All great, but I would love EU and (national, local, ...) governments in the EU to simply use the open source stuff already available.

Often there is a 'you must open source, unless you explain why not' and then there is some faff about why they really need to be buying more stuff from Microsoft (which is more and more cloud stuff and thus under the CLOUD Act etc.)

Time to get rid of the 'unless' bit.

Although I usually come up negative on my The Year of Linux Desktop comments, that would already be a starting point.

Unless EU citizens are able to easily walk into FNAC, Vobis, Cool Blue, MediaMarket, Carrefour, Publico,.... and come out with a laptop or desktop with e.g. SuSE Linux already set up, this will always be a niche thing for nerds assembling their own PCs, or finding their ways into Tuxedo and co.

And there needs to be some kind of value in actually doing that for normal people, otherwise it will be just like netbooks, most people will return them and ask for a Windows PC, after being "tricked" into getting one of those Linux PCs.

> And there needs to be some kind of value in actually doing that for normal people, otherwise it will be just like netbooks, most people will return them and ask for a Windows PC, after being "tricked" into getting one of those Linux PCs.

This is the big thing.

Even as a massive nerd, I keep trying various distros and going "meh" and right back to MacOS.

So maybe BSD + nice GUI is the solution :)

This is a conversation that has been going on for 20+ years and the OSS community hasn't managed to get that into their heads.

I have simply given up.

Me too, which is why I have mostly used Windows as my main laptop OS since Windows 7[0]; however, with current geopolitics, eventually we might have to really choose something else, even if the ergonomics aren't there.

[0] - You will find emails from me with M$ like signatures during the 1990s, in whatever archives

Well you can do that right now with Chrom(ium)OS.

Nah, that is a joke OS, where Crostini to this day has hardware support issues depending on the OEM brand, and the RAM/SSD sizes are ridiculous.

You do realize there is basically zero demand for a Linux desktop by "normal"/"average" users, right?

Yes, hence why that must come from European powers if sovereignty matters to the point not to depend on US powers for our daily computing needs.

I do not think I want my public sector running GNU/Linux desktops. There is no distro that meets the security requirements.

I don't know if Windows is better, I have heard rumours that it's pretty bad.

I know MacOS is MUCH better from a security PoV but I definitely don't want my public sector shelling out to Apple and I don't think it meets the boring IT management requirements anyway (I think big tech has a lot of crazy workarounds to make their MacBook fleets workable).

So yeah, overall no good options here. I would love to see the EU fund development of a better distro for this use case, but doubt it's the highest ROI thing you can do in this space.

I don’t get your comment. They can make a distro secure enough for government use. It’s not like it’s alien technology only the US have, that you need to buy Apple or Microsoft.

It would certainly be the highest ROI to have a local, open system built by (funding) local enterprises. Who knows, maybe a slice of the private sector might adopt it instead of sending money overseas.

It's not alien tech but it's a basic fact that only the US has it right now.

Yes, we could build a serious distro with a massive investment to get Flatpak, systemd, bootc, up to scratch, set up OSS endpoint management software, set up a safe package supply chain, etc. And yes, I would love to see it. But I think in the short term the money would be better spent replacing crap like Outlook and OneDrive than Windows. Note this doesn't require building much software; it's about figuring out how to run infrastructure in a way that's friendly to the bizarre world of public sector organisations.

Maybe Dunning-Kruger but the latter just seem like much easier problems to solve.

Also totally pointless until we have an OSS web browser that the whole sector can adopt (maybe we already do, but any funding gaps for Firefox should still be addressed before we build our own EuroOS). No point in having a wonderful sovereign OS that just serves as a bootloader for Chrome.

In what aspect does GNU/Linux not meet EU sovereignty security requirements, but two American companies do?

Other than the elephant in the room that most FOSS projects are anyway sponsored by US companies, that is.

Sovereignty, yes, it's obviously better.

I am just talking about the pure tech fact that GNU/Linux desktops do not have any meaningful intra-host security boundaries.

Is this a worthwhile tradeoff against being tied to US tech? Yeah maybe, like I said there are no good options here, and Linux might be the least bad.

Genuinely interested: does it bring something to say "everything is crap anyway, but given that we must choose between one of them, we may as well choose the least bad" instead of "the best solution we currently have is X"?

Secondly, are you sure that it is impossible to secure a system for a whole department? I have seen relatively big companies having an IT team managing their own Linux flavour. That is, whitelisting the packages that can be installed by the users. Given that most computer users in the administration use a handful of programs, it doesn't seem super hard to audit them?

> Genuinely interested: does it bring something to say "everything is crap anyway, but given that we must choose between one of them, we may as well choose the least bad" instead of "the best solution we currently have is X"

Well, I dunno if that's true, that's why I didn't say it. Linux _may_ be the best solution overall; I am not sure. It is definitely not the best solution from a security perspective.

> Secondly, are you sure that it is impossible to secure a system for a whole department? I have seen relatively big companies having an IT team managing their own Linux flavour. That is, whitelisting the packages that can be installed by the users.

Just whitelisting packages isn't enough. ChromeOS effectively does this and their whitelist is extremely small, yet they are still only ok with that because they backed it up with the rest of the pieces needed to make a secure Linux desktop, including a fully vertically integrated stack.

You know what happened at Google after Operation Aurora and they went full bore on security (BeyondCorp and all that)? They started phasing out Windows laptops for employees immediately.

I'm honestly having trouble taking you seriously, Windows has always been the butt of security jokes, I guess you maybe didn't grow up with winnuke etc? But maybe you could elaborate a bit more concretely about what kind of intra-host security boundaries are missing, and why they would be required on single-user computers in this scenario?

I worked at Google on post-Aurora endpoint security. Windows laptops are alive and well at Google. Linux laptops have had one foot in the grave for a while now (it's a bummer). Google historically made gLinux work only with enormous investments in customised distros and D&R.

> But maybe you could elaborate a bit more concretely about what kind of intra-host security boundaries are missing

- no boundaries between applications, everything runs as $USER which can read your browser creds

- no boundary between user and root, everything can trivially escalate privs (maybe we will fix this post Glasswing, let's see)

- no boundary between boots, root can trivially persist a compromise (probably non-root too)

The tech exists to solve all these problems on Linux, but there isn't a distro that strings it all together. (Unless you count ChromeOS/Android which are not really OSS).

I think that SUSE and RH can definitely work well in a fairly secure setting as needed. I certainly don't think it's any less secure than your typical corporate windows setup.

Sounds like Linux is still the least worst? There is at least the possibility of having a secure and quite independent machine. The question is not about the distro, it's who does the support and how it's all put together. There are big vendors who sell Linux to enterprises that for sure have to be highly secure.

So the NSA baseline of Linux + SELinux (that they helped develop) does not meet your needs but MacOS does? Please educate me.

SELinux is a framework, not a solution. The main places that gap is closed are Android and ChromeOS, not normal distros.

MacOS has:

- Serious integrity story

- Actual kernel hardening

- No reams and reams of garbage in their kernel (wouldn't have equivalents to the recent AF_ALG vulns coz they don't have dumb stuff like AF_ALG).

- Filesystem security boundaries retrofitted onto the Unix model (interesting user data, browser creds etc are gated by special permissions that are tied to the application build, backed by the integrity story - a `curl | bash` command cannot dump your ~/Documents)

When people escalate privileges on MacOS it's news, when they do it on Linux it's Tuesday (you might think the recent spate of privesc vulns on Linux was unusual but that is totally normal).

I say this as someone who works on Linux security every day (I am a kernel developer) and uses Linux on every computer I have, both at work and at home, BTW. I am not a Linux hater or Apple fanboy by any means.

These are all solvable problems at EU scale too. Just, I think they should solve other problems first in the priority list of delivering sovereign IT.

> There is no distro that meets the security requirements.

The CLOUD Act, in conjunction with Trump's behavior and the Snowden disclosures, shows that the US cannot possibly be a trusted partner. That every operating system is controlled by Washington, who can turn things off if they want.

I work for a state agency. Our current state constitution was adopted in 1891. Does a digital file format exist that will work for 135+ years? We've adopted PDF/A because supposedly that's open-sourcey enough to last, but I'm not sure that it is safe enough from legal disputes to stand the test of time. Our state legislature has banned certain state stuff from being hosted in the cloud.

> I do not think I want my public sector running GNU/Linux desktops. There is no distro that meets the security requirements.

Windows being buggy spyware wouldn't

If actors in the EU are serious (I have my doubts, as so far I see nothing more than riding recent anti-Trump sentiment in the hope of winning a popularity contest), they cannot rely on volunteer effort and gluing together a bunch of unrelated FOSS projects.

It is not enough to fund a new distro. The EU needs its own OS (maybe based on Linux, sure) and it needs to fully control it. Otherwise it will end up like most other FOSS projects, full of personal drama and technical bike-shedding.

There is definitely a lot of this happening, e.g. this is a 'collaboration suite for civil servants' that's basically a collection of existing open source projects:

https://github.com/MinBZK/mijn-bureau-infra/

They show all the components they use here: https://minbzk.github.io/mijn-bureau-infra/docs/category/com... and have set up guides for departments to operate it all on Kubernetes.

I'm guessing from my own use of NextCloud, Matrix etc. that this will simply be deemed not good enough compared to Google Workspace or Microsoft WhateverItsCalledNow, as these things are pretty rough around the edges in my experience, but this looks like a good step in the right direction to me.

All laudable efforts, but I'd love for my Dutch govt to actually use these broadly. With the support behind it to file down those rough edges for the benefit of all.

I like the thing the French have been cooking up, La Suite Numerique: https://github.com/suitenumerique#%E2%84%B9%EF%B8%8F-about-l...

It looks much more polished than a lot of the existing open source tooling, they've been building a lot of stuff in-house and really been paying attention to UX (which imo is the biggest problem with a lot of existing FOSS solutions).

I have high hopes this'll become a viable solution going forward, maybe even for non-gov users.

Help us spread the word? We have good engagement but we need more from governments.

https://openwallet.foundation/