secureblue · EsseLowNitro · May 23, 2025 · May 22, 2025 · May 22, 2025 · May 23, 2025
@@ -95,7 +95,7 @@ Start from your own fork with a branch for the pull request/feature you want to
 Once it's done building, go to your VM running Fedora Atomic and rebase to your newly built image. This is a string that starts with 'rpm-ostree rebase ostree-unverified-registry:ghcr.io/', followed by the repo and package name. This can be found by checking the "packages" section in the sidebar of your fork. Take the docker pull command and copy the repo and package reference. Then, append the tag, which is in the format `br-{branchName}-{fedoraVersion}`. Your command should look like this:
 
 ```
-rpm-ostree rebase ostree-unverified-registry:ghcr.io/YOURUSERNAME/YOURIMAGENAME:br-YOURBRANCHNAME-41
+rpm-ostree rebase ostree-unverified-registry:ghcr.io/YOURUSERNAME/YOURIMAGENAME:br-YOURBRANCHNAME-42
 ```
 
 ## [Building Locally](#building-locally)

@@ -68,7 +68,7 @@ When possible, we do upstream our changes. For example, collaborating with KDE t
 ### [Is this an install script?](#script)
 {: #script}
 
-No. When you run our installer, you are *fully replacing* the system. secureblue is not an install script, nor an add-on to a Fedora installation, nor a distro in the traditional sense. It is a set of [bootable container](https://github.com/containers/bootc) images shipped via GitHub's container registry. These images are rebuilt daily and pushed to GitHub's container registry. These images are then pulled in by `rpm-ostree`, which stages updates as a pending deployment for the next boot. To view information about your current local deployments and remotes, run `rpm-ostree status`.
+No. When you run our installer, you are *fully replacing* the system (excluding your homedir). secureblue is not an install script, nor an add-on to a Fedora installation, nor a distro in the traditional sense. It is a set of [bootable container](https://github.com/containers/bootc) images shipped via GitHub's container registry. These images are rebuilt daily and pushed to GitHub's container registry. These images are then pulled in by `rpm-ostree`, which stages updates as a pending deployment for the next boot. To view information about your current local deployments and remotes, run `rpm-ostree status`.
 
 ### [Why is Flatpak included? Should I use Flatpak?](#flatpak)
 {: #flatpak}

@@ -21,7 +21,9 @@ GNOME and Sway (Silverblue and Sericea images, respectively) secure privileged W
 
 In addition, GNOME also provides weak <a href="https://gitlab.gnome.org/GNOME/gnome-desktop/-/issues/213">thumbnailer sandboxing</a> in Gnome Files, which is an effort to mitigate <a href="https://scarybeastsecurity.blogspot.com/2016/11/0day-exploit-compromising-linux-desktop.html">attacks via thumbnailers</a>. No environment aside from GNOME provides any thumbnailer sandboxing.
 
-This is a relative recommendation between the desktop environments available on secureblue. GNOME and Sway have some extra security niceties like the ones listed above. However, this should not be misconstrued as saying that either one solves any of the fundamental issues with desktop Linux security. For more details, consult the table below.
+It should also be noted that our Sericea images do not contain the wlroots desktop portal, despite it being commonly installed alongside Sway. This is because the portal reintroduces the screencopy vulnerability described above, which would undermine the security improvements in Sway for sandboxed applications. The downside of this is that by default on our Sericea images, flatpaks and applications that haven't implemented protocol support (like chromium-based browsers) are entirely prevented from screenshotting and screensharing. If necessary, Sway users can toggle this using `ujust toggle-wlr-screenshot-support`, but doing so will reintroduce the aforementioned screencopy vulnerability.
+
+This section is a relative recommendation between the desktop environments available on secureblue. GNOME and Sway have some extra security niceties like the ones listed above. However, this should not be misconstrued as saying that either one solves any of the fundamental issues with desktop Linux security. For more details, consult the table below.
 
 | DE/WM      | Secures privileged Wayland protocols? | Thumbnailer sandboxing? | Stability    | Recommendation                                                                                           |
 |------------|---------------------------------------|-------------------------|--------------|----------------------------------------------------------------------------------------------------------|

@@ -28,8 +28,6 @@ The following is advice on what to do before and during the installation of a Fe
 
 {% include alert.html type='tip' content='If you don\'t already have a Fedora Atomic installation, use a Fedora Atomic ISO that matches your secureblue target image to install one. If you want to use a secureblue Silverblue image, start with the Fedora Silverblue ISO, Kinoite for Kinoite images, Sericea (Sway Atomic) for Sericea images, and CoreOS for all the securecore images.<br>For more details on the available images, have a look at the <a href="/images">list of available images</a> before proceeding.' %}
 
-{% include alert.html type='caution' content='The Fedora 41 ISO contains a bugged version of rpm-ostree. As such, after using it to install Fedora Atomic, you <em>must</em> run rpm-ostree upgrade and then restart, before running the secureblue installer.' %}
-
 Before rebasing and during the installation, the following checks are recommended.
 
 ### [Fedora installation](#fedora-installation)
@@ -103,6 +101,7 @@ bash install_secureblue.sh
 - [Setup system DNS](#dns)
 - [Bash environment lockdown](#bash)
 - [LUKS Hardware Unlock](#luks-hardware-unlock)
+- [Flatpak Permissions Tuning](#flatpak-permissions-tuning)
 - [Validation](#validation)
 - [Optional: Trivalent Flags](#trivalent-flags)
 - [Read the FAQ](#faq)
@@ -133,6 +132,9 @@ rpm-ostree kargs \
 ### [Enroll SecureBoot key](#secureboot)
 {: #secureboot}
 
+
+{% include alert.html type='note' content='GNOME users on Nvidia images may notice that Gnome Software prompts them to create a new secureboot key. This prompt can and should be ignored, and the command below used instead.' %}
+
 ```
 ujust enroll-secureblue-secure-boot-key
 ```
@@ -243,6 +245,10 @@ ujust setup-luks-tpm-unlock
 
 Type `Y` when asked if you want to set a PIN.
 
+### [Flatpak Permissions Tuning](#flatpak-permissions-tuning)
+
+Consult our [Flatpak article](/articles/flatpak) for guidance on tuning Flatpak permissions.
+
 ### [Validation](#validation)
 {: #validation}