שולחן עבודה/מחשב אישי
Protects against the following threat(s):
הפצות לינוקס מומלצות בדרך כלל להגנה על פרטיות וחופש תוכנה. אם אינך משתמש עדיין בלינוקס, להלן כמה הפצות שאנו מציעים לנסות, כמו גם כמה טיפים כלליים לשיפור פרטיות ואבטחה החלים על הפצות לינוקס רבות.
הפצות מסורתיות
Fedora Workstation
Fedora Workstation is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies (e.g., Wayland and PipeWire) before other distributions. טכנולוגיות חדשות אלה מגיעות לעתים קרובות עם שיפורים באבטחה, בפרטיות ובשימושיות באופן כללי.
לFedora יש מהדורת שחרור מתגלגל-למחצה. While some packages like GNOME are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. כל גרסה של פדורה נתמכת למשך שנה אחת, עם גרסה חדשה ששוחררה כל שישה חודשים.
openSUSE Tumbleweed
openSUSE Tumbleweed היא הפצת שחרור מתגלגלת יציבה.
openSUSE Tumbleweed uses Btrfs and Snapper to ensure that snapshots can be rolled back should there be a problem.
Tumbleweed עוקב אחר מודל מהדורה מתגלגל שבו כל עדכון משוחרר כתמונת מצב של ההפצה. בעת שדרוג המערכת, מתבצעת הורדה של תמונת מצב חדשה. כל תמונת מצב מנוהלת באמצעות סדרה של בדיקות אוטומטיות על ידי openQA כדי להבטיח את איכותה.
Arch Linux
Arch Linux is a lightweight, do-it-yourself (DIY) distribution, meaning that you only get what you install. לקבלת מידע נוסף, עיין בFAQ.
ל - Arch Linux יש מחזור שחרור מתגלגל. אין לוח זמנים שחרור קבוע וחבילות מתעדכנות לעתים קרובות מאוד.
להיות התפלגות DIY, אתה צפוי להגדיר ולתחזק המערכת שלך בעצמך. יש Arch מתקין רשמי כדי להפוך את תהליך ההתקנה קצת יותר קל.
A large portion of Arch Linux’s packages are reproducible1.
Atomic Distributions
Atomic distributions (sometimes also referred to as immutable distributions) are operating systems which handle package installation and updates by layering changes atop your core system image, rather than by directly modifying the system. Advantages of atomic distros include increased stability and the ability to easily roll back updates. See Traditional vs. Atomic Updates for more info.
Fedora Atomic Desktops
Fedora Atomic Desktops are variants of Fedora which use the rpm-ostree package manager and have a strong focus on containerized workflows and Flatpak for desktop applications. All of these variants follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream.
Fedora Atomic Desktops come in a variety of flavors depending on the desktop environment you prefer. As with the recommendation to avoid X11 in our criteria for Linux distributions, we recommend avoiding flavors that support only the legacy X11 window system.
These operating systems differ from Fedora Workstation as they replace the DNF package manager with a much more advanced alternative called rpm-ostree. The rpm-ostree package manager works by downloading a base image for the system, then overlaying packages over it in a git-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image.
After the update is complete, you will reboot the system into the new deployment. rpm-ostree keeps two deployments of the system so that you can easily roll back if something breaks in the new deployment. There is also the option to pin more deployments as needed.
Flatpak is the primary package installation method on these distributions, as rpm-ostree is only meant to overlay packages that cannot stay inside a container on top of the base image.
As an alternative to Flatpaks, there is the option of Toolbx to create Podman containers which mimic a traditional Fedora environment, a useful feature for the discerning developer. These containers share a home directory with the host operating system.
NixOS
NixOS’s package manager keeps every version of every package in a different folder in the Nix store. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only.
NixOS also provides atomic updates. It first downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation: you can tell NixOS to activate it after reboot, or you can switch to it at runtime. You can also test the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system.
The Nix package manager uses a purely functional language—which is also called Nix—to define packages.
Nixpkgs (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config.
Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed pure environment, which is as independent of the host system as possible. Binaries built with this method are reproducible1.
הפצות ממוקדות אנונימיות
Whonix
Whonix מבוסס על Kicksecure, נגזר ממוקד אבטחה של דביאן. It aims to provide privacy, security, and Anonymity on the internet. כדאי להשתמש ב - Whonix בשילוב עם Qubes OS.
Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden.
Some of its features include Tor Stream Isolation, keystroke anonymization, encrypted swap, and a hardened memory allocator. Future versions of Whonix will likely include full system AppArmor policies and a sandboxed app launcher to fully confine all processes on the system.
Whonix is best used in conjunction with Qubes. We have a recommended guide on configuring Whonix in conjunction with a VPN ProxyVM in Qubes to hide your Tor activities from your ISP.
Tails
Tails היא מערכת הפעלה חיה המבוססת על דביאן המנתבת את כל התקשורת דרך Tor, שיכולה לאתחל כמעט כל מחשב מ - DVD, מקל USB או התקנת כרטיס SD. It uses Tor to preserve privacy and Anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off.
Warning
Tails doesn't erase the video memory when shutting down. When you restart your computer after using Tails, it might briefly display the last screen that was displayed in Tails. If you shut down your computer instead of restarting it, the video memory will erase itself automatically after being unpowered for some time.
Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy, allowing for the user to be deanonymized.
Tails includes uBlock Origin in Tor Browser by default, which may potentially make it easier for adversaries to fingerprint Tails users. Whonix virtual machines may be more leak-proof, however they are not amnesic, meaning data may be recovered from your storage device.
By design, Tails is meant to completely reset itself after each reboot. Encrypted persistent storage can be configured to store some data between reboots.
הפצות ממוקדות אבטחה
Protects against the following threat(s):
Qubes OS
Qubes OS היא מערכת הפעלה בקוד פתוח שנועדה לספק אבטחה חזקה עבור מחשוב שולחני באמצעות מכונות וירטואליות מאובטחות (או "qubes"). Qubes מבוסס על Xen, מערכת חלונות X ו- Linux. זה יכול להריץ את רוב יישומי לינוקס ולהשתמש ברוב מנהלי ההתקנים של לינוקס.
Qubes OS secures the computer by isolating subsystems (e.g., networking, USB, etc.) and applications in separate qubes. Should one part of the system be compromised via an exploit in a Targeted Attack, the extra isolation is likely to protect the rest of the qubes and the core system.
For further information about how Qubes works, read our full Qubes OS overview page.
Secureblue
Secureblue is a security-focused operating system based on Fedora Atomic Desktops. It includes a number of security features intended to proactively defend against the exploitation of both known and unknown vulnerabilities, and ships with Trivalent, their hardened, Chromium-based web browser.
Trivalent is Secureblue's hardened Chromium for desktop Linux inspired by GrapheneOS's Vanadium browser.
Secureblue also provides GrapheneOS's hardened memory allocator and enables it globally (including for Flatpaks).
Kicksecure
While we recommend against "perpetually outdated" distributions like Debian for desktop use in most cases, Kicksecure is a Debian-based operating system which has been hardened to be much more than a typical Linux install.
Kicksecure - במונחים פשוטים מדי - היא קבוצה של סקריפטים, תצורות וחבילות שמצמצמות באופן משמעותי את משטח ההתקפה של דביאן. זה מכסה הרבה המלצות לפרטיות והקשחה כברירת מחדל. הוא משמש גם כמערכת ההפעלה הבסיסית עבור Whonix.
קריטריונים
Choosing a Linux distro that is right for you will come down to a huge variety of personal preferences, and this page is not meant to be an exhaustive list of every viable distribution. Our Linux overview page has some advice on choosing a distro in more detail. The distros on this page do all generally follow the guidelines we covered there, and all meet these standards:
- Free and open source.
- מקבל עדכוני תוכנה וליבה קבועים.
- Avoids X11, as its last major release was more than a decade ago.
- The notable exception here is Qubes, but the isolation issues which X11 typically has are avoided by virtualization. This isolation only applies to apps running in different qubes (virtual machines); apps running in the same qube are not protected from each other.
- תומך בהצפנת דיסק מלא במהלך ההתקנה.
- לא מקפיא מהדורות רגילות במשך יותר משנה.
- אנו ממליצים נגד הפצות "תמיכה לטווח ארוך" או "יציבות" לשימוש בשולחן העבודה.
- תומך במגוון רחב של חומרה.
- העדפה לפרויקטים גדולים יותר.
- שמירה על מערכת הפעלה היא אתגר מרכזי, ולפרויקטים קטנים יותר יש נטייה לטעויות נמנעות יותר, או לעכב עדכונים קריטיים (או גרוע מכך, להיעלם לחלוטין). אנו נשענים לעבר פרויקטים אשר ככל הנראה יהיו בערך 10 שנים מהיום (בין אם זה נובע מגיבוי תאגידי או תמיכה קהילתית משמעותית מאוד), והרחק מפרויקטים שנבנו בעבודת יד או שיש להם מספר מצומצם של מתחזקים.
In addition, our standard criteria for recommended projects still applies. Please note we are not affiliated with any of the projects we recommend.
-
Reproducibility entails the ability to verify that packages and binaries made available to the end user match the source code, which can be useful against potential Supply Chain Attacks. ↩↩
אתה צופה בעותק העברי של מדריכי הפרטיות, שתורגם על ידי צוות השפה הפנטסטי שלנו ב- Crowdin. אם אתה מבחין בשגיאה, או רואה קטעים לא מתורגמים בדף זה, אנא שקול לעזור! בקרו ב-Crowdin
You're viewing the עברית copy of Privacy Guides, translated by our fantastic language team on Crowdin. If you notice an error, or see any untranslated sections on this page, please consider helping out!