SecureBlue is currently the most secure and privacy respecting Linux based desktop operating system out there. Yes, SecureBlue is significantly more secure than KickSecure. I will cover in what ways.
I believe QubesOS to be more secure on pretty much all fronts, but QubesOS is not a Linux based desktop operating system. I also believe Whonix, which is based on KickSecure, has better security and privacy properties than SecureBlue, but it is a special purpose operating system, and not a regular Linux desktop operating system.
I doubt that to be true. It is hard to do worse than Debian, and KickSecure’s goal is very expressly to do better than Debian on all fronts. I also doubt GrapheneOS developers have said this, since they never speak without having merits to what they say. A reference to where this was stated would be welcome.
Yes, and yes.
Relevant ticket filed by one of the QubesOS developers:
The whole Fedora vs Debian debate pretty much comes down to Fedora being far better at getting security updates out fast while Debian is notably slower, but that Debian offers reproducible builds to verify trust which Fedora does not.
Some security focused operating systems prefer quick security updates, and pick Fedora. Others prefer the perceived increased trust that Debian offers. Ideally though, Fedora would have reproducible builds too, or Debian would improve their security posture.
What makes you say that? What of everything they are doing appears shady to you? The developers are very active in the privacy community, and they have resolved many security and privacy issues that KickSecure hasn’t, so they appear very competent too. Nothing with SecureBlue appears shady to me.
This is actually not true. The whole thing with Whonix is the gateway-workstation separation using virtual machines. That is what the security in Whonix relies on, and that is a very strong isolation that provides very tangible security and privacy guarantees. KickSecure itself is a very modest improvement over Debian, and it lacks that separation.
One big security and privacy improvement of SecureBlue over KickSecure is that SecureBlue has the Trivalent web browser, which is a Chromium based fork with the GrapheneOS patch series. This means SecureBlue comes with a security and privacy hardened web browser with all telemetry patched out by default. This is significant. KickSecure in the meantime comes with Firefox, without any specific hardenings applied, and with all the very privacy invasive telemetry still enabled.
Here is a ticket about KickSecure’s failure to deal with the web browser situation as of yet:
There are also many tickets and forum posts talking about it on KickSecure’s ticket tracker and forum.
Another big security and privacy improvement in SecureBlue over KickSecure is that SecureBlue comes with an app sandbox, Flatpak. This allows containing each app by default, so it cannot access your files or other apps’ data even if compromised. This is significant. KickSecure in the meantime has no such app sandboxing, and if a single app is compromised, that app gets read-write access to everything. Now, this security and privacy improvement is not super meaningful in the context of QubesOS, since QubesOS already offers a much stronger isolation between qubes, but running as a standalone desktop operating system, this is a huge security and privacy advantage of SecureBlue.
SecureBlue also contains all the same kinds of hardenings KickSecure has, such as no-suid, hardened kernel parameters, and so on, but also contains some additional security improvements, like the hardened_malloc project from GrapheneOS, which increases the likelihood of stopping exploits in most apps. SecureBlue will also benefit from all the security work Fedora is doing right now in a few years, while KickSecure will miss out on that as Debian lacks similar initiatives.
It is still worthwhile to mention that even if SecureBlue is the most secure and privacy respecting Linux desktop operating system out there right now, it is not anywhere near the level GrapheneOS is. It is also worth mentioning that the security improvements in SecureBlue do not matter as much in the context of QubesOS as they do when being run standalone, even if they still offer some additional hardening against exploits.