I like the concept of sandboxing, of device manager and restricted user, in certain cases it can be really useful to implement, and I’d like to try doing something like that on desktop.

I would install Android directly but desktop apps are usually superior in many ways.

At the same time I think stuff like qubes OS is too much…

Maybe leveraging flatpaks or docker can be a solution, toolboxes too?

I’ve also tried Nixos but I don’t think it is what I’m looking for.

  • dajoho@sh.itjust.works
    11·
    12 hours ago

    I hate to be that guy

    That’s okay. Don’t be.

    but OP gave no indication of their gender.

    This is unnecessary white-knight pseudo-concern-trolling designed to derail from the topic at hand. This isn’t a conversation about gender. If I misgendered dontblink, I’ll send 5$ as an apology. You don’t, however, get to choose the language I use, as I equally don’t get to choose yours. Now, back to the Linux discussion:

    Could you explain what exactly this “tight integration” pertains? AFAIK these are just regular old global-state distros but with read-only snapshotting for said global state (RPM-ostree, “immutable”).

    Certainly. That’s essentially absolutely correct. In the case of Bazzite specifically:

    • Distrobox comes pre-installed, enabling application installation inside sandboxed Podman containers with restricted access to /dev. Unlike Toolbox, Distrobox can be configured with different and fully isolated home folders, meaning containers won’t have access to your GPG/SSH keys or other user files unless explicitly configured.
    • ujust is pre-installed (docs), providing helper scripts for various tasks, including easy virtualization setup for virt-manager/qemu/kvm for running completely isolated operating systems.
    • BoxBuddy is pre-installed, a GUI for easy management of distrobox containers, also allowing you to alias/sync .desktop files from sandboxes to your main home folder, allowing you to start sandboxed GUI apps from your normal GNOME/KDE menu.
    • Waydroid integration can be added via ujust, allowing launching of sandboxed, isolated Android apps directly from the desktop environment.

    That is their one and only stated goal: Run games.

    That’s incorrect. While gaming is their primary focus—especially with the “big-screen” edition that boots directly into Steam—Bazzite also offers fully functional, polished desktop environments with thoughtful defaults. For example, even if only an insignificant tweak, GNOME on Bazzite has minimize/maximize buttons enabled by default (unlike Fedora Silverblue). It also supports developer workflows and even isolated, containerized systemd services. (docs). They offer Bazzite editions which boot directly to the desktop environment as default, leaving Steam as only a normal Flatpak application.

    Could you point out the specific concrete things Bazzite does to improve separation between applications beyond the sandboxing tools that are available to any distribution?

    None, beyond having them pre-installed out of the box. But it’s important to distinguish that dontblink asked for a solution, not the solution. I suggested Bazzite GNOME because it provides a nearly complete setup without needing to manually mess with rpm-ostree first. Everything it can do can also be done on other similar immutable systems with a little extra work.