From 40846fb848d1b3cf6bbb8f08e6754510054c9e9d Mon Sep 17 00:00:00 2001 From: Franco Colmenarez Date: Tue, 31 Jan 2023 13:46:40 -0500 Subject: [PATCH] Small update --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index eb03126..d8bfd17 100644 --- a/README.md +++ b/README.md 
@@ -289,7 +289,7 @@ The technical reasons why are explained [here](https://madaidans-insecurities.gi Here are some tips on how you can improve Linux Desktop security: -- Use [Wayland](https://wiki.archlinux.org/title/Wayland) instead of [Xorg/X11](https://wiki.archlinux.org/title/Xorg). Xorg is a very ancient program with really ancient code, designed under a really ancient protocol (X11). Linux sandboxing is flawed mostly because of possible sandbox escapes through X11. The catch is that you may have compatibility issues with Wayland, for example, you may struggle with screen sharing. However, Wayland development is improving with time. +- Use [Wayland](https://wiki.archlinux.org/title/Wayland) instead of [Xorg/X11](https://wiki.archlinux.org/title/Xorg). Xorg is a very ancient program with really ancient code, designed under a really ancient protocol (X11). Linux sandboxing is flawed mostly because of [possible sandbox escapes through X11](https://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html). The catch is that you may have compatibility issues with Wayland, for example, you may struggle with screen sharing. However, Wayland development is improving with time. - Use [Pipewire](https://wiki.archlinux.org/title/PipeWire) instead of [Pulseaudio](https://wiki.archlinux.org/title/PulseAudio). Pipewire provides better sandboxing and security features. Most Linux distribution are starting to ship Pipewire instead of Pulseaudio. - Use [hardened_malloc](https://github.com/GrapheneOS/hardened_malloc). This is a bit more extreme and it's not recommended if you don't know what you are doing, as some programs may break. - Use [doas](https://github.com/slicer69/doas) instead of Sudo. Sudo have had [security vulnerabilities](https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt) that took years to patch. Sudo is a really big program, and doas is much smaller in comparison. 
Doas has less features than Sudo, but for desktop usage, Doas is usually more than enough.
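
Review bot: On the added Wayland bullet, the new link points to a 2011 post whose URL slug is about GUI isolation, while the sentence it backs still says Linux sandboxing is flawed "mostly because of" X11 sandbox escapes. One citation does not support "mostly", so consider narrowing the claim to something like "X11 provides no GUI isolation between clients, which allows sandbox escapes" and giving the post's year next to the link so readers can judge how current it is. The subject line "Small update" also says nothing about the change; something like "README: cite source for X11 sandbox escape claim" would make the history searchable.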