I don't get your frustration towards an actual working secure boot setup in Fedora. The fact that you can't just load any random unsigned kernel module is exactly what secure boot should be doing. If you can just load a random module in openSUSE, then I would be worried. It's like saying that the firewall of system X is better, because it doesn't block traffic so it doesn't get in the way :)
The rolling release model that provides stable updates
This is false. Rolling release is by default not stable. The definition of stable is not that it's free of bugs (impossible), but a stable API and ABI. By nature a rolling release doesn't have that.
The default installation installs many bloatware without a clear menu to opt out.
I agree on this one. And the mascot is cool. I would also add that it's a European based distribution (sure, the community is international, but on legal grounds they are European).
It's also cool you can enable SELinux. Also, Aeon looks nice. But it's not as advanced as Silverblue yet. And seeing the comments from the main devs, it's not their goal to compete with Silverblue either.
The fact that you can't just load any random unsigned kernel module is exactly what secure boot should be doing.
At least, on openSUSE and Ubuntu, we use modprobe to load any unsigned kernel module. Any modprobe security issue had been fixed since 2003 on Linux 2.4.21, see here. Therefore, I don't think I would want to limit myself to Fedora because of this reason.
Rolling release is by default not stable.
Stable for me as a user is that I get to use all the stable version of the software, drivers, etc. without any hassle. openSUSE Tumbleweed doesn't release alpha, beta, or release candidate software to the users.
Fedora, on the other hand, is a point release distro but still updates its kernel regularly, which is the main part of the system for any issue to occur. Therefore, while you get the same level of system stability with any rolling release distro on Fedora, your packages are locked to the old version for no reason. Moreover, Fedora doesn't have any snapshot and rollback system out of the box. So, if things go wrong on Fedora, you might need a system re-install, which almost never happens on openSUSE.
Your reply makes me wonder if you understand why secure boot exists and what it's supposed to protect you from. I also don't see what this modprobe fix has to do with it, which also predates secure boot. You shouldn't be able to sign your own stuff either (without breaking the chain of trust). If you would then that would be a huge security issue and negates the purpose of secure boot if a malicious person can just sign stuff him/herself.
Usually you can just install the signed drivers from the Fedora repository. And you know this as well, someone already pointed this out to you in the comment section in your blog about Fedora. The module you needed could simply be installed with sudo dnf install kmod-v4l2loopback. So it's a non-issue and you didn't even include this fact in your review about openSUSE. So please, update this review, it gives a false evaluation (in bad faith).
Stable for me as a user is that I get to use all the stable version of the software
Stable means that your API and ABI won't change, so things will be predictable and, stable. This is the true definition, your personal definition is not the same. Fedora package maintainers may update software with major releases, as long as it doesn't break API and ABI compatibility, hence the kernel version changes. I maintain several Fedora packages, neofetch for example can be updated to a major release because it's still the same POSIX compliant script and if no breaking changes exist in config files, it's fine to introduce it.
Tumbleweed on the other hand can introduce breaking changes, because it's a rolling release. That's why it's by definition not stable. It may have a stable user experience due to the health checks and openQA. But that's not in the same league as Debian/Fedora releases where you have guaranteed stable API and ABI compatibility within a release.
Moreover, Fedora doesn't have any snapshot and rollback system out of the box.
Have a look at Silverblue and how rpm-ostree works. It's more advanced than snapper, check rpm-ostree --help to see what you can do with it. It's da futaahhh.
I won't update my review unless I can modprobe on Fedora. You should also know from the comment in my blog about Fedora that I don't want to depend on anyone to maintain the packages for me (and for how long they maintain, and how fast they deliver those packages, etc.). If things should work from the official repo through modprobe, then it should work. And it's not about any specific package either. It's about a roadblock from this limitation that I might see in the future.
I don't write reviews in bad faith.
I am always looking at Silverblue, Aeon, or any immutable OS for that matter. But they are much harder to work with and less compatible to many software currently. I think, until Flatpak and Distrobox work very well with all the apps that I use in my workflow, I don't think I will ever recommend any immutable OS for little to no gain in security and rollback ability.
Thanks for maintaining several packages on Fedora ❤️
I won't update my review unless I can modprobe on Fedora.
With secure boot on you can't do that and that's what it's supposed to do. Secure boot only allows properly signed drivers to be loaded. Unless you break the chain of trust by installing your own key into your system, then you can modprobe your own stuff. But without the chain of trust the signing process is simply weakened/useless. Fedora implemented secure boot as it should. I doubt you can modprobe randomly built modules in other distributions. If you can, then again, I would be worried.
The example you still use is about a situation that can easily be fixed with a Fedora signed kernel module you can pull in with a DNF command. So there is nothing to complain about. That combined with the fact that secure boot is supposed to prevent you from loading unsigned stuff makes the review kinda bad. Especially for those unfamiliar with these topics.
Also don't forget you can do dnf history undo last in Fedora to undo the last RPM transaction, or any of them listed in dnf history. It's not the same as a BTRFS snapshot, but at least it's portable throughout filesystems. I find Silverblue great and also non-techy people can work with it as they use it as a Chromebook-style workflow.
I don't know what you're talking about. I always have secure boot enabled, and I can modprobe on openSUSE and Ubuntu without any issue, as explained in my review. I will not trade a 1-sec solution for any messy one on Fedora. If modprobe any unsigned kernel module is such a security issue (which it isn't), you might not want to load that module in the first place, since you don't trust the module itself.
The same goes true for the snapshot and rollback system. I won't trade a well-established system on openSUSE for any half-baked one on Fedora. And I don't want to limit my workflow with any immutable OS either.
Fedora is like a test bed for RH but without the underlying system to save the users if things go wrong. The users need to resort to the immutable version of their OS just to fix one issue while creating tons of new issues in the process. Therefore, I really can't recommend Fedora to anyone who wants to work on their PC, as it is the worst in terms of usability.
you might not want to load that module in the first place, since you don't trust the module itself.
Exactly, and that's why you have secure boot, to protect you from untrusted software.
If modprobe any unsigned kernel module is such a security issue (which it isn't)
The kernel runs in ring 0, the most privileged tier of your system. So yes, modprobe is a dangerous thing with untrusted software. And if your system is compromised and someone has automated a modprobe in a cron, startup script or whatever to gain ring 0 control then you are F'ed. Such a thing is hard to detect and is the perfect place to hide a rootkit.
I won't trade a well-established system on openSUSE for any half-baked one on Fedora
What if you need a different filesystem than BTRFS? It's not a one size fits all filesystem, e.g. performance isn't the best with that filesystem. It's an awesome solution, but it isn't portable.
Fedora is like a test bed for RH but without the underlying system to save the users if things go wrong
I already explained to you that Fedora has a stable API and ABI, because it's not a rolling release. And Fedora also has an extensive QA. Furthermore, if things do go wrong, you can do dnf history undo last if you have a faulty update transaction. Or just rollback that single package and pin the version until it's fixed. While you can use whatever filesystem you want or need for your workflow. rpm-ostree based systems are more powerful in that regard, but aren't a requirement. It is the future though.
I really can't recommend Fedora to anyone who wants to work on their PC, as it is the worst in terms of usability.
My parents and partner use Fedora. They cannot break it and it always works for them. I use Fedora professionally for almost 10 years, I haven't encountered any issues so far. Linus Torvalds also uses Fedora, not that he's of any authority to base your distribution choice on. But it does put your comment in perspective, you can for sure work on a Fedora system, definitely not "the worst in terms of usability".
Please, read up on secure boot and update your review. Maybe even experiment a bit with malicious kernel modules to see what I mean. And if not, then I hope people read the comment section. Take care!
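Added example, not part of the thread or any commenter's code: a way to see whether unsigned modules have been loaded on a running system, the thing the comments above argue about. It relies on the taint flags the kernel appends to each `/proc/modules` line (`E` = unsigned module, `O` = out-of-tree, `P` = proprietary) and on bit 13 of `/proc/sys/kernel/tainted`; the sample module lines and the name `examplemod` are constructed for illustration.

```shell
#!/bin/sh
# Added example: report loaded kernel modules that the kernel marked unsigned.

# Read /proc/modules-format lines on stdin; print "name flags" for every
# module whose trailing taint field, e.g. "(OE)", contains E (unsigned).
# A trailing + or - inside the parentheses means the module is still
# loading or unloading. Modules with no taint end in the load address.
unsigned_modules() {
    awk '{
        flags = $NF
        if (flags ~ /^\([A-Z+-]*\)$/ && flags ~ /E/) {
            gsub(/[()]/, "", flags)
            print $1, flags
        }
    }'
}

# Succeed if the system-wide taint value ($1, decimal) has bit 13 set,
# meaning an unsigned module was loaded at some point since boot.
tainted_has_unsigned() {
    [ $(( ($1 >> 13) & 1 )) -eq 1 ]
}

# Constructed sample in /proc/modules format (not captured from a real host).
sample_modules() {
    cat <<'EOF'
ext4 1003520 2 - Live 0x0000000000000000
v4l2loopback 45056 0 - Live 0x0000000000000000 (OE)
nvidia 56000000 34 nvidia_modeset, Live 0x0000000000000000 (PO)
examplemod 16384 0 - Loading 0x0000000000000000 (E+)
EOF
}

# Use live data where available, otherwise fall back to the sample.
if [ -r /proc/modules ] && [ -r /proc/sys/kernel/tainted ]; then
    echo "Unsigned modules currently loaded:"
    unsigned_modules < /proc/modules
    if tainted_has_unsigned "$(cat /proc/sys/kernel/tainted)"; then
        echo "Taint bit 13 set: an unsigned module was loaded since boot."
    else
        echo "Taint bit 13 clear: no unsigned module loaded since boot."
    fi
else
    echo "No /proc access; constructed sample output:"
    sample_modules | unsigned_modules
fi
```

The taint bit stays set after the module is unloaded, so it can show an unsigned load even when the per-module list is empty.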