Yes, but Plasma doesnt protect against screen recording. The Devs expressed interest in protecting against arbitrary screen capture, still work in progress. See this issue: https://invent.kde.org/plasma/xdg-desktop-portal-kde/-/issues/7
I’m the Never Ending Pie Throwing Robot, aka NEPTR.
Linux enthusiast, programmer, and privacy advocate. I’m nearly done with an IT Security degree.
TL;DR I am a nerd.
Yes, but Plasma doesnt protect against screen recording. The Devs expressed interest in protecting against arbitrary screen capture, still work in progress. See this issue: https://invent.kde.org/plasma/xdg-desktop-portal-kde/-/issues/7
Flatpak is installed on basically every Linux distribution. Literally all I do to install Steam is go to the Software Center and search “steam” and click install. It takes 2 clicks.
Cinnamon with Wayland is still in testing. X11/X.Org is unmaintained software and is less secure than Wayland. GNOME is the only desktop at the moment that actually protects the screen from arbitrary recording by applications. Just food for thought.
I don’t like Snaps either, but it isn’t a that big of a deal. Ubuntu is still vastly more private than Windows. I do prefer Fedora much more because it actually sandboxes system services with SELinux polices. Snap creates a better sandbox for applications than Flatpak, but it is slower to launch applications, depends on AppArmor (which is less secure than SELinux), and uses hard coded package repo (centralized design).
On Linux, you can install Steam inside a sandbox for better security. Easy to do with either Flatpak or Bubblejail. This makes it so that Steam does not have full file system access.
Disabling unnecessary background services, disabling telemetry, removing preinstalled adware. Easy to do with WinUtil by Chris Titus Tech.
Propaganda from the ruling class.
Docker is good when combined with gVisor runtime for better isolation.
What is gVisor?
gVisor is an application kernel, written in memory safe Golang, that emulates most system calls and massively reduces the attack surface of the kernel. This is important since the host and guest share the same kernel, and Docker runs rootful. Root inside a Docker container is the same as root on the host, as long as a sandbox escape is used. This could arise if a container image requires unsafe permissions like Docker socket access. gVisor protects against privilege escalation by only using root at the start and never handing root over to the guest.
Sydbox OCI runtime is also cool and faster than gVisor (both are quick)