Windows #
My first experience with Windows came with Windows XP on the family computer, and from that point on, it became my go-to operating system. As someone deeply into gaming and building custom PCs, Windows always felt like the only real option.
There’s always talk of “the last good version of Windows” with opinions ranging from XP all the way to 10. Usually this just seems to boil down to “the last version of Windows that I personally used”. For me that was Windows 10.
The move away from Windows was a death by a thousand cuts. They were already on shaky ground when it came to privacy with the integration of advertisement IDs, Cortana, and locking telemetry control behind higher tiers or regional releases.
Not to mention the gradual implementation of advertisements—which required convoluted methods for disabling them—and the myriad of pre-installed applications that required extensive work-arounds for removal.
So while Windows 10 wasn’t perfect and certainly no bastion of privacy, Windows 11 turned the dial up to… 11:
- Windows 11 now requires a Microsoft account and is ‘removing known mechanisms for creating a local account’
- They dumbed down the context menu and require regedit changes to restore full functionality
- Requires TPM 2.0 as part of its hardware requirements for BitLocker, but it's susceptible to sniffing
- Enabled OneDrive backups without user consent
- Edge is now a core system app that cannot be uninstalled and forces users to interact with it
- The Start menu is a sluggish, resource-hungry React Native application
- Intense UI inconsistencies for system panels ranging from XP to now
- A sluggish File Explorer; their solution is to have it run as a background process 24/7
- Windows search is often broken; when it does work, it shows internet results instead of your files, and this behaviour can only be disabled with regedit
- Forced installation of Copilot that cannot be uninstalled
- Windows Recall integration, which screenshots your computer every few seconds; it was supposed to be enabled by default but is now disabled after user backlash
- Intrusive Updates
- Liberal data collection policies, with the collected data shared with third parties. This is exacerbated by use of Copilot, Edge, or a Microsoft account, all of which are now either mandatory or impossible to uninstall
It seems that not even Microsoft disagrees, as they’ve admitted that all of their core features are broken.
Microsoft #
Microsoft has a tough history with privacy outside of Windows as well:
- Settled for $20 million over allegations of violating children’s privacy laws 1
- Banned in German schools for privacy concerns
- “Sued for $3 Billion Over Alleged ChatGPT ‘Privacy Violations’”
- Participated in PRISM
macOS #
Security #
In the past, macOS benefited from security through obscurity; however, in the last decade, this advantage has diminished significantly, requiring more transparent and robust security measures. Apple has since responded by establishing a public bug bounty program and strengthening its security posture through layered protections:
- XProtect: Antivirus software that detects known malware.
- Malware Removal Toolkit (MRT): Works in conjunction with XProtect to eliminate identified malware.
- Gatekeeper: Tool that checks for app legitimacy, allowing trusted software to run while blocking untrusted apps from executing.
- Firewall: Application-based tool that blocks incoming network connections from potentially unwanted locations.
- Transparency, Consent and Control (TCC): A system of controls that provides end-user visibility into which resources are used by apps and services and requires consent to authorize their use upon the first launch.
- Read-only System Volume: Dedicated, read-only system volume that prevents overwriting of critical OS files.
- FileVault: Full disk encryption scheme that protects data through powerful encryption linked only to authorized users of that device.
— jamf
Privacy #
macOS is more private than Windows, though not without its own privacy issues similar to those in iOS. Under default settings, Apple has unencrypted access to all data stored in iCloud. Even if you choose to delete this data, it seems it wasn’t actually deleted—as seen in the case where deleted photos would reappear.
Apple was an enthusiastic supporter of bringing client-side scanning to their devices. Although this plan was later abandoned due to widespread backlash related to privacy concerns, their integration of Apple Intelligence reintroduces similar concerns.
Hardware #
Apple locks down its macOS devices in an expensive walled garden and remains incredibly hostile to the right to repair.
In 2023, Apple supported a California right to repair bill. Unfortunately, this only seemed to be part of a larger strategic maneuver, as they went back to testifying and lobbying against right to repair bills in the following years.
ChromeOS #
Security #
ChromeOS has very strong out-of-the-box security settings, often providing a comparative advantage over Windows and macOS. Note that these results apply specifically to ChromeOS, which is only available pre-installed on ChromeOS devices.
This is not to be confused with the publicly available ChromeOS Flex. There’s a pretty big feature gap between the two, but ChromeOS Flex retains the strengths of ChromeOS’s sandboxing model.
Privacy #
See DeGoogle.
Hardware #
All ChromeOS devices come with what’s called an Auto-Update Expiration date or AUE.
Once the AUE date arrives, your Chromebook will stop getting automatic software updates from Google; including security updates, bug fixes, and new features. The loss of updates will likely cause apps and browser extensions to stop working properly. You can still use a Chromebook past its AUE, but it won’t function as well as it used to.
— promevo
Devices purchased 2021 or after will have 10 years of updates before the AUE date arrives.
Qubes OS #
Qubes OS is a free and open-source, security-oriented operating system for single-user desktop computing. Qubes OS leverages Xen-based virtualization to allow for the creation and management of isolated compartments called qubes.
These qubes, which are implemented as virtual machines (VMs), have specific:
- Purposes: with a predefined set of one or many isolated applications, for personal or professional projects, to manage the network stack, the firewall, or to fulfill other user-defined purposes.
- Natures: full-fledged or stripped-down virtual machines based on popular operating systems, such as Fedora, Debian, and Windows.
- Levels of trust: from complete to non-existent. All windows are displayed in a unified desktop environment with unforgeable colored window borders so that different security levels are easily identifiable.
— Qubes OS
Though designed for broad accessibility, its complex VM hierarchy will require an adjustment period for any newcomer.
Security and Privacy #
If you're serious about security, @QubesOS is the best OS available today. It's what I use, and free. Nobody does VM isolation better. https://t.co/FyX5NX47cS
— Edward Snowden (@Snowden) September 29, 2016
There’s no formal research paper evaluating its security, but its security-by-isolation model has got the approval of this guy, so it must be doing something right.
Its strong virtualization sandboxing—which aims to address core desktop Linux vulnerabilities—combined with the lack of first-party telemetry makes Qubes OS a very appealing choice for security and privacy.
If your primary concern is having the most private and secure FOSS OS possible, Qubes is for you.
Performance #
Qubes OS has high system requirements and substantial resource overhead from virtualization layers that can lead to up to 91% degradation in desktop graphics performance.
This leaves it an ill-suited candidate for computationally intense tasks like gaming, which is why I decided to give it a pass.
Linux #
Linux, as a term, primarily refers to the kernel, but has colloquially come to also be a catch all term for the operating systems built around it. However, “Linux” can differ drastically depending on the distribution (distro)—which vary wildly in goals, audiences, stability, security features, and user experience.
Because of this diversity, making generalized or categorical statements about “Linux” as an operating system is challenging and often misleading. As Linux gains popularity, it may benefit the community to treat each distribution as its own distinct entity rather than conflating them all under the kernel they share—respecting the unique design decisions and use cases of each distro.
For the purpose of this section, when I say “Linux”, I am referring to Linux as a desktop distro, not as a kernel, server platform, or router software.
Security #
Similar to macOS, Linux has long benefited from security through obscurity. This has led to the false presumption that Linux is more secure than the alternatives; it is not.2
Despite these security drawbacks, it does not mean that Linux is unusable or even undesirable for everyday usage. Much of the low-hanging fruit can be addressed by selecting a mainline distro with a dedicated security team.3
However, these do not address Linux’s fundamental architectural shortcomings—a gap that hardened distros aim to bridge:
FOSS #
Another common misconception is that Linux distros are more secure simply because their code is open and auditable; however, source unavailability doesn’t imply insecurity, and source availability doesn’t imply security. The core techniques used in security analysis (like fuzzing and reverse engineering) are routinely applied to compiled binaries, regardless of source availability.
Privacy #
What Linux lacks in security, it makes up for in privacy with the absence of built-in telemetry from first-party providers—avoiding the extensive data collection present on other operating systems. While Linux’s relatively weaker security posture may render it more susceptible to third-party threats like malware or other applications, I am willing to make that trade-off to have a user-first operating system—especially since I plan on using my PC for gaming which is an inherently insecure hobby.
Anonymity #
There are two main distros focused on offering an anonymous experience:
Distros #
Dualbooting #
It is often recommended to dual-boot Linux with Windows. It seems like a reasonable proposition. You get easy access to both OSes that you can swap between whenever the need arises. Unfortunately this can often introduce more issues than it solves. Windows does not like sharing space with other OSes, and has caused issues for decades by corrupting Linux installs on the same drive. The most recent example of this took nearly 6 months to resolve.
If you want easy access to Windows, I’d recommend first trying Winboat or a VM. If you must dual-boot, do so using separate drives to sidestep these issues altogether.
Dedicated Security Teams #
- Debian: Debian Security Team
- Fedora: Red Hat Product Security and Fedora Security
- Covers all Editions, Spins, and Atomic Desktops
- OpenSUSE: SUSE Security
- Both Tumbleweed and Leap
- Ubuntu: Ubuntu Security
Many distros are built downstream of these mainline ones. They layer on custom first-party packages—sometimes entire desktop environments (DEs)—that lack dedicated security teams for CVE triage and patching. Their inclusion of community-maintained scripts and repos can further increase the attack surface.
However, I don’t think this is an enormous issue. There are valid reasons to use a distro other than prioritizing security, and you’ll greatly improve your privacy and user freedom compared to proprietary OSes.
As long as you’re aware of the trade-offs you are making, I think it’s fine. Regardless of your choice of distro you can always do some additional hardening.
Arch, btw #
I’ve had a lot of fun with Arch. It’s probably the distro I’ve learned the most about Linux with. It’s a completely DIY fast-moving rolling distro. Its volunteer security team vets the core packages, but the community-run AUR doesn’t have any quality assurance (QA), so use responsibly. It really is what you make of it, but demands extensive system maintenance.
Linux Mint #
Like many, Linux Mint (LM) was my first real foray into the world of desktop Linux. It’s slick, stable, and a great jumping-off point for someone switching from Windows.
Linux Mint offers two main editions: the primary version based on Ubuntu, and the alternative Linux Mint Debian Edition (LMDE), which is built on Debian. Both are developed and maintained by the same Linux Mint team.
The project does not have a dedicated security team, but it inherits security-vetted packages from its upstream sources—Ubuntu packages/Debian packages. Linux Mint adds custom packages from its own repository, but I wasn’t able to find any public security policies for it.
The default DE for Linux Mint is the in-house developed Cinnamon. Unlike GNOME and KDE, however, it does not have a security team to vet it. In addition, its default session is X11, which suffers from numerous security issues. Wayland support is currently experimental, but they are working on adding full support.
I still consider Linux Mint a great distro and an excellent on-ramp for anyone trying Linux for the first time. Despite the security concerns, Cinnamon desktop delivers a familiar, Windows-like experience that lowers the learning curve significantly. Ultimately, it excels at delivering a tremendous increase in user freedom, privacy from first-party telemetry, and a polished GUI that provides full functionality without any command line usage.
NixOS #
NixOS is possibly the most unique Linux distribution I have come across. It’s a unique blend of declarative configurations, atomic transactions, and the Nix package manager.
The whole system is primarily defined by a small set of declarative configuration files, centered around configuration.nix. When changes are made to the configuration, the system builds a new generation—a complete, self-contained snapshot that can be booted into. This effectively means you can take this one file (ok maybe more than one) and use it to generate an identical setup on another machine running NixOS.
It keeps a history of generations that you can roll back to at any time. The bootloader always lets you select a previously bootable configuration if the latest one fails.
The Nix package manager eliminates dependency hell by allowing multiple versions of libraries and applications to coexist. Installing or removing packages cannot silently overwrite shared files, greatly reducing configuration-drift.
NixOS maintains a dedicated security team; however, key security features like Secure Boot and SELinux integration are still pending, with ongoing development efforts. Similarly, their package ecosystem, Nixpkgs, is also undergoing security improvements.
Similar to Arch, NixOS is what you make of it and also demands system maintenance; however, unlike Arch, the documentation is pretty lacking. There are the official and unofficial wikis, but both have many gaps—you will often be on your own.
Universal Blue (Ublue) #
Universal Blue is a manufacturing process that focuses on community-driven sharing of best practices via automation to make awesome desktop and server operating systems. That’s nerdspeak for the ultimate Linux client: the reliability of a Chromebook, but with the flexibility and power of a traditional Linux desktop. We produce a diverse set of continuously delivered operating system images using bootc.
— Universal Blue
Fedora’s Anaconda installer configures the bootloader (GRUB2), bootc/rpm‑ostree/related tooling, and an OCI image that contains the kernel, userspace, initramfs. Bootc then tracks and maintains the image without any user interaction necessary. The result is a fully functioning OS with automatic updates.
uBlue uses the Anaconda installer, but swaps out Fedora’s OCI image for one of their customized, extended versions of the Fedora Silverblue OCI image, like Aurora, Bazzite, and Bluefin.
This setup allows you to rebase to other images without having to reflash your entire system. For example, I originally installed Bluefin on my laptop, but later decided I wanted a setup better suited for gaming. I ran a single command, rebooted, and was instantly running Bazzite. The Bluefin OCI image had been replaced with the Bazzite one.
uBlue does not have a dedicated security team, but since their images are based on Fedora, most packages undergo Fedora’s vetting process. However, the additional packages it pulls from third‑party repositories such as RPM Fusion (which has some curation) and Copr (which has none) increase the overall attack surface. It also comes with pre-installed GNOME extensions which further increase the attack surface.
The main security concern for uBlue lies in software supply chain attacks, especially those involving GitHub Actions—which was compromised earlier this year—where the images are built. While uBlue didn’t experience any credential leaks, it did expose weak points in their security model that they have since updated.
Another concern with their delivery mechanism is that you’re trusting their image signing and delivery process, which they have mishandled in the past by shipping a broken update. While they shipped a fix the same day with excellent transparency, it still required manual user intervention—without which, you would not receive any more updates. They have since updated their practices, and an issue like this has not appeared since.
Despite these concerns, their default security posture is stronger than that of traditional package-based Linux distros due in large part to their cloud-native structure:
- Updates are automated and only applied in full (atomically), never partially
- Core OS is read-only
- All installations are done with sandboxed, containerized solutions (Flatpak, Distrobox, Homebrew, etc.)
If none of the images are to your liking, you can create your own.
The best way to harden uBlue is to rebase to secureblue.
secureblue #
secureblue is a security-focused desktop and server Linux operating system, developed as an open-source project. It is shipped as a set of OCI bootable container images, which are generated with BlueBuild, using Fedora Atomic Desktop’s base images as a starting point
— secureblue
Originally, secureblue was built off of uBlue’s images—hence the naming scheme—however, they have since switched to Fedora Silverblue, which they harden with several features. I haven’t tried it yet, but I plan to rebase to it eventually.
secureblue is for those whose first priority is using Linux, and second priority is security. — secureblue
If this sounds like you, secureblue’s worth a try.
Kicksecure #
Kicksecure aims to be a hardened version of Debian that focuses on being reasonably secure and stable. It strives to provide a secure-by-default experience by implementing verified boot, a hardened kernel, and a full system-wide MAC policy.
Whonix #
Built on a modified version of Kicksecure, Whonix aims to provide a secure and anonymous OS through its dual-VM architecture:
- The Whonix-Workstation, which runs applications with stream isolation
- The Whonix-Gateway, which routes all traffic through Tor
Whonix is designed to be run in a VM and is often used in tandem with Qubes OS in a configuration known as Qubes-Whonix.
Tails #
Tails is an amnesic OS designed to run off a flash drive. The entire system operates entirely in Random Access Memory (RAM), routes all traffic through Tor, and deletes memory on shutdown.
Tails is meant to be used for a single purpose at a time; it is not suitable for everyday usage.
My Setup #
While I’ve been guilty of distro-hopping, I’ve recently settled on the uBlue family of images for my OS of choice. I appreciated the freedom of Debian and hope to earnestly daily-drive NixOS one day, but my extensive experience with uBlue images in the enterprise space thoroughly impressed me. I currently use Bazzite-dx on both my desktop and laptop. It retains all the gaming tweaks from Bazzite while incorporating the convenient developer presets from Bluefin-dx.
Installation #
Getting the OS installed is the most complicated part of using any uBlue image. Day 0 can introduce many complications ranging from hardware considerations to secure boot, but thankfully the documentation has improved significantly, with many more troubleshooting resources than were available when I first installed it.
I have had issues with the installers they ship on the websites not working for several laptops. They usually fail during the encryption stage, do not open at all, or freeze at the start screen. In these cases, I used the Fedora Silverblue installer instead, and then rebased to one of the uBlue images. If you do this, make sure to rebase to a signed image after the first rebase. I have not encountered this issue on any desktop hardware.
ujust #
Like other uBlue images, Bazzite comes with a series of custom ujust convenience commands. They aim to provide automated setup for many common tasks you may perform on your machine, or other opinionated settings that they offer. You can view the full selection with ujust --list or choose to run any command with ujust --choose.
Automatic Updates #
I really like the automatic updates. They’re nothing like the forced, intrusive updates of Windows. The system runs daily checks that quietly install updates in the background during low activity (so not while gaming). Updates can be run manually with ujust update. The updated image is then loaded on the next reboot. Bazzite typically gets updates twice a week, so as long as you reboot your computer once a week, you’ll be on the bleeding edge. Update cadence varies for other images.
The update system has been preferable to traditional desktops, as I may be away from my gaming desktop or laptop for months at a time. Having it automatically updated to the bleeding edge after I start using it again, without any manual input, is really nice.
Encrypted Drives #
I encrypted my main drive during installation, which requires me to enter two passwords on startup: one to unlock the drive, and another to log in to the user account. This can become cumbersome over time, but there are ways to reduce the hassle:
- Set your default user to auto-login so that you only have to enter the drive password (you will still need to know your login password for any admin commands).
- Use a fingerprint scanner for biometric login.
- Use a FIDO2 security key for login.
- Automate drive encryption with TPM unlock (ujust setup-luks-tpm-unlock). This is the most insecure option, especially if you have an AMD CPU.
On my Framework laptop, I leave this enabled, as it’s basically a form of 2FA login: I enter a password to decrypt the drive and then use my biometrics to log into my user account.
Auto-mount and Auto-decrypt #
On desktop, I have secondary drives that I also keep encrypted. Although Bazzite auto-mounts secondary drives on startup, this will not happen if the drive is encrypted. This produces the unwanted usability issue in which you have to manually decrypt and mount the drive on every login. If you have any Steam games on those drives, they will not be detected or updated by Steam until you do this.
Thankfully, with GNOME Disks4, you can easily set any drive to auto-decrypt (and auto-mount if that’s not working) on login. The credentials are stored in the Secret Service keyring, which is accessed after login.
Terminal #
The default terminal is Ptyxis, which is pretty standard but offers a bit more customizability than the defaults, and primarily provides quick GUI access to containers running on your machine.
ujust bazzite-cli applies opinionated defaults by installing several command-line interface (CLI) tools. They’re all really helpful, but Atuin, fzf, and zoxide are the standouts for me.
The terminal also has some branding and hints that it shows by default whenever you open it. I turn these off with ujust toggle-user-motd.
Backups #
Backups can be managed on three different levels:
- Btrfs is the default file system for all uBlue images. It uses copy‑on‑write (CoW), which allows for snapshots of subvolumes. Snapshotting can be enabled with ujust configure-snapshots, which can then be managed with Btrfs Assistant. Snapshots are taken every hour; I retain snapshots of /var/home for the last 10 hours, days, and weeks. Since these are stored on the same drive, they are not meant to be a long‑term backup solution.
- Bazzite ships with Pika Backup, which is a GUI front‑end for creating Borg backups. These are ideal for a long‑term backup strategy; they can be encrypted, stored locally, on a remote drive, or kept in cold storage. I back up /var/home/ and exclude caches, as they sometimes have permission conflicts that prevent a successful backup. These are ideally saved on a separate drive and can be scheduled regularly, which is convenient if you have network‑attached storage (NAS).
- Unlike the previous two methods, rollbacks/rebases do not affect /var at all. These primarily affect the read‑only portions of the system changed during updates. Occasionally, an update may end up breaking something. Rollbacks will only take you to the previous system deployment; if you need to go further, you will have to rebase to one of the older releases. It is recommended to use bazzite-rollback-helper for these actions.
Snapshots and Borg backups can easily be combined to form a 3-2-1 backup model.
Extensions #
The GNOME version of Bazzite comes with several preinstalled extensions. I don’t use all of the default ones, and I’ve added a few extra to suit my workflow. Here’s what my setup looks like:
| Extension | Pre-installed | Description |
|---|---|---|
| Caffeine | Yes | Disable the screensaver and auto suspend |
| Blur my Shell | Yes | Adds a blur look to different parts of the GNOME Shell, including the top panel, dash and overview |
| Restart To | Yes | Adds a menu item to restart to any other EFI boot entry |
| Tiling Shell | No | Extend Gnome Shell with advanced tiling window management |
| Framework Fan Control (Only on my laptop) | No | A convenient way to control your framework laptop fan profile |
VPN #
There is a common misconception that VPNs must be managed through their own dedicated GUI apps. Because Flatpak applications are sandboxed, these GUI-based VPN clients can sometimes struggle to control network traffic properly, which leads to some users resorting to layering. This is not recommended.
The overwhelming majority of VPN providers offer WireGuard or OpenVPN configuration files that you can download and open directly with a double-click. When you do this, NetworkManager will import the configuration for you, and you can then manage the VPN entirely through the integrated GUI in the DE.
Applications #
Fedora Atomic Desktops have read-only root files to prioritize stability. Therefore, containerized applications that do not interfere with your host system will work best.
…
1. ujust (Convenience Commands) - Custom scripts maintained by Bazzite & Universal Blue contributors that can also install a small subset of applications.
2. Flatpak (Graphical Applications) - Universal package format using a permissions-based model and should be used for most graphical applications.
3. Homebrew (Command-Line Tools) - Install applications intended to run inside of the terminal (CLI/TUI).
4. Quadlet (Services) - Run containerized applications as a systemd service.
5. Distrobox Containers (Linux Packages & Development Workflows) - Access to most Linux package managers for software that do not support Flatpak and Homebrew and for use as development boxes.
6. AppImage (Portable Graphical Applications) - Portable universal package format that relies on specific host libraries at a system-level, usually obtained from a project’s website.
7. rpm-ostree (System-Level Packages) - Layer Fedora packages at a system-level (not recommended, use as a last resort)
— Bazzite
It is recommended to install programs in the numbered order above.
- Most GUI applications are available through the Bazaar app store.
- Homebrew has most CLI tools and now has a dedicated security team, passed a recent security audit, and addressed the findings.
- Distrobox is rarely needed, though exceptions like Signal exist—for which I’ve created an automated installer.
Regardless of the installation method, all are trackable and easily audited—so you can always have a full view of what modifications you have made to your system.
- Flatpaks can be tracked in the Installed tab on Bazaar, with Warehouse, or with flatpak list
- CLI tools installed with Homebrew can be tracked with brew list
- Quadlets that you created can be viewed in ~/.config/containers/systemd/ (rootless) or /etc/containers/systemd/ (rootful)
- Distroboxes can be tracked with distrobox list or DistroShelf
- AppImages can be managed with Gear Lever
- Layered packages can be tracked with rpm-ostree status
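The layered-package check above and the earlier advice to rebase to a signed image after a first rebase can both be read from the same rpm-ostree status output. The following is an added example, not code from Bazzite or Universal Blue: it assumes the container-image-reference, requested-packages and requested-local-packages keys of rpm-ostree status --json and the ostree-image-signed: / ostree-unverified-registry: reference prefixes, and the sample status is constructed.

```python
import json
import shutil
import subprocess

# Reference prefixes: the signed form enforces the container signature policy
# on every pull, the unverified forms skip signature verification entirely.
SIGNED = ("ostree-image-signed:",)
UNVERIFIED = ("ostree-unverified-registry:", "ostree-unverified-image:")

# Constructed sample: the state right after rebasing from an unsigned first
# rebase to the signed image, before rebooting into it.
SAMPLE_STATUS = json.dumps({
    "deployments": [
        {"booted": False, "staged": True,
         "container-image-reference":
             "ostree-image-signed:docker://ghcr.io/ublue-os/bazzite-dx:stable",
         "requested-packages": []},
        {"booted": True, "staged": False,
         "container-image-reference":
             "ostree-unverified-registry:ghcr.io/ublue-os/bazzite-dx:stable",
         "requested-packages": ["coolercontrol"],
         "requested-local-packages": []},
    ]
})


def classify_image_ref(ref):
    """Return 'signed', 'unverified', 'other' or 'not-container'."""
    if not ref:
        return "not-container"
    if ref.startswith(SIGNED):
        return "signed"
    if ref.startswith(UNVERIFIED):
        return "unverified"
    return "other"


def audit_status(status_json):
    """Summarise every deployment: role, image trust level, layered packages."""
    report = []
    for dep in json.loads(status_json).get("deployments", []):
        if dep.get("staged"):
            role = "staged"      # becomes active on the next reboot
        elif dep.get("booted"):
            role = "booted"      # what is running right now
        else:
            role = "rollback"    # previous deployment kept for rollback
        ref = dep.get("container-image-reference") or ""
        layered = sorted(set(dep.get("requested-packages") or [])
                         | set(dep.get("requested-local-packages") or []))
        report.append({"role": role, "image": ref,
                       "trust": classify_image_ref(ref), "layered": layered})
    return report


def findings(report):
    """Turn the report into the items worth acting on."""
    out = []
    for entry in report:
        if entry["trust"] == "unverified":
            out.append(f"{entry['role']}: unverified image reference "
                       f"{entry['image']}; rebase to the ostree-image-signed: form")
        if entry["layered"]:
            out.append(f"{entry['role']}: {len(entry['layered'])} layered "
                       f"package(s): {', '.join(entry['layered'])}")
    return out


def load_status():
    """Use the live system when rpm-ostree exists, else the constructed sample."""
    if shutil.which("rpm-ostree"):
        return subprocess.run(["rpm-ostree", "status", "--json"], check=True,
                              capture_output=True, text=True).stdout
    return SAMPLE_STATUS


if __name__ == "__main__":
    report = audit_status(load_status())
    for entry in report:
        print(f"{entry['role']:9} {entry['trust']:13} {entry['image']}")
    for line in findings(report):
        print("FINDING:", line)
```

In the sample, the signed image is only staged, so the machine keeps running the unverified deployment until the next reboot.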
Here are all the apps that I use (some may come pre-installed); I am excluding basic utilities like the calculator. Everything except for Steam is FOSS:
| Application | Installation Method | Description |
|---|---|---|
| Authenticator | Flatpak | Two-factor authentication token manager |
| Beaver Notes | Flatpak | Private note-taking app |
| Bazaar | Flatpak | Flatpak app store |
| Btrfs Assistant | Pre-installed | Btrfs snapshots manager (Snapper, activated with ujust configure-snapshots) |
| Cooler Control | rpm-ostree layer | Fan curves manager (ujust install-coolercontrol) |
| Dialect | Flatpak | Translation app |
| DistroShelf | Flatpak | Distrobox manager |
| Embellish | Flatpak | Nerd Font manager |
| Extension Manager | Flatpak | GNOME Shell extensions manager |
| File Shredder | Flatpak | Permanent file deletion tool 5 |
| Firmware | Flatpak | Firmware updater and reinstaller |
| Flatseal | Flatpak | Flatpak permissions modifier |
| Firefox | Flatpak | Mozilla open-source web browser |
| FluffyChat | Flatpak | Matrix client |
| FreeTube | Flatpak | Privacy-focused YouTube client |
| Gajim | Flatpak | XMPP instant messaging client |
| Gapless | Flatpak | Offline music player with gapless playback |
| Gear Lever | Flatpak | AppImage manager |
| GIMP | Flatpak | Image editing application |
| Halloy | Flatpak | IRC client |
| Helvum | Flatpak | GUI patchbay for Pipewire |
| Heroic | Flatpak | Open-source games launcher for GOG and more |
| Ignition | Flatpak | Startup apps manager |
| Impression | Flatpak | Disk image writer |
| Inkscape | Flatpak | Vector graphics design tool |
| Jellyfin | Flatpak | Media server client |
| KeePassXC | Flatpak | Password manager |
| Limo | Flatpak | Mod manager |
| LocalSend | Flatpak | Local file sharing app |
| Maps | Flatpak | Navigation and location search app |
| Mission Control | Flatpak | GNOME messaging and task organizer |
| Mullvad Browser | Flatpak | Privacy-focused Gecko-based browser |
| Munadi | Flatpak | Azan and prayer notification app |
| Newsflash | Flatpak | RSS/Atom feed reader |
| OBS Studio | Flatpak | Video recording and streaming software |
| Parabolic | Flatpak | yt-dlp GUI frontend |
| PDF Arranger | Flatpak | PDF merge, split, and rotate tool |
| Pika Backup | Flatpak | Borg backup creator |
| Proton Mail | Flatpak | Proton Mail client |
| qBittorrent | Flatpak | BitTorrent client |
| Refine | Flatpak | GNOME Shell customization tool |
| Signal | Distrobox | Secure messaging and calling app |
| Solaar | Flatpak | Logitech peripherals manager |
| Steam | Pre-installed | Gaming platform and store |
| SyncThingy | Flatpak | Syncthing GUI client |
| Trayscale | Flatpak | Tailscale client |
| Ungoogled Chromium | Flatpak | Chromium browser without Google integration |
| Virt-Manager | Flatpak | Virtual machine manager (ujust setup-virtualization) |
| Volume Control | Flatpak | Audio volume controller and balancer |
| Warehouse | Flatpak | Flatpak package manager |
| Warp | Flatpak | Secure file transfer using Magic Wormhole protocol |
| Whisper | Flatpak | Microphone audio processor |
| WinBoat | AppImage | Automated Windows VM setup for running Windows apps |
| Wireshark | Flatpak | Network traffic analyzer |
| Zed | Flatpak | Lightweight integrated development environment |
1. Settlements outside of court are not an admission of guilt, proof of wrongdoing, or evidence of liability. ↩︎
2. There is an argument that Qubes OS could be an exception: although it’s not technically a Linux distro (it uses the Xen microkernel), it does use Fedora in dom0 and all the official templates are Linux distros. ↩︎
3. This list is restricted to my arbitrary definition of “mainline distro”. ↩︎
4. You can use KDE Partition Manager as well, but the GUI will be different. ↩︎
5. Within a certain limit, it is effective. However, modern SSDs use certain technologies to extend its lifetime, which has the side effect of ensuring that shredding is never perfect, and no software can fix that. But shredding significantly increases the difficulty of data recovery since it requires specialized software and hardware.
   — Alan Beveridge ↩︎