Fixing the Desktop Linux Security Model

Even if that is the case, if SELinux is too hard for mortals to write, then that theoretical advantage doesn’t help.

Yes. Only a first step. Would require something like ELF signature check.

Fatalism.

Similarly it can be argued it’s a waste to build on top of Android: [2]

  • Android isn’t “real” Open Source. AOSP may be technically Open Source but the behavior is unique and not Open Source-like at all.
  • Developed by a company, Google, that is one of the biggest violators of privacy ever, among other evil behavior.

But he’s building GrapheneOS on top of Android anyhow.

I don’t think there’s any base Linux distribution suitable for Whonix to build on top of:

Notes here:

Replacing Debian might be worthwhile if there is any distribution that has:

[1] I would like to build a space ship, explore the universe, make peaceful contact with other space traveling species should they exist. But currently doesn’t look realistic.

Requires a base distribution which does that.

systemd CVEs don’t look so bad. Not judging by numbers but by issues if they were an actual issue for Whonix. Doesn’t look so bad. More so when limiting it to the core of systemd.

systemd supports tons of security features in a usable way such as seccomp, capabilities, limits, private-tmp, private devices, read-only directories, and whatnot.

Unless there’s something really better than systemd (which I doubt) and/or resources to port to it, Whonix is settled with systemd. This is strongly related to the base distribution issue. If there was a more secure base distribution that decided not to use systemd and had something else, then this might be doable.

Same as [1]. Basically, re-base on Android? I am not convinced of Android due to [2].

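The systemd features listed in the post above (seccomp, capabilities, limits, private-tmp, private devices, read-only directories), written out as a service drop-in. This is an added example, not part of the original post or of Whonix's configuration; the unit name `example-daemon.service`, its state directory and the limit values are hypothetical.

```ini
# /etc/systemd/system/example-daemon.service.d/hardening.conf
# Hypothetical drop-in for a hypothetical unit (example-daemon.service).
# Comments must be on their own lines in unit files.
[Service]

# seccomp: allow only the syscall group typical for services,
# return EPERM instead of killing the process, native ABI only
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native

# capabilities: an empty bounding set drops every capability,
# and NoNewPrivileges blocks regaining them via setuid binaries
CapabilityBoundingSet=
AmbientCapabilities=
NoNewPrivileges=yes

# limits (constructed values; size them for the real workload)
LimitNOFILE=1024
LimitNPROC=64
LimitCORE=0

# private-tmp: the service gets its own /tmp and /var/tmp
PrivateTmp=yes

# private devices: only pseudo-devices such as /dev/null are visible
PrivateDevices=yes

# read-only directories: the whole file system hierarchy is read-only,
# home directories are inaccessible
ProtectSystem=strict
ProtectHome=yes

# the one writable location: systemd creates /var/lib/example-daemon
# and keeps it writable despite ProtectSystem=strict
StateDirectory=example-daemon
```

After `systemctl daemon-reload` and a restart of the unit, `systemd-analyze security example-daemon.service` lists which sandboxing directives are in effect and which are still unset.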