I think this topic is important enough it deserves its own thread.
A bit of background info:
- Yves-Alexis Perez is one of Debian’s major sec engineers.
- ANSSI is the French COMSEC department so not a spook outfit.
- CLIP OS is their hardened distro work, where it may be beneficial to use or cherry-pick as much stuff as possible.
They make use of the most active hardened Linux fork: https://github.com/anthraxx/linux-hardened
They are working on upstreaming patchsets like stackleak and lockdown and are using LSMs like Landlock. Until then, the work is integrated into their fork of the kernel, among other enhancements not mentioned here.