[Note: I would have included more references, but the Purism forum only lets new users add two links to a post(?). Apologies if that makes some of what I’ve written less clear.]
I have been using Purism laptops for years and a Librem 5 for over a year. The laptops are great, the phone clearly has a lot of potential, and much of Purism’s firmware work is excellent… but I think that there needs to be a serious discussion about PureOS’s insecurity.
I’ve browsed Purism’s GitLab, wiki and blog, and besides using rolling releases and one security epic, I’ve not seen any meaningful improvements to baseline Debian security. To anticipate some responses:
- PureOS uses Flatpak. At this point, Flatpak’s security story has been debunked. It’s a portability solution, not a security solution.
- PureOS enables AppArmor by default. That’s great, but you need to write AppArmor security profiles in order for it to enhance the system’s security. Purism’s blog mentions enabling AppArmor by default, and its GitLab says there are some profiles, but I couldn’t find any details about what profiles there actually are. Of course, this points to a general flaw with AppArmor for a security-focused OS: unlike SELinux, it doesn’t deny by default.
The above is indicative of a more general point: PureOS plays security whack-a-mole, rather than having a first-principles approach to security. Examples of OSes that follow the latter model are iOS and GrapheneOS. While the former is unadoptable by Purism for obvious reasons, in my opinion not making the Librem 5 natively support GrapheneOS was a strategic blunder. Having said that, it seems that what’s done is done, and the Purism team is fully committed to building a Linux OS with mobile-desktop convergence even if it means less usability and adoption in at least the medium term and probably worse security in the long term. Given that, the question is: is there a Linux-based alternative to vanilla Debian that PureOS can build on that has a better approach to security? The answer I think is clearly ‘yes’.
Kicksecure is based on Debian and is the base distro for Whonix. Unlike PureOS, Kicksecure tries to take important principles from newer OSes and create a Linux distribution that doesn’t have absolutely horrendous security. Below are some examples:
- AppArmor profile everything: a way to add an AppArmor profile to all processes, including PID 1.
- Strong user account isolation
- Extreme hardening
- Sandbox App Launcher: a modern approach to granting access to the host’s resources.
In spite of all their great work, it seems that the Kicksecure team relies primarily on donations and doesn’t have sufficient developer resources to realize their vision. If Purism built on Kicksecure rather than vanilla Debian, they would have a more secure OS and be helping out a great project besides.
I am curious to hear what the community thinks about this idea. Thanks for reading.
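An added check for the AppArmor point above; this is not part of the original post and not Purism’s or Kicksecure’s code. "AppArmor enabled" only means the LSM is loaded; a process is actually protected only when its label is a profile in enforce mode. The script below reads each process’s label from /proc/PID/attr/apparmor/current (falling back to /proc/PID/attr/current on older kernels), counts enforce / complain / unconfined / unknown, lists the unconfined processes, and checks whether PID 1 is confined, which is the "profile everything" target. The file name apparmor_audit.sh, the optional PROCROOT argument (used so the functions can be exercised against a fake /proc tree) and the category names are this example’s own conventions; the label formats ("unconfined", "<profile> (enforce)", "<profile> (complain)") are what the kernel reports.

```shell
#!/bin/sh
# apparmor_audit.sh: added example, not from the original post.
# Reports which processes AppArmor actually confines. Each function takes an
# optional proc root (default /proc) so the logic can be run against a
# constructed tree for testing.

# Print one "pid<TAB>comm<TAB>label" line per process under the proc root.
# Label is the kernel's AppArmor label, or "unknown" if it could not be read.
apparmor_labels() {
    procroot="${1:-/proc}"
    for dir in "$procroot"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid="${dir##*/}"
        comm="$(cat "$dir/comm" 2>/dev/null)" || comm='?'
        label="unknown"
        # Linux >= 5.1 exposes a per-LSM directory; older kernels only attr/current.
        if [ -r "$dir/attr/apparmor/current" ]; then
            label="$(cat "$dir/attr/apparmor/current" 2>/dev/null)" || label="unknown"
        elif [ -r "$dir/attr/current" ]; then
            label="$(cat "$dir/attr/current" 2>/dev/null)" || label="unknown"
        fi
        [ -n "$label" ] || label="unknown"
        printf '%s\t%s\t%s\n' "$pid" "$comm" "$label"
    done
}

# One-line summary: enforce=N complain=N unconfined=N unknown=N.
# "unconfined" here is everything that is neither enforce nor complain nor
# unreadable, i.e. the processes AppArmor is not restricting at all.
apparmor_summary() {
    apparmor_labels "$1" | awk -F'\t' '
        $3 ~ /\(enforce\)$/  { e++; next }
        $3 ~ /\(complain\)$/ { c++; next }
        $3 == "unknown"      { k++; next }
        { u++ }
        END { printf "enforce=%d complain=%d unconfined=%d unknown=%d\n", e+0, c+0, u+0, k+0 }'
}

# List unconfined processes as "pid comm", one per line: the profiles still
# to be written on a system that merely has AppArmor "enabled".
apparmor_unconfined() {
    apparmor_labels "$1" | awk -F'\t' '
        $3 !~ /\((enforce|complain)\)$/ && $3 != "unknown" { print $1, $2 }'
}

# Exit 0 if PID 1 runs under an enforcing profile, 1 otherwise.
apparmor_pid1_confined() {
    apparmor_labels "$1" | awk -F'\t' '
        $1 == 1 && $3 ~ /\(enforce\)$/ { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Audit the live system when executed directly under the assumed file name;
# when sourced into another shell only the functions are defined.
case "${0##*/}" in
    apparmor_audit.sh)
        apparmor_summary
        if apparmor_pid1_confined; then
            echo "PID 1: confined (enforce)"
        else
            echo "PID 1: NOT confined"
        fi
        echo "Unconfined processes:"
        apparmor_unconfined
        ;;
esac
```

Run it as root if processes show up as "unknown", since that means their attr entries were not readable. On a stock Debian-derived desktop most lines come back "unconfined", which is the gap the post describes; on a "profile everything" configuration PID 1 itself should report an enforcing profile.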