In 2025 we have a problem with Big Tech manufacturers cozying up to federal governments: Microsoft, Apple, Facebook, Google, and Amazon have all contributed to the upcoming inauguration of President Donald Trump of the United States. While I don't want to delve into personal politics here, I firmly believe that regardless of political affiliation, Big Tech cozying up to federal governments is a bad thing. While Big Tech has produced more secure operating systems in recent years, the one thing we exchange for those systems is trust: trust not to abuse us, our data, or our rights. By cozying up to the US federal government, they have undermined the trust of everyone who may not be comfortable with the US government entering into their personal lives. This doesn't have to include political dissidents, but can very well include citizens of different countries who are uncomfortable with a foreign government knowing so much about them. With this context in mind, I have decided to withdraw any endorsement for Big Tech operating systems, and instead write this Shortie containing various endorsements for open projects.
Qubes OS: Qubes OS can only really be described as a "meta OS": it is an operating system designed to run other operating systems seamlessly. Qubes OS sandboxes default services like USB controllers, network cards, etc. into their own virtual machines, or "qubes". By default, Qubes OS leverages the principle of least privilege to ensure that a compromised qube cannot own the whole system. In fact, Qubes assumes you are going to get hacked, and has features to help you recover from being hacked. One of these is that qubes are immutable by default: they inherit their root from their template qubes while keeping a persistent home folder. However, you can leverage disposable qubes for a more secure experience. Qubes also includes a great backup and restore system, with a paranoid restore mode to help securely recover from a fully owned system. Beyond hypervisor-leveraged sandboxing, in-qube hardening is lacking (to be generous), so it is on the user to use secure systems in their qubes. I personally recommend replacing passwordless sudo with a dom0 prompt at a minimum, and using Fedora with Brace, Kicksecure, or OpenBSD HVMs for your Qubes templates or standalones. Qubes OS has a learning curve, but is by far the most secure open source desktop operating system on the market.
Secureblue: Secureblue is a hardening project for Fedora Silverblue. Silverblue is a great starting point for Linux hardening, given that Red Hat continuously adds new security technologies to their Fedora lineups. Notably for Secureblue, Fedora has enabled sandboxing for many system services, and all apps installed via Flatpak are sandboxed by default. This provides a great base to start with, but Secureblue also implements hardening from the GrapheneOS project and Kicksecure. Not to be outdone, Silverblue also adds its own hardening, including mitigating LD_PRELOAD attacks, enabling flathub-verified repos by default, installing bubblejail to sandbox apps installed outside of Flatpak, an optional lockdown mode for Flatpak app permissions, removing suid-root from binaries, and including a hardened Chromium fork based off of Vanadium. Overall, this is a great pick for a system that is more adequately sandboxed than other Linux systems on desktop.