From e76d8593638d0478d56845d1934555aa74492f40 Mon Sep 17 00:00:00 2001 From: Meijuta Date: Sun, 8 Feb 2026 16:12:26 +1100 Subject: [PATCH] Improve software-installation section under FAQ Expanded the section to be more comprehensive and clear. Also mentioning the new usage of bazaar. --- content/FAQ.md | 35 +++++++++++++++++++++++++++++++---- 1 file changed, 31 insertions(+), 4 deletions(-) diff --git a/content/FAQ.md b/content/FAQ.md index a155cbb..0872c9c 100644 --- a/content/FAQ.md +++ b/content/FAQ.md @@ -203,13 +203,40 @@ secureblue prevents [numerous modules](https://github.com/secureblue/secureblue/ ### [How do I install software?](#software) {: #software} +#### Check if software is already installed +> `rpm -qa | grep x` -1. Check if it's already installed using `rpm -qa | grep x` -2. For GUI packages, you can install the Flatpak if available using the Software store or using `flatpak install`. You can browse this [catalogue of Flatpaks](https://flathub.org) to discover the available packages. -3. For CLI packages, you can install from brew if available using `brew install`. You can browse this [catalogue of Homebrew Formulae](https://formulae.brew.sh) to discover the available formulae. -4. If a package isn't available via the other two options, or if a package requires greater system integration, `rpm-ostree install` can be used to layer rpms directly into your subsequent deployments. +#### Flatpak +[Flatpaks](https://flatpak.org/) are the recommended way to install GUI software in secureblue, with the exception of [browsers](https://github.com/RKNF404/chromium-hardening-guide/blob/main/pages/BROWSER_SELECTION.md#flatpak-linux). +We have a specific article on flatpaks [here](https://secureblue.dev/articles/flatpak) +There are a few recommended ujust scripts to run for flatpaks, those being: +> `ujust harden-flatpak` - Enables [Hardened-Malloc](https://github.com/GrapheneOS/hardened_malloc) for flatpaks +> `ujust flatpak-permissions-lockdown` - Significantly reduces default permissions of flatpaks. You can add the unfiltered Flathub repo with `ujust enable-flathub-unfiltered`. +##### Installing Flatpaks +###### Bazaar +[Bazaar](https://github.com/kolunmi/bazaar) is the app store that comes preinstalled with secureblue. It is forked for secureblue so we can make a few of our own changes and audit updates for security. +It by default filters EoL apps and certain apps with known security issues. Do note that the scope of this filter is limited and an app being unfiltered does not mean it is secure. +Bazaar has a curated tab for software that compliments secureblue. +###### Flatpak CLI +Flatpaks can by installed using the flatpak CLI tool, which is preinstalled with secureblue. Run `flatpak --help` for a list of commands and their usage. You can browse this [catalogue of Flatpaks](https://flathub.org) to discover the available packages. +#### CLI Package +For CLI packages, you can install with [Homebrew](https://docs.brew.sh/Manpage) using `brew install `. You can browse this [catalogue of Homebrew Formulae](https://formulae.brew.sh) to discover the available formulae. +#### RPM +If a package isn't available via Flatpak or Homebrew, or if a package requires greater system integration, `rpm-ostree install ` can be used to layer rpms directly into your subsequent deployments. +Sometimes an additional repository needs to be added to install software. +In this case, run: +`mv /path/to/repo /etc/yum.repos.d/reponame` +`rpm-ostree install ` +Beware, you are trusting a third party to not ship malware. Third party copr's are particularly hazardous. +#### Distro-specific format (e.g. .deb) +secureblue comes with [distrobox](https://distrobox.it/). This means that formats that are specific to some other distro can often be ran via distrobox. +For example, you can create and ubuntu container with `distrobox assemble` and then when you have entered that container with `distrobox enter ubuntu` you can use .deb packages from within it. +#### AppImage +See [here](https://secureblue.dev/faq#appimage). +Note: Sometimes AppImages can work if you extract them with `/path/to/your/appimage --appimage-extract`, then enter the `squashfs-root` directory created and run whatever binary is in there. + ### [How do I install my VPN?](#vpn) {: #vpn}