PureOS Hardening

Are there plans to add more hardening/exploit mitigations to PureOS? (Kernel hardening config options (https://github.com/a13xp0p0v/kconfig-hardened-check/), hardened malloc, LKRG, etc.) I know AppArmor is now on by default, which is great.

I’m confused by the purpose of using linux-libre/not allowing microcode updates, when microcode updates are a necessity on x86 systems. You even include microcode updates in shipped laptops, and updated firmware (https://puri.sm/posts/purism-patches-meltdown-and-spectre-variant-2-both-included-in-all-new-librem-laptops/), so this really doesn’t make any sense. The loopholes we’re all going through to satisfy FSF certification seem really silly to me, especially if users aren’t warned to activate the non-free repo. Their device will become insecure.

5 Likes