Improve software-installation section under FAQ #291
Expanded the section to be more comprehensive and clear. Also mentioning the new usage of bazaar.
| 4. If a package isn't available via the other two options, or if a package requires greater system integration, `rpm-ostree install` can be used to layer rpms directly into your subsequent deployments. | ||
| #### Flatpak | ||
| [Flatpaks](https://flatpak.org/) are the recommended way to install GUI software in secureblue, with the exception of [browsers](https://github.com/RKNF404/chromium-hardening-guide/blob/main/pages/BROWSER_SELECTION.md#flatpak-linux). | ||
| We have a specific article on flatpaks [here](https://secureblue.dev/articles/flatpak) |
Something like
An article on why we recommend Flatpaks is available here
Also needs a . at the end. Also, please use paragraphs instead of newlines between each sentence
| [Flatpaks](https://flatpak.org/) are the recommended way to install GUI software in secureblue, with the exception of [browsers](https://github.com/RKNF404/chromium-hardening-guide/blob/main/pages/BROWSER_SELECTION.md#flatpak-linux). | ||
| We have a specific article on flatpaks [here](https://secureblue.dev/articles/flatpak) | ||
| There are a few recommended ujust scripts to run for flatpaks, those being: | ||
| > `ujust harden-flatpak` - Enables [Hardened-Malloc](https://github.com/GrapheneOS/hardened_malloc) for flatpaks |
Please remove this, this is run automatically
| We have a specific article on flatpaks [here](https://secureblue.dev/articles/flatpak) | ||
| There are a few recommended ujust scripts to run for flatpaks, those being: | ||
| > `ujust harden-flatpak` - Enables [Hardened-Malloc](https://github.com/GrapheneOS/hardened_malloc) for flatpaks | ||
| > `ujust flatpak-permissions-lockdown` - Significantly reduces default permissions of flatpaks. |
Please remove this, this is covered in the flatpak article
| > `ujust harden-flatpak` - Enables [Hardened-Malloc](https://github.com/GrapheneOS/hardened_malloc) for flatpaks | ||
| > `ujust flatpak-permissions-lockdown` - Significantly reduces default permissions of flatpaks. | ||
|
|
||
| You can add the unfiltered Flathub repo with `ujust enable-flathub-unfiltered`. |
This should probably be moved to the flatpak article, with an addition to that article covering what verification is
| Bazaar has a curated tab for software that compliments secureblue. | ||
| ###### Flatpak CLI | ||
| Flatpaks can by installed using the flatpak CLI tool, which is preinstalled with secureblue. Run `flatpak --help` for a list of commands and their usage. You can browse this [catalogue of Flatpaks](https://flathub.org) to discover the available packages. | ||
| #### CLI Package |
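
Review bot: Two spelling errors in this hunk: the Bazaar line reads "compliments secureblue" where "complements" is meant, and the Flatpak CLI paragraph reads "Flatpaks can by installed", which should be "can be installed". The `###### Flatpak CLI` heading is also two levels below the `####` headings around it; confirm that six hashes is the intended level.
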
This should just say Homebrew, since RPMs can also be cli packages
| In this case, run: | ||
| `mv /path/to/repo /etc/yum.repos.d/reponame` | ||
| `rpm-ostree install <packagename>` | ||
| Beware, you are trusting a third party to not ship malware. Third party copr's are particularly hazardous. |
COPR is all caps as it's an acronym
| #### CLI Package | ||
| For CLI packages, you can install with [Homebrew](https://docs.brew.sh/Manpage) using `brew install <package>`. You can browse this [catalogue of Homebrew Formulae](https://formulae.brew.sh) to discover the available formulae. | ||
| #### RPM | ||
| If a package isn't available via Flatpak or Homebrew, or if a package requires greater system integration, `rpm-ostree install <package>` can be used to layer rpms directly into your subsequent deployments. |
Please use paragraphs
| If a package isn't available via Flatpak or Homebrew, or if a package requires greater system integration, `rpm-ostree install <package>` can be used to layer rpms directly into your subsequent deployments. | ||
| Sometimes an additional repository needs to be added to install software. | ||
| In this case, run: | ||
| `mv /path/to/repo /etc/yum.repos.d/reponame` |
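
Review bot: The `mv` destination `/etc/yum.repos.d/reponame` has no `.repo` suffix, and repository definitions in that directory are only read from files ending in `.repo`, so the file added by this example would be ignored. Suggest `/etc/yum.repos.d/reponame.repo`, and state that the command needs root, since `/etc/yum.repos.d` is not writable by a regular user.
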
This should just be an example curl command directly into the repos dir
| In this case, run: | ||
| `mv /path/to/repo /etc/yum.repos.d/reponame` | ||
| `rpm-ostree install <packagename>` | ||
| Beware, you are trusting a third party to not ship malware. Third party copr's are particularly hazardous. |
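
Review bot: The placeholder on the `rpm-ostree install <packagename>` line differs from the `<package>` placeholder used in the Homebrew and RPM paragraphs; use one placeholder throughout. On the warning line, "copr's" is a plural and takes no apostrophe, and "Third party" used as a modifier should be hyphenated ("third-party").
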
Instead of "beware.." maybe:
Note that by adding a third party repo, you are trusting the owner of that repo. You should avoid adding third party repos.
Also, the warning should precede the information on how to add third party repos
| `mv /path/to/repo /etc/yum.repos.d/reponame` | ||
| `rpm-ostree install <packagename>` | ||
| Beware, you are trusting a third party to not ship malware. Third party copr's are particularly hazardous. | ||
| #### Distro-specific format (e.g. .deb) |
package format*
| Beware, you are trusting a third party to not ship malware. Third party copr's are particularly hazardous. | ||
| #### Distro-specific format (e.g. .deb) | ||
| secureblue comes with [distrobox](https://distrobox.it/). This means that formats that are specific to some other distro can often be ran via distrobox. | ||
| For example, you can create and ubuntu container with `distrobox assemble` and then when you have entered that container with `distrobox enter ubuntu` you can use .deb packages from within it. |
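
Review bot: Grammar in both distrobox sentences: "can often be ran" should be "can often be run", and "create and ubuntu container" should be "create an Ubuntu container". The example also goes from `distrobox assemble` straight to `distrobox enter ubuntu` without showing where the container name `ubuntu` comes from; spell out the create step with its image and name so the two commands line up.
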
I don't think we should be encouraging this... or maybe even documenting it. It's a horrible practice.
- Executing stuff downloaded from the browser ❌
- Local installs don't update ❌
This should be removed
| #### Distro-specific format (e.g. .deb) | ||
| secureblue comes with [distrobox](https://distrobox.it/). This means that formats that are specific to some other distro can often be ran via distrobox. | ||
| For example, you can create and ubuntu container with `distrobox assemble` and then when you have entered that container with `distrobox enter ubuntu` you can use .deb packages from within it. | ||
| #### AppImage |
This should be removed and any appimage info kept in the appimage faq entry