kernel recompilation for better hardening

Looks really good already. I have to read more carefully, but I guess it will only be nitpicks from my side. You could also post the draft here: https://www.whonix.org/wiki/Fixing_the_Desktop_Linux_Security_Model

Could you please convert

security vulnerabilities [1]

to

security vulnerabilities

Unless there is a reason not to do this?

or both

security vulnerabilities [1]?

I guess both ([number] style + forum links) would be good too - because then this can be re-posted on mailing lists.

tirdad is a kernel module that aims to prevent TCP Initial Sequence Number (ISN) based information leaks by randomizing the TCP ISNs [6]. This is more of an anonymity feature than a security feature.

Did you see this security argument here?

GitHub - Kicksecure/tirdad: TCP ISN CPU Information Leak Protection. TCP Initial Sequence Numbers Randomization to prevent TCP ISN based CPU Information Leaks.

Could you please mention maybe SAK, login spoofing, the mostly sudo security theater and how multiple boot modes for better security: persistent user | live user | persistent secureadmin | persistent superadmin | persistent recovery mode would fix that?

Worth mentioning all Upcoming Security Enhancements?

Untrusted Root User

deactivate malware after reboot from non-root compromise

Mount Options Hardening

Disable SUID Binaries

Whonix is a security, privacy and anonymity focused Linux distribution. Recently, we’ve been focusing a lot on important security hardening measures and fixing architectural security issues within the desktop Linux security model.

Could you please make more clear that any desktop Linux distribution is affected?
