• 5 Posts
  • 14 Comments
Joined 5 months ago
Cake day: December 19th, 2024



  • OP, another vote for this one.

    It addresses your concerns in a wonderful way:

    • Reliability; while it’s far from unique in this regard, I’d argue that the uBlue distros are one of, if not the, most reliable desktop Linux experiences currently out there. You know most of the drill already (read: built-in rollback functionality, clean base system). But the uBlue project has some aces up its sleeve that (to my knowledge) are pretty unique:
      • “Ninety (90) days of image archives allowing for flexible rollback options.” The images are stored online, so they don’t even take space on your device.
      • Shared community maintenance, i.e. even if upstream has a rare fuck-up, you can trust uBlue’s maintainers to deal with it without you even noticing. For a recent example of this, we got this.
    • Access to the AUR; while Distrobox can be installed on any distro, uBlue projects come with perks that make the whole experience better than it’s found elsewhere. From quadlets that have been properly set up from the get-go so that you don’t have to (additionally) maintain those Distrobox containers, to even minor things like including BoxBuddy OOTB to make the transition as easy as they come.
    • Setup for gaming; it goes without saying that Bazzite is excellent for gaming. It’s gaming-ready OOTB and includes (almost[1]) all the performance tweaks you’d wish for.
    • Set up and forget; I (almost[2]) don’t know any other distro that better embodies this than Bazzite (and its other uBlue relatives).

    All in all, I think Bazzite is definitely worth a look. Consider installing it and setting it up to your heart’s content. If, at any time during or after that process, you come across an insurmountable[3] issue caused by its atomic/cloud-native/‘immutable’ nature, then you can check it off your list and look elsewhere.


    1. CachyOS is still superior in this regard by doing a better job at inching out (literally) every performance gain out there.
    2. Perhaps Endless OS does an even better job at this, but that would be a bad recommendation for all the other reasons.
    3. Before giving up, if you haven’t done so by then, at least consider contacting the community through their Discord server. They’re very helpful. FWIW, Bazzite has pretty excellent documentation as well. (Even if it ain’t as exhaustive as the even more impressive ArchWiki. Granted, it doesn’t have to be as expansive.)

  • Literally said they don’t want immutable.

    At best, they might have implied it. (But I don’t think they do.) Here are the (relevant) snippets:

    I honestly have even been looking into some of those immutable distros (that’s how much I don’t want to be fixing my system. I’m tired, I just want to use my system to get work done)

    I was once told by some kind soul to use an immutable distro and setup “distrobox” on it if I wanted the AUR.


  • Regarding Caps Lock, the user named “warmaster” only relayed their own experiences. FWIW, I can relate to their experience. Ever since my switch from Windows to Fedora Silverblue, I haven’t experienced any difference in Caps Lock functionality; it’s literally the same as I was used to on Windows, and thus the very same you* said you liked. My repertoire of distros ain’t as impressive as that of some notorious distro-hoppers. However, I don’t recall this being different on Arch, EndeavourOS, Nobara or other images within the Fedora Atomic ecosystem.

    Edit: added “you”


  • As I noted in the footnotes of this comment, Qubes OS is technically not a Linux distro as it’s based on Xen instead. But yeah, it’s without a doubt the gold standard when it comes to secure-by-default desktop operating systems, far surpassing even Kicksecure and secureblue.

    As for Tails, while its amnesiac property is excellent for protection against forensics, it’s not meant as a daily driver for general computing; which was also touched upon in the aforementioned footnotes.


  • For this writing, I’ll focus on the OOTB experience. Furthermore, a daily driver for general use is assumed. I’ll also try to keep it (relatively) brief and concise for the sake of brevity. The tier list found below goes from worst to best.

    • Tier -1: Actively detrimental distros. Joke/meme distros, abandoned/discontinued projects and even outright malicious products. Simply don’t use them for production. The likes of Hannah Montana Linux and Red Star OS come to mind.
    • Tier 0: Unopinionated distros. These should be regarded as blank canvases that you’re expected to meld and forge to your liking. As such, at least by default, they offer nothing in this regard. However, it’s possible to build a fortress if you wish. Both Arch and Gentoo fall under this category.
    • Tier 1: Distros that have put some work into security, but ultimately fall short. These distributions include security features and maintain regular updates, but their implementation choices can introduce security compromises. This tier often includes derivatives that modify their parent distribution’s security model, sometimes prioritizing convenience over security best practices. While they may be suitable for general use, they may not provide the same security guarantees as their upstream sources.
    • Tier 2: Distros with sane security defaults that rely on backports for their security updates. These distributions prioritize stability while maintaining security through careful backporting of security fixes. Rather than updating entire packages, they selectively patch security vulnerabilities into their stable versions. This approach provides a good balance of security and stability, though it means newer security features might take longer to arrive (if at all). Debian and Ubuntu are prime examples of this.
    • Tier 3: Distros with excellent security defaults and a (semi-)rolling release. For most normies, this is as secure as it needs to be. As it’s on a (semi-)rolling release, it receives security updates as soon as they come. Furthermore, this also allows them to benefit from new security features as soon as they appear. Curiously, the two distros that most resonate with this, i.e. Fedora and openSUSE Tumbleweed, are also known to innovate (and thus are pack leaders) when it comes to security solutions. FWIW, their respective atomic/immutable distros also belong in this tier.
    • Tier 4: Security-first distros. The crème de la crème. These are probably overkill for most people. This is also the first (and only) tier that may sacrifice usability and function for the sake of security. If your highest priority is security, then you can’t go wrong with this one. Kicksecure and secureblue are its flag bearers.

    I’d personally grant Linux Mint a position in tier 2, though perhaps others would go with tier 1 instead. As such, a step-up would be a distro from either Fedora or openSUSE.


  • Thanks for the clarification!

    If you trust both the source and the file, then downloading by itself shouldn’t constitute a problem. Supply-chain attacks are still possible, but that’s a hard problem to solve anyways. I suppose I’d only trust Qubes OS to handle that gracefully.

    For general browsing, GrapheneOS folk would advise against Firefox(-based browsers). Instead, they’d recommend (something based on) Chromium. Personally, I do follow that advice. But I understand if you’d like to stick to Firefox(-based browsers).

    Coming back to Linux Mint, I won’t go over my (personal) qualms with the security model of the distros it’s based on. But as Linux Mint offers one of the best onboarding experiences, it would be a disservice to lead you elsewhere. Become comfortable with Linux through it. And, perhaps one day, if you feel like venturing elsewhere, you can try out distros that offer better security. Thankfully, Linux Mint’s OOTB security should be sufficient until then.

    As for the article, everything except for the fourth recommendation is a W. Utilizing ClamAV could be cool, but it’s based on a very naive understanding. You wouldn’t want an untrusted file on your system in the first place. Obviously, a lot more mileage[1] is possible. But one has to learn to walk before they can run 😉.


    1. Note that the information and instructions found on the excellent ArchWiki often work on and/or apply to other distros as well.

  • Is this a good list?

    The link definitely provides some good info. It’s better than nothing. However, it may or may not fall short based on how secure you’d like to make your system.

    Anything else I should do to secure a Mint install?

    What is it you’re trying to protect and from whom? Whenever the topic of security comes up, one simply can’t engage meaningfully without mentioning a threat model.

    In this case, I’ll assume you’re just your average Joe. And, depending on how you engage with your system, Linux Mint might be fit from the get-go. However, if you actively engage in downloading random jank from the internet and have ‘survived’ with the help of Microsoft Defender Antivirus, then you should know that a safety net as such doesn’t exist over on this side. Sure, security through obscurity might save your ass a couple of times. But it’s inevitably a losing battle.

    So, without knowing your threat model, note the following important advice that the article somehow hasn’t touched upon:

    • Know that you, the user, are the largest attack surface. Even if some distros like Fedora and openSUSE (with the latter AFAIK scoring the best[1] according to Lynis) actually put in great work to offer pretty secure systems, they absolutely won’t be able to protect you against yourself.

    1. It’s important to mention that this excludes security-first distros like Kicksecure and secureblue. Nor is Qubes OS considered as it’s technically not even a Linux distro. Other distros like Tails or Whonix are also not considered as they’re not meant to be used as daily drivers and/or for general use.


  • I’m glad to find that the general perception of CachyOS has definitely changed for the better. I believe it was two or three years ago when I stumbled upon CachyOS for the very first time. I don’t think it did anything noticeably different back then compared to now. But as it was still relatively new, people didn’t quite jump on the bandwagon. As such, I actually received quite a bit of condemnation whenever I tried to recommend the distro to others. I’m glad to see that it’s currently flourishing. Congrats to the CachyOS team for sticking to their guns. Whenever a product is good, it will eventually receive recognition.