# Linux

Linux distributions are commonly recommended for privacy protection and software freedom.

If you don't already use Linux, below are some distributions we suggest trying out, as well as some general privacy and security improvement tips that are applicable to many Linux distributions.

### Fedora Workstation¶

Recommendation

Fedora Workstation is our recommended distribution for people new to Linux. Fedora generally adopts newer technologies before other distributions e.g., Wayland, PipeWire, and soon, FS-Verity. These new technologies often come with improvements in security, privacy, and usability in general.

Fedora has a semi-rolling release cycle. While some packages like GNOME are frozen until the next Fedora release, most packages (including the kernel) are updated frequently throughout the lifespan of the release. Each Fedora release is supported for one year, with a new version released every 6 months.

### openSUSE Tumbleweed¶

Recommendation

openSUSE Tumbleweed is a stable rolling release distribution.

openSUSE Tumbleweed has a transactional update system that uses Btrfs and Snapper to ensure that snapshots can be rolled back should there be a problem.

Tumbleweed follows a rolling release model where each update is released as a snapshot of the distribution. When you upgrade your system, a new snapshot is downloaded. Each snapshot is run through a series of automated tests by openQA to ensure its quality.

### Arch Linux¶

Recommendation

Arch Linux is a lightweight, do-it-yourself (DIY) distribution meaning that you only get what you install. For more information see their FAQ.

Arch Linux has a rolling release cycle. There is no fixed release schedule and packages are updated very frequently.

Being a DIY distribution, you are expected to set up and maintain your system on your own. Arch has an official installer to make the installation process a little easier.

A large portion of Arch Linux’s packages are reproducible.

## Immutable Distributions¶

### Fedora Silverblue¶

Recommendation

Fedora Silverblue and Fedora Kinoite are immutable variants of Fedora with a strong focus on container workflows. Silverblue comes with the GNOME desktop environment while Kinoite comes with KDE. Silverblue and Kinoite follow the same release schedule as Fedora Workstation, benefiting from the same fast updates and staying very close to upstream.

Silverblue (and Kinoite) differ from Fedora Workstation as they replace the DNF package manager with a much more advanced alternative called rpm-ostree. The rpm-ostree package manager works by downloading a base image for the system, then overlaying packages over it in a git-like commit tree. When the system is updated, a new base image is downloaded and the overlays will be applied to that new image.

After the update is complete you will reboot the system into the new deployment. rpm-ostree keeps two deployments of the system so that you can easily rollback if something breaks in the new deployment. There is also the option to pin more deployments as needed.

Flatpak is the primary package installation method on these distributions, as rpm-ostree is only meant to overlay packages that cannot stay inside of a container on top of the base image.

As an alternative to Flatpaks, there is the option of Toolbox to create Podman containers with a shared home directory with the host operating system and mimic a traditional Fedora environment, which is a useful feature for the discerning developer.

### NixOS¶

Recommendation

NixOS is an independent distribution based on the Nix package manager with a focus on reproducibility and reliability.

NixOS’s package manager keeps every version of every package in a different folder in the Nix store. Due to this you can have different versions of the same package installed on your system. After the package contents have been written to the folder, the folder is made read-only.

NixOS also provides atomic updates; first it downloads (or builds) the packages and files for the new system generation and then switches to it. There are different ways to switch to a new generation; you can tell NixOS to activate it after reboot or you can switch to it at runtime. You can also test the new generation by switching to it at runtime, but not setting it as the current system generation. If something in the update process breaks, you can just reboot and automatically and return to a working version of your system.

Nix the package manager uses a purely functional language - which is also called Nix - to define packages.

Nixpkgs (the main source of packages) are contained in a single GitHub repository. You can also define your own packages in the same language and then easily include them in your config.

Nix is a source-based package manager; if there’s no pre-built available in the binary cache, Nix will just build the package from source using its definition. It builds each package in a sandboxed pure environment, which is as independent of the host system as possible, thus making binaries reproducible.

## Anonymity-Focused Distributions¶

### Whonix¶

Recommendation

Whonix is based on Kicksecure, a security-focused fork of Debian. It aims to provide privacy, security, and anonymity on the internet. Whonix is best used in conjunction with Qubes OS.

Whonix is meant to run as two virtual machines: a “Workstation” and a Tor “Gateway.” All communications from the Workstation must go through the Tor gateway. This means that even if the Workstation is compromised by malware of some kind, the true IP address remains hidden.

Some of its features include Tor Stream Isolation, keystroke anonymization, encrypted swap, and a hardened memory allocator.

Future versions of Whonix will likely include full system AppArmor policies and a sandbox app launcher to fully confine all processes on the system.

Whonix is best used in conjunction with Qubes, Qubes-Whonix has various disadvantages when compared to other hypervisors.

### Tails¶

Recommendation

Tails is a live operating system based on Debian that routes all communications through Tor, which can boot on on almost any computer from a DVD, USB stick, or SD card installation. It uses Tor to preserve privacy and anonymity while circumventing censorship, and it leaves no trace of itself on the computer it is used on after it is powered off.

Tails is great for counter forensics due to amnesia (meaning nothing is written to the disk); however, it is not a hardened distribution like Whonix. It lacks many anonymity and security features that Whonix has and gets updated much less often (only once every six weeks). A Tails system that is compromised by malware may potentially bypass the transparent proxy allowing for the user to be deanonymized.

Tails also installs uBlock Origin in Tor Browser by default, which potentially makes it easier for adversaries to fingerprint Tails users, and increases the attack surface of the browser. For all of these reasons, if your only goal is to browse the internet anonymously, Tails is not as good of a choice as using Whonix with Qubes OS, which is much more secure and leakproof. If your goal is to use a computer without leaving any trace afterwards, Tails may be a good solution for you.

By design, Tails is meant to completely reset itself after each reboot. Encrypted persistent storage can be configured to store some data between reboots.