proprietary code is a black-box. we can’t say for CERTAIN if it does something specific or NOT but we can choose not to allow our compute environment to contain any such POTENTIAL malware …
that being said, your mileage may vary but if you get the standard Librem-Mini-v2 then you will also get PureOS-10-Byzantium (development version) so you are SAFER than most …
if your requirements for LESS blobs are more stringent and you KNOW why that IS then you are better off looking somewhere else (mainly the HW recommended by the FSF)
1 - There is very little in terms of privacy compromises for most Linux distributions. Ubuntu had some controversy about a decade ago with its Dash search but I do not know any recent issues. You are likely very safe in nearly any OS choice for privacy by default.
2 - Similar to your OS choice, I am unaware of any data sharing agreements between KDE, for example, and any third parties. I believe both KDE and GNOME have statements emphasizing their dedication to data privacy.
If you are talking about Purism hardware then the hardware is chosen so that it works with PureOS without blobs. That means that it should work with other Linux distros, particularly those in the Debian family, without blobs.
There is a small risk that another distro might try to replace an open driver with a closed driver that offers more functionality - but in theory you should be able to control that. (On PureOS the closed driver simply wouldn’t exist.)
Likewise if you add further hardware yourself there is a question over whether the operating system will add closed software (driver or firmware). PureOS definitely won’t. Other distros might.
It’s not like you are locked into one distro for life, or even limited to one distro.
PureOS has a forked version of Firefox ESR which is configured by default for a bit more privacy. It has the extensions Privacy Badger (to block invisible trackers), HTTPS Everywhere (to always use https when possible) and uBlock Origin installed by default, whereas with other distros you will have to add these extensions yourself (which isn’t hard, but you might not think to do it). Purism is switching to GNOME Web (i.e. Epiphany) where it can more easily add code than with Firefox. See: https://puri.sm/posts/an-epiphany-regarding-purebrowser/
(The last time I installed PureOS, Google was still the default search engine in its Firefox ESR, so you might want to do future configuration)
There are probably a few other things. PureOS doesn’t offer for you to participate in a poll of what applications you have installed like Debian does. I see that PureOS has some of its own custom packages, which it presumably modified from the Debian packages:
$ sudo dpkg -l | grep -i pureos
ii apparmor 2.13.2-10pureos1 amd64 user-space parser utility for AppArmor
ii apparmor-profiles 2.13.2-10pureos1 all experimental profiles for AppArmor security policies
ii base-files 10.1pureos6 amd64 PureOS base system miscellaneous files
ii bsdutils 1:2.33.1-0.1pureos1 amd64 basic utilities from 4.4BSD-Lite
ii cron 3.0pl1-130pureos1 amd64 process scheduling daemon
ii dirmngr 2.2.12-1pureos2 amd64 GNU privacy guard - network certificate management service
ii dpkg 1.19.7pureos1 amd64 Debian package management system
ii fdisk 2.33.1-0.1pureos1 amd64 collection of partitioning utilities
ii flashrom 1.1.0-0pureos1 amd64 Identify, read, write, erase, and verify BIOS/ROM/flash chips
ii gdm3 3.30.2-1pureos1 amd64 GNOME Display Manager
ii gir1.2-gdm-1.0:amd64 3.30.2-1pureos1 amd64 GObject introspection data for the GNOME Display Manager
ii gnome-boxes 3.30.3-2pureos1 amd64 Simple GNOME app to access remote or virtual systems
ii gnome-control-center 1:3.30.3-1pureos1 amd64 utilities to configure the GNOME desktop
ii gnome-control-center-data 1:3.30.3-1pureos1 all configuration applets for GNOME - data files
ii gnome-initial-setup 3.30.0-1pureos5 amd64 Initial GNOME system setup helper
ii gnome-session 3.30.1-2pureos1 all GNOME Session Manager - GNOME 3 session
ii gnome-session-bin 3.30.1-2pureos1 amd64 GNOME Session Manager - Minimal runtime
ii gnome-session-common 3.30.1-2pureos1 all GNOME Session Manager - common files
ii gnome-software 3.30.6-5pureos1 amd64 Software Center for GNOME
ii gnome-software-common 3.30.6-5pureos1 all Software Center for GNOME (common files)
ii gnome-software-plugin-flatpak 3.30.6-5pureos1 amd64 Flatpak support for GNOME Software
ii gnupg 2.2.12-1pureos2 all GNU privacy guard - a free PGP replacement
ii gnupg-l10n 2.2.12-1pureos2 all GNU privacy guard - localization files
ii gnupg-utils 2.2.12-1pureos2 amd64 GNU privacy guard - utility programs
ii gpg 2.2.12-1pureos2 amd64 GNU Privacy Guard -- minimalist public key operations
ii gpg-agent 2.2.12-1pureos2 amd64 GNU privacy guard - cryptographic agent
ii gpg-wks-client 2.2.12-1pureos2 amd64 GNU privacy guard - Web Key Service client
ii gpg-wks-server 2.2.12-1pureos2 amd64 GNU privacy guard - Web Key Service server
ii gpgconf 2.2.12-1pureos2 amd64 GNU privacy guard - core configuration utilities
ii gpgsm 2.2.12-1pureos2 amd64 GNU privacy guard - S/MIME version
ii gpgv 2.2.12-1pureos2 amd64 GNU privacy guard - signature verification tool
ii grub-common 2.02+dfsg1-4pureos1 amd64 GRand Unified Bootloader (common files)
ii grub-pc 2.02+dfsg1-4pureos1 amd64 GRand Unified Bootloader, version 2 (PC/BIOS version)
ii grub-pc-bin 2.02+dfsg1-4pureos1 amd64 GRand Unified Bootloader, version 2 (PC/BIOS binaries)
ii grub-theme-pureos 1.7 all GRand Unified Bootloader PureOS theme
ii grub2-common 2.02+dfsg1-4pureos1 amd64 GRand Unified Bootloader (common files for version 2)
ii initramfs-tools 0.132pureos1 all generic modular initramfs generator (automation)
ii initramfs-tools-core 0.132pureos1 all generic modular initramfs generator (core tools)
ii libapparmor1:amd64 2.13.2-10pureos1 amd64 changehat AppArmor library
ii libblkid1:amd64 2.33.1-0.1pureos1 amd64 block device ID library
ii libfdisk1:amd64 2.33.1-0.1pureos1 amd64 fdisk partitioning library
ii libgdm1 3.30.2-1pureos1 amd64 GNOME Display Manager (shared library)
ii libmount1:amd64 2.33.1-0.1pureos1 amd64 device mounting library
ii libnss-myhostname:amd64 241-7pureos0.2 amd64 nss module providing fallback resolution for the current hostname
ii libopenexr23:amd64 2.2.1-4pureos1 amd64 runtime files for the OpenEXR image library
ii libpam-systemd:amd64 241-7pureos0.2 amd64 system and service manager - PAM module
ii libplymouth4:amd64 0.9.3-3pureos1 amd64 graphical boot animation and logger - shared libraries
ii libsmartcols1:amd64 2.33.1-0.1pureos1 amd64 smart column output alignment library
ii libsystemd0:amd64 241-7pureos0.2 amd64 systemd utility library
ii libudev1:amd64 241-7pureos0.2 amd64 libudev shared library
ii libuuid1:amd64 2.33.1-0.1pureos1 amd64 Universally Unique ID library
ii lsb-base 10.2019031300pureos1 all Linux Standard Base init script functionality
ii lsb-release 10.2019031300pureos1 all Linux Standard Base version reporting utility
ii mount 2.33.1-0.1pureos1 amd64 tools for mounting and manipulating filesystems
ii p7zip 16.02+dfsg-6pureos1 amd64 7zr file archiver with high compression ratio
ii p7zip-full 16.02+dfsg-6pureos1 amd64 7z and 7za file archivers with high compression ratio
ii papirus-icon-theme 20171102-0pureos1 all Papirus Icon Theme
ii plymouth 0.9.3-3pureos1 amd64 boot animation, logger and I/O multiplexer
ii plymouth-label 0.9.3-3pureos1 amd64 boot animation, logger and I/O multiplexer - label control
ii plymouth-theme-pureos 1.7 all Graphical boot animation and logger - PureOS Theme
ii plymouth-themes 0.9.3-3pureos1 amd64 boot animation, logger and I/O multiplexer - themes
ii pureos-archive-keyring 2016.09 all GnuPG archive keys of the PureOS archive
ii pureos-artwork-base 1.7 all Basic artwork for PureOS desktop systems
ii pureos-gnome 0.9.7 amd64 PureOS GNOME desktop system
ii pureos-gnome-settings 0.7.1 all Default settings for the PureOS GNOME desktop
ii pureos-init-disk-crypto 0.3.2~po9u1 all Initialize disk encryption passwords on OEM installations
ii pureos-minimal 0.9.7 amd64 Minimal core of PureOS
ii pureos-security-hardening 0.0.1 all Security hardening for PureOS
ii pureos-standard 0.9.7 amd64 PureOS standard system
ii pureos-theme-gnome 1.7 all PureOS style for the GNOME desktop
ii pureos-webext 0.9.7 amd64 PureOS web browser extensions
ii python-apt 1.8.4pureos3 amd64 Python interface to libapt-pkg
ii python-apt-common 1.8.4pureos3 all Python interface to libapt-pkg (locales)
ii python3-apt 1.8.4pureos3 amd64 Python 3 interface to libapt-pkg
ii qemu-kvm 1:3.1+dfsg-2pureos1+po9u1 amd64 QEMU Full virtualization on x86 hardware
ii qemu-system-common 1:3.1+dfsg-2pureos1+po9u1 amd64 QEMU full system emulation binaries (common files)
ii qemu-system-data 1:3.1+dfsg-2pureos1+po9u1 all QEMU full system emulation (data files)
ii qemu-system-gui 1:3.1+dfsg-2pureos1+po9u1 amd64 QEMU full system emulation binaries (user interface and audio support)
ii qemu-system-x86 1:3.1+dfsg-2pureos1+po9u1 amd64 QEMU full system emulation binaries (x86)
ii qemu-utils 1:3.1+dfsg-2pureos1+po9u1 amd64 QEMU utilities
ii rfkill 2.33.1-0.1pureos1 amd64 tool for enabling and disabling wireless devices
ii scdaemon 2.2.12-1pureos2 amd64 GNU privacy guard - smart card support
ii systemd 241-7pureos0.2 amd64 system and service manager
ii systemd-sysv 241-7pureos0.2 amd64 system and service manager - SysV links
ii udev 241-7pureos0.2 amd64 /dev/ and hotplug management daemon
ii util-linux 2.33.1-0.1pureos1 amd64 miscellaneous system utilities
ii uuid-runtime 2.33.1-0.1pureos1 amd64 runtime components for the Universally Unique ID library
I assume that Purism has added a bit more strict apparmor configuration than Debian, and GPG is installed by default.
I don’t think the DE makes any difference. I don’t know of any Linux DE that collects your info and I’m pretty sure that Debian would make it easy to disable that function if one did.
You can use the Librem Key with any distro that has an unencrypted /boot directory. See:
Thanks everyone. I like what Purism is doing, like PureOS, but just really dislike GNOME. I’ve got PureOS with Budgie DE in a VM and like that much better. I surmise from your posts that I could get a Mini v2, with PureOS, and a DE of my choice and still maintain the rich security and privacy inherent to PureOS and also be able to use the Librem Key.
It looks Gnome-specific to me. However, depending on your level of sophistication, you can probably adapt that to any DE that exposes any kind of API for locking and unlocking. The hooks are there. It is just down to what the DE can do.
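Two checks for points raised earlier in the thread, as an added example that is not from any poster: whether a Debian-family install has pulled in packages from outside the free archive area (the closed driver or firmware concern), and which packages the vendor actually rebuilt, matching on the version field only rather than on name or description as `dpkg -l | grep -i pureos` does. It assumes the Debian convention that the `Section` field of a non-main package is prefixed with its archive area (`non-free/`, `non-free-firmware/`, `contrib/`); the `example-*` package names are constructed sample data.

```shell
#!/bin/sh
# Added example: audit installed packages on a Debian-family system.

# Constructed sample in "package<TAB>version<TAB>section" form, the same
# layout installed_pkgs() produces on a real system. example-* are made up.
sample_pkgs() {
    printf '%s\t%s\t%s\n' \
        apparmor 2.13.2-10pureos1 admin \
        grub-theme-pureos 1.7 misc \
        example-firmware 1.0-1 non-free/kernel \
        example-codec 2.0-1 contrib/sound \
        example-blob 3.0-1 non-free-firmware/kernel \
        coreutils 8.30-3 utils
}

# Real data source: every installed package with its version and section.
installed_pkgs() {
    dpkg-query -W -f='${Package}\t${Version}\t${Section}\n'
}

# Print packages whose section places them outside the "main" archive area.
# Assumption: non-main sections carry an "<area>/" prefix (Debian convention).
nonfree_pkgs() {
    awk -F '\t' '$3 ~ /^(non-free|non-free-firmware|contrib)\// { print $1 }'
}

# Print packages whose *version* carries the vendor tag given as $1.
# Packages that merely have the tag in their name are not reported.
vendor_rebuilt() {
    awk -F '\t' -v tag="$1" 'index(tolower($2), tolower(tag)) { print $1 }'
}

# Demo on the constructed sample; on a real system use
#   installed_pkgs | nonfree_pkgs
#   installed_pkgs | vendor_rebuilt pureos
echo "outside main:";   sample_pkgs | nonfree_pkgs
echo "vendor rebuilt:"; sample_pkgs | vendor_rebuilt pureos
```

An empty result from `installed_pkgs | nonfree_pkgs` only covers software installed through the package manager; it says nothing about firmware already flashed onto the hardware.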