Theo is an ass. That's the nicest way to say it. If you dealt with him before, you'd know what I'm talking about.

Most viable Linux malwares out there are designed to achieve persistence via installing kernel modules.

Still waiting to see someone influential raise a demand for consortium consisting of major OS and hardware vendors that grants keys instead of leaving all control to microsoft

That was just one example. I very much doubt that there's a shared runtime for every dependency possible.

I agree to your response. It should have no "tie-in" with Android, which is a spyware hole for Google, nor third-party software. It should stand on it's own except it should have chains of trust down to the firmware on that specific computer without relying on additional hardware. If that means certificates, so be it. If you don't like it (not directed at you, specifically), come up with a better idea. Linux always advocates "if you don't like it, here's the source code - changes it how you like it". If it pisses people off that they don't like how something works, but aren't willing to learn how to change it, then that's their problem.

The "application-based firewall" is an interesting concept that's been done before (think Sculpt OS or Tails). However, it's executed in a way that is user-hostile and won't attract any third-party application developers.

Sandboxing is an idea that works in concept, but fails in practice. An application that is given access to data stores can easily corrupt it, even if the OS is protected from modification. The dependency issues are far from resolved, since there is little to no end-user notification regarding outdated versioning of dependency packages. Dependency versioning is at the mercy of the sandboxed application package. It's often used as a crutch for lazy app developers.

Flatpak has runtimes and they can be fixed independently. So your OpenSSL can be fixed easily without updating the flatpak package. The advantage of flatpak is that you can have different runtimes at the same time. Something that is not possible with traditional distributions.

And if the original developer will produce the flatpak you will not get same randomly broken package of your distribution because it is tested. As a developer I very often have seen broken packages because the wrong library version was used. Some packagers even patched the original source without any understanding. It would be nice if this FUD of superior packaging of distributions could stop.

One can only hope you're joking with large parts of your comment.

No, there shouldn't be any deep integration with some snake oil security suite. When I want to use a handbrake I'll just use that. And never ever in a million years it should do what Windows Defender does. That is enforcing itself upon the user and turning itself on randomly after you explicitly turned it off. The only relevant reatures that would actually make a difference would be protected folders so not just any app can write to them, and some kind of rudimentary VM to analyze unknown files. But virus detection programs are pretty much snake oil. They can only check signatures, which can be circumvented very easily, and they can use heuristics which just never work. What a great way to teach the user a very false sense of security.

And no, Flatpaks and Snaps are really the last type of packages you want to put your trust into. Instead, you should bring sandboxing to the normal Linux apps. Not to mention that Snaps are the worst pile of garbage, but both systems and AppImages repeat the worst and most unforgivable sin that Microsoft does for decades: Having all apps package every dependency themselves. With a proper system managed by the likes of apt, rpm and co, if there is a critical vulnerability in a dependency like OpenSSL and others that very often have big impact security flaws, you update that one package, and you're good to go. With Windows, Flatpaks, Snaps and AppImages you litteraly have to pray that the application will be updated quickly. But you can't even be sure that it does. Or do you have a way that magically tells you which libraries are used in which version of an app? At least there isn't any user-friendly way.

And no, they should most definitely not remove a way to hide that pile of crap of an "information screen". The large majority of users will, if they ever use secure boot with Linux, use a Microsoft signed shim to do the trick, which is by far the least trustworthy approach. Then you can just turn it off all together, the result would be the same. And no, the majority of users will never enroll their own keys with all the hassle connected to it. Especially given that GNOME isn't just any DE used by only tech-savvy users, but that's mainly used by Ubuntu and Fedora, the two distros that probably are used the most by Linux newbies. They shouldn't be bothered with stuff that wouldn't have much of a benefit but only scare them away because of the amount of work needed. If Linux distributions are able to check all the boxes in a user-friendly way, sure, go ahead and shove it in their faces if things aren't right. But as long as it's connected with way too much trouble or half-assed solutions like kissing Microsoft's ass, just don't show it to newbies. It will only have negative results.

Yup exactly, the core principles behind SecureBoot and TPM are actually quite sound its just the implementation is absolute s**t. I think this is more of a result of crappy software that motherboard makers produce rather than Microsoft specifically (obviously the BIOS will have Microsoft keys as default and there isn't really such a thing as a "linux key" unless its a shim at which point SecureBoot is kinda pointless).

Yes, that's why all those millions of compromised desktop boxes in the massive botnet swarms are always Linux systems.

Oh wait, no - they are all Windows boxes. How odd.