://secureblue.dev/faq#upstream

If we were only making changes that didn't break someone's use case out of the box, we would just upstream everything to Fedora and secureblue wouldn't exist

Related to what? Sorry I lost myself on this

you said people are spreading misinfo about secureblue

also @leaden hazel the one point of yours I agree with is that we could spell out more concretely what kinds of apps need unprivileged userns

https://github.com/secureblue/secureblue.dev/issues/172

so we'll add that to the site

but generally speaking in my experience, the type of user to get frustrated and give up quickly is also the type of user who wouldn't read the FAQ thoroughly

So I'm not sure how much it will help

I agree and at the same time I would also help common not expert users to easily find an answer on our website (waiting for a fix). Yeah we have different ideas on this aha

Why can't they just search the discord? The website is intentionally not a support forum

Oh yes my friends who used it. They didn't have the patience to understand why it wasn't possible to install some apps. They tried some apps from the store plus outside from what I understood and it didn't work. So now they say that Srcureblue is unstable and that's not even possible to install basic software. When the reality is way different.

Absolutely, it would be a great idea

my question was a curiosity about where they're spreading misinfo

not what

True, for bubblejail another dev immediately recognised the error I made (still have to analyse it carefully but should be relates to Wayland). Now for her it was so easy, I honestly read the error that was speaking about graphic and I didn't have any knowledge of x11 and Wayland.

This is why I asked to sort errors per app so it would be maybe easier to find something similar in an easy and ordered way.

immediately recognised the error I made

if they didn't call out that you were running everything as root, I somewhat doubt that 🙂

since that's the first issue

This is why I asked to sort errors per app so it would be maybe easier to find something similar in an easy and ordered way.

No, Brave requiring X11 in 2025 is a decision on their part. We're not going to maintain a list of applications that haven't migrated to wayland.

It is my first time on discord to solve problems aha. I'm not sure if my friends made a research. I'll ask them.

There are already sites like https://arewewaylandyet.com/ for that

With other friends

oh, lol

I would prefer a brave Sexureblue that goes against who does not adopt public security and spread these necessary info to push software developers.

I have no idea what this means

secureblue is project building an operating system

this isn't an awareness or advocacy project

I see, I like who spreads the values also in other ways and not just technically (so developing an Os)

Tor has done a lot to spread awareness also with live events In the past

And I am politely declining 🙂

we already are spreading awareness of security holes in desktop linux in the project existing in the first place

which is well documented already

if you want an organization to exist that documents security anti-patterns in desktop linux, go create one 🙂

Yeah I like political projects who attack who goes against. Also excellent marketing measure.

Okay well that's not the purpose of the project 🙂

Clear

We will gently correct incorrect information when needed

Linux and software in this case would be the target

This is not a media project

We're building bootc images

🙂

Thank you for the conversion, a lot of points to study. I think some of these problems will come back in the future when more not expert users will start using (hopefully) Secureblue.

GrapheneOs is a very good example of project that is strong in many of the points I mentioned

I have already respectfully declined your request.

I'm taking the relevant parts of your points and applying them: https://github.com/secureblue/secureblue.dev/pull/173

Yes no problem

Let me know if these would have been helpful notes for you

Do you think it could be helpful if I try Secureblue on different VM with some setups that you are curious to experiment to see the os reaction?

Please let me know of it could be helpful so I can give some data of errors or problems back to someone

I'm not sure what you mean by

"setups"

and

"experiment to see the os reaction"

if you're interested in testing upcoming changes, there's the #testing channel

right now we're testing aarch64 builds

Oki

what did you mean though

Run VM simulating some types of CPU GPU ram power etc, I'm not quite familiar with this but I think it could be a great contribute to test machines that in the future could have Secureblue

I think there are some VM that permit to have a certain type of flexibility with parameter settings

we have integration tests that run daily:

https://github.com/secureblue/secureblue/tree/live/.github/workflows/integration_tests

using https://github.com/secureblue/bootc-integration-test-action

if you want to contribute to the integration testing, please do!

all you need is bash scripting knowledge

if you have ideas about new integration tests before you start on them, run them by #dev

Thank you I can try to give it a read and a try to see how much I can bring with my limited knowledge. Thank you again

np

@leaden hazel btw here is the staging site with the new changes:

https://usernsnote.secureblue.pages.dev/faq#unconfined-userns
https://usernsnote.secureblue.pages.dev/faq#xwayland

let me know if it's more useful