[throwaway89988]

I tried out Aeon a while back and mostly liked the idea, but not so sure about the execution.

First, last time they had no firewall and the main developer thinks a firewall is not needed. I disagree strongly and won't run an OS w/o firewall. (https://forums.opensuse.org/t/micro-os-suse-aeon-compared-to...)

Second, getting everything from flatpak would be a good idea, if the software I need would be available as certified flatpaks. Downloading random flatpaks is IMHO the same as downloading random executables.

Third, the AARCH64 version is not distributed anymore (this was the version I tried/used), AFAIK because the initial install script could not download the non-existent Firefox for AARCH64 flatpak (thanks Mozilla).

In the end I still like the idea of Aeon and hope they change their positions concerning firewalls. Points two and three are obviously not Aeons to fix, so I hope we as a community (and Mozilla) get there in time.

[thoroughburro]

I use a MicroOS + wayland + sway and friends setup, since I don’t like big DEs. I completely agree with you about needing a firewall, but it was an easy fix to continue taking advantage of all the good parts:

    sudo transactional-update shell
    zypper in firewalld
    [setup as you like]
    exit
    sudo reboot

Now you have MicroOS or Aeon as you like it. It’s a discouraged practice, but if you stick to the default repos and well-used packages, you can definitely tweak the opinionated defaults without compromising the vision.

[BossingAround]

I understand what you're saying, and I understand the maintainer's POV. But, nothing prevents you from installing firewalld, right? It should just work.

[deknos]

i agree with the flatpak, sadly this will probably not change.

BUT! if you are a developer, you could run with distrobox graphically applications from the distrobox from OpenSUSE!

I am starting to use this on tumbleweed and there are even "exporters" so the app in the distrobox will be exported to your application menu on the metal!

[jacooper]

Does that app have access to a full terminal ? Like if I install vs code inside distrobox, will it have access to the systems or the container terminal?

[athrun]

the firewall question is interesting. I guess I understand their perspective: If nothing is listening/running then what’s the point of the firewall? The system is immutable so the security posture is a known quantity and cannot change at runtime. You could argue that running an additional firewall service would actually be increasing the attack surface, in the sense that more code is worse than the absence of code.

Not sure I agree with their stance, but good on them for having the courage to revisit some our default assumptions. Some decisions will work out and others they’ll have to finetune.

[throwaway89988]

The base system does not need a Firewall, according to them, and they might be correct about that or not.

IMHO the point of having a firewall which simply denies all incoming connections is, that once a user starts installing a few programs, sooner or later some of them might open ports, even w/o malicious intent.

If they want to provide an easy to use and secure system, IMHO there should be a firewall and each port has to be opened explicitly.

In the end, this is really down to opinion and there is no objective true answer, so I'd rather use Fedora-Atomic if I need immutability.

[raesene9]

I can see where the no firewall argument is coming from and definitely on my own Linux laptop, I try and keep the number of ports listening down as much as possible, but it is tricky and it requires a lot of vigilance as sometimes applications you wouldn't expect to, will start services. Things like Spotify and Steam can open ports.

So having a firewall running can provide a bit of extra protection in case you don't always check to see what ports you have open/listening.

[theodric]

What's the benefit to a traditional consumer application of opening ports these days, besides maybe for local network data exchange (which, I assume, is what Steam does since I know it will sync game updates between machines on the same subnet). I would hazard that the global number of laptops and desktops with public IPv4 addresses in 2024 is probably in the triple digits, given that basically every provider I'm aware of hands off with a "Wi-Fi modem" that converts whatever weird delivery medium (fiber, DSL, cable, etc.), gets its own maybe-public IP, and does NAT for clients. Hell, I don't even have my own IPv4 address since Starlink does CGNAT.