Linux Kernel Updated To Add Zenbleed Fix For Valve's Steam Deck

  • #21
    All this discussion when we still have no comparison actually showing the impact on the Deck's APU in several games.

    • #22
      Originally posted by intelfx:

      The fact that it can run a browser doesn't mean that it's supposed to.

      It's a gaming machine, for fsck's sake. It runs proprietary code 99% of the time, and it is not supposed to work with any kind of sensitive data.
      It can run a full KDE desktop and has the ability to do anything that my PC can do. That is what it was designed for and what it is supposed to do. The Steam Deck isn't a locked-down PS4, PS5, or Nintendo device that doesn't even include a developer mode to run unsigned code like an Xbox. It's a fully open PC that just happens to be designed to play games.

      I'm ROFLing because if you're running proprietary code 99% of the time then you probably need every protection available. The more open you are, the more you need to protect yourself.

      Unknown, proprietary code with the ability to connect to hundreds and thousands of random people who may or may not be running memory scanners and hacks who can probe your OS's source code for every hole available... Nope, totally not a scenario that requires security.

      For that matter, because I keep reading "Flatpak" like it's some 1337 security tool -- the Flatpak version of Firefox or Chrome or whatever isn't going to save you when you forget it on the bus and some random opens up your browser's password manager, so don't disable your lockscreen so you can game 5 seconds sooner... and if you're an American our courts have ruled that no lockscreen implies that you don't care about privacy, so if you're stopped by a cop they can take your device and search it for whatever if you don't lock it up.

      • #23
        Yes, make it slower and/or drain battery faster. Just what you want from a mobile gaming device.

        • #24
          Originally posted by binarybanana:
          Yes, make it slower and/or drain battery faster. Just what you want from a mobile gaming device.
          Not even that, you're arguing a *theoretical* impact to fps or battery life. Typhoon in a teacup time.

          • #25
            Originally posted by intelfx:

            The fact that it can run a browser doesn't mean that it's supposed to.

            It's a gaming machine, for fsck's sake. It runs proprietary code 99% of the time, and it is not supposed to work with any kind of sensitive data.
            The fact that you are narrow-minded does not imply everyone is like you.
            I know 6 Steam Deck owners around, me included. Half of them use it as a computer occasionally, I use it as a computer primarily.

            The fact it is an actual computer that does support also being a "plain gaming console with Steam games support" was pretty much a core advantage for many people.

            • #26
              1) Steam itself contains an embedded browser component (CEF) which is based on Chromium but lags behind it (including in matters like security patching)

              2) Steam also frequently lags behind the latest version of CEF (and disables a few of its security features like browser sandboxing)
              e.g.: https://www.ghacks.net/2016/02/08/st...omium-browser/

              3) You might be tempted to argue that CEF is only used to browse websites that Valve controls (local pages like the Steam library and remote ones like the Steam store), but remember that the same CEF component powers the Steam Overlay's browsing feature that players use to consult 3rd-party gaming websites while playing, and that Steam discussion forums can link to external URLs even outside the overlay... there are even 3rd-party payment UI webpages that run in CEF while purchasing (!) games

              4) Even if you do nothing else with the Deck besides playing, and even if you don't store payment credentials in your account, wallet credits and a user's purchased games library make the Steam account itself a coveted target for hackers... there's a truckload of news about stolen Steam accounts, usually via 3rd-party websites asking users to log into Steam to integrate some bait feature to the account, but that's just 1 way to get the credentials... hacking the browser or the device is another

              5) Current malware can be deployed automatically, scout for eligible targets and scan for known vulnerabilities left open (without direct intervention from the bad actor for each target), so unlike in the old days where a single big target was preferred, we have bad actors who target small targets en masse too... the effort is no longer that big, whereas the risk of small/home targets fighting back is much, much smaller

              6) Valve can't model security threats only over "YOUR use" or "the most common use" of their device, they must model over at the very least all advertised uses (and they do actively offer the Steam Deck as a multi-purpose device, with desktop mode, Firefox, Google Chrome, ...)

              7) As already mentioned in previous comments, Steam games can also carry exploits, on purpose or by accident... I mean... just look at Garry's Mod vulnerabilities... sheesh, that sort of thing is just ugly!

              8) We're talking more than a million units of identical hardware with identical software which are probably easy to distinguish from the rest of the world, a reasonably homogeneous set of vulnerabilities and desired money-making targets... the Deck has a lot a bad actor would want as a target
              Last edited by marlock; 14 August 2023, 10:17 AM.

              • #27
                Devices should be secure by default. If the Steam Deck has an option to run a full-fledged desktop, including of course a web browser, it should provide that option in a secure way. If someone wants to take the risk, as the Steam Deck is an open machine, you always have the option to disable mitigations. But **security must always be the default option**.

                • #28
                  tl;dr: if at one end of the spectrum we have fear-mongering, at the other we have reckless-mongering


                  it's also worth pointing out that a bad actor might lobby for insecure defaults and propagate a culture where people think it's ok to disable security features when in fact it isn't

                  i'm not accusing anyone posting here complaining of security feature impacts on Steam Deck perf of being such a bad actor... but they should think long and hard about whether they actually know what they're talking about, or if they're just echoing a line of thought they picked up elsewhere

                  they might be inadvertently helping a bad actor spread and reinforce unsafe behaviour

                  not to mention they're opening themselves up to targeted attacks... after all, if I were such a bad actor I'd totally test for known vulnerabilities on the IP of someone publicly claiming they're not a big deal and that protections should be disabled, even in cases where an exploit is expensive to run en masse

                  • #29
                    Originally posted by pmorph:
                    This is tricky advice to give, because you easily end up with people who disable patches because they *think* they are knowledgeable. So they may end up in the position that is the most dangerous of them all.
                    I never said knowledgeable people think they're safe, that's what people who think patches are everything tend to think though. That's why I used the word knowledgeable. I secure my system using different layers to mitigate my risk, and apply common sense to what I do. But I still don't think I am safe; if you want safe, disconnect from the internet and only run analysed binaries on your system, aka enterprise style lockdown.

                    In fact there are many enterprises that are locked down, and have been running unpatched systems for several years, and will likely be lower risk than a casual internet user on a fully patched Windows.

                    "I am patched so I can start using executables from untrusted sources no problem."

                    For those who are risk averse, if it makes you feel better, cripple your CPU, but be aware the OS-side Spectre mitigations aren't actually even a proper patch; they cut it back because the performance hit of a proper mitigation would have been unsellable to the public. Likewise multiple mitigations are off by default even when patched, for similar reasons. OS developers are practicing what I am telling you themselves.

                    The same reason banks don't stick armed guards outside of every bank branch: that would be the most secure, but not necessarily necessary after a risk analysis is carried out.

                    With this said, it doesn't mean I am disabling these mitigations on every device I touch, that's not the case; it's a decision I made on my gaming machine. On servers that I manage with others' data, I use the OS defaults, same with my work laptop. On my own personal VM hypervisor and its guests, I do disable though, as it's only my own stuff, and not much is exposed to the public internet.
                    Last edited by chrcoluk; 15 September 2023, 07:42 AM.
