u/vintologi24

Working on an apparmor profile for wine

I want the last 3 perms to only apply to xsim but i found no way to actually make that work so far. Unfortunately wine also tends to work with malware so i want proper safety measures in place.

This is also more permissive than ideal in other ways. Had a hard time finding proper documentation so i ended up with a frankenstein-profile consisting of a mix between 2 profiles i found online in addition to my own hacks for this. Not exactly ideal in terms of security.

Trying to find some good way to make profiles for specific windows programs.

#include <tunables/global>
"/**/{wine*,*.exe}" {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>
  #include <abstractions/ubuntu-gnome-terminal>
  /dev/** r,
  /proc/** r,
  /sys/** r,
  /usr/** r,
  /lib/** r,
  /etc/** r,
  /tmp/** r,
  /var/** r,
  /opt/** r,
  /dev/dri/renderD128 rw,
  /dev/dri/renderD128 rw,
  /usr/lib/wine/x86_64-unix/* rmix,
  /usr/bin/wineserver rmix,
  /usr/bin/wine rmix,
  /usr/lib{,32,64}/** mr,
  /run/media/CENSORED/CENSORED/** rwix,
  /home/*/.wine/** rwix,
  /run/media/*/CENSORED/** r,
  /tmp/.wine-*/server-*/ r,
  /tmp/.wine-*/server-*/* wk,
  /home/** r,
  /home/*/XSim/** rix,
  /home/*/Documents/CENSORED/CENSORED/CENSORED/data/** rw,
}
reddit.com
u/vintologi24 — 21 hours ago

The security problems linux users are ignoring

I saw a video earlier of someone demonstrating that malware often works in linux via wine and that can actually do real damage. That very obvious security issue has existed for over a decade and very little effort has been made to develop proper mitigation against it.

So i searched for apparmor profile assuming that by now someone must have figured out something good but nope i ended up having to try to figure those permissions out myself which is somewhat of a nightmare to get properly working (restrictive enough to be effective but permissive enough for wine to work with what i need it for).

I ended up having to go for a frankenstein config combining the 2 profiles i found online (not ideal):

#include <tunables/global>
"/**/{wine*,*.exe}" {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>
  #include <abstractions/ubuntu-gnome-terminal>
  /home/** r,
  /dev/** r,
  /proc/** r,
  /sys/** r,
  /usr/** r,
  /lib/** r,
  /etc/** r,
  /tmp/** r,
  /var/** r,
  /opt/** r,
  /dev/dri/renderD128 rw,
  /dev/dri/renderD128 rw,
  /usr/lib/wine/x86_64-unix/* rmix,
  /usr/bin/wineserver rmix,
  /usr/bin/wine rmix,
  /usr/lib{,32,64}/** mr,
  /run/media/CENSORED/CENSORED/** rwix,
  /home/*/.wine/** rwix,
  /run/media/*/CENSORED/** r,
  /tmp/.wine-*/server-*/ r,
  /tmp/.wine-*/server-*/* wk,
  /home/*/Documents/CENSORED/XSim/** rwix,
  /home/CENSORED/Documents/CENSORED/CENSORED/data/** rw,
}

While i am using Arch Linux as far as i know there isn't any distribution where configuring the security with apparmor is any easier. You can go for fedora or opensuse to get it preconfigured for SELinux but i heard that SELinux doesn't work well with wine either. SELinux is also even harder to configure properly than apparmor.

btw: a massive security issue "crackarmor" was discovered fairly recently so i am not sure if relying on apparmor is a particularly great idea. Probably wasn't the only big security issue.

I have of course tried other sandboxes as well but i did not find anything that seemed to work particularly well so it came back to using apparmor or SELinux but SELinux is not officially supported with my current distribution.

Having security be difficult to properly configure is obviously very bad since that massively increases the risk of catastrophic outcomes from user errors. Security needs to be properly enabled out of the box to get a system that is safe in practice for the typical users.

I hear that the flatpak sandbox ended up breaking the browser sandbox causing browsers to become significantly less secure if you install a flatpak version. It's also worth noting that while sandboxing can protect you there can be exploits possible allowing malware to escape the sandbox to do massive damage. The archwiki specifically warns against over-reliance on sandboxing:

https://preview.redd.it/37gkk6vf2z0h1.png?width=1221&format=png&auto=webp&s=6ff942a37ef53869f80def8b78b66ec3c24fcfb7

https://preview.redd.it/sgztm1pj2z0h1.png?width=905&format=png&auto=webp&s=5455286e8297c6759e6fc750d5ea5c0cdbdc34df

https://preview.redd.it/0me2if0m2z0h1.png?width=1214&format=png&auto=webp&s=709a10cea235ea6715cd6713a8d6137ebddc7fe1

You simply have to hope that the malware isn't sophisticated enough if you are unfortunate enough to run it on your system (even if you take precautions).

You are for example supposed to read the PKGBUILD file before installing anything from the AUR but i am pretty sure less than 10% actually bother doing that. I only started doing that fairly recently since i don't know how much i can trust others to discover malware before i install it (in the past it has been discovered in like 2 days so older than 3 days is probably safe).

Ubuntu has had a lot of problems with malware on their snap store. Way worse than the AUR while also having a lot less software.

A version of xz-utils containing a backdoor was accepted into various official repositories due to how difficult it was to discover even with the sourcecode.

reddit.com
u/vintologi24 — 1 day ago
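An added example, not part of the posts above and not AppArmor project code: a small Python linter run over the profile shared in the two posts above (the first post's version is used; the second is nearly identical). It flags duplicate rules, paths that are both writable and executable, and read access to a whole top-level tree. The rule text is copied as posted, CENSORED parts included; the check names are made up for this example.

```python
import re
from collections import Counter

# Profile text copied from the first post, as posted (CENSORED parts kept).
PROFILE = r'''
#include <tunables/global>
"/**/{wine*,*.exe}" {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>
  #include <abstractions/ubuntu-gnome-terminal>
  /dev/** r,
  /proc/** r,
  /sys/** r,
  /usr/** r,
  /lib/** r,
  /etc/** r,
  /tmp/** r,
  /var/** r,
  /opt/** r,
  /dev/dri/renderD128 rw,
  /dev/dri/renderD128 rw,
  /usr/lib/wine/x86_64-unix/* rmix,
  /usr/bin/wineserver rmix,
  /usr/bin/wine rmix,
  /usr/lib{,32,64}/** mr,
  /run/media/CENSORED/CENSORED/** rwix,
  /home/*/.wine/** rwix,
  /run/media/*/CENSORED/** r,
  /tmp/.wine-*/server-*/ r,
  /tmp/.wine-*/server-*/* wk,
  /home/** r,
  /home/*/XSim/** rix,
  /home/*/Documents/CENSORED/CENSORED/CENSORED/data/** rw,
}
'''

# A file rule is "<path> <perms>," where the path is quoted or starts with "/".
RULE = re.compile(r'^\s*(?P<path>"[^"]+"|/\S+)\s+(?P<perms>[A-Za-z]+)\s*,\s*$')
# A glob that covers one entire top-level directory, e.g. /home/** or /etc/**.
WHOLE_TREE = re.compile(r'^/[^/*{]+/\*\*$')


def parse_rules(text):
    """Return (path, perms) for each file rule; includes, the header and braces are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            rules.append((m["path"].strip('"'), m["perms"]))
    return rules


def lint(text):
    """Return a list of (check, path, perms) findings for the profile text."""
    rules = parse_rules(text)
    findings = []
    # The same rule listed more than once.
    for rule, count in Counter(rules).items():
        if count > 1:
            findings.append(("duplicate", *rule))
    for path, perms in dict.fromkeys(rules):  # unique rules, original order
        writable = "w" in perms or "a" in perms
        executable = "x" in perms or "m" in perms
        # Files the confined program can create and then run or map as code.
        if writable and executable:
            findings.append(("write+exec", path, perms))
        # Read access to everything below a top-level directory.
        if "r" in perms and WHOLE_TREE.match(path):
            findings.append(("whole-tree-read", path, perms))
    return findings


if __name__ == "__main__":
    for check, path, perms in lint(PROFILE):
        print(f"{check:16} {path} {perms}")
```

The two write+exec findings are trees the confined program can write to and then execute from under the same profile (`ix`), so they are the first rules to split or tighten.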
▲ 1 r/arch

Security with arch linux is kinda bad

Recently i have been trying to find some good way to restrict programs i can run with wine but honestly it's taking way too much effort and i still have not been able to get it working. I had to edit my syslinux config file to enable wine at startup but still it doesn't actually do anything for wine.

Looked into various sandboxing options and so far i have not found anything particularly good. Currently testing out apparmor to make wine less unsafe to use.

I found this old profile for wine but perhaps it doesn't work anymore (it doesn't get used at all it seems):

#Example pruned wine-preloader profile, needs to be further expanded to be functional
#include <tunables/global>
/usr/bin/wine-preloader {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>
  #include <abstractions/ubuntu-gnome-terminal>
  /usr/bin/wine-preloader rix,
  /usr/bin/wineserver px,
  /usr/bin/wine mr,
  /usr/lib{,32,64}/** mr,
  /usr/share/wine/fonts/ r,
  /usr/share/wine/fonts/** r,
  /usr/share/wine/wine.inf r,
  /etc/fstab r,
  /home/** r,
  /opt/wine/.wine/** r,
}
/usr/bin/wineserver {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  /usr/bin/wineserver r,
  /tmp/.wine-*/server-*/ r,
  /tmp/.wine-*/server-*/* wk,
  /home/*/ r,
  /home/*/Desktop/ r,
  /home/** r,
  /home/*/.wine/* rw,
  "/opt/wine/.wine/*/Program Files/**.exe/" r,
}

Wine has been a security concern for me for a while since a lot of windows malware works with wine as well.

It's also worth noting that apparmor had a serious security issue discovered recently so i don't know how much you can actually trust it. SELinux seems superior with proper configuration but good luck getting that properly working with Arch Linux.

Then there is the issue of having to read PKGBUILD files to safely use the AUR which most people are not going to do (you can also wait a few days and hope that someone else will check it for you).

The biggest security risk is the human factor and here arch linux does a bad job at mitigating these risks by placing too much of a burden on the individual users.

reddit.com
u/vintologi24 — 1 day ago

What's the best option for sandboxing closed sourced software?

I find myself wanting to play closed sourced games on linux but i need to figure out some better security measures.

I don't want to rely merely on not running games as root given the recent privilege escalation vulnerabilities.

I don't use steam. I get the games elsewhere where there is some vetting but i do still need to add some extra safety measures.

I also need to add restrictions to wine so i do not get malware by running unsafe windows software.

Previously i have mostly used windows 10 for gaming but that's not ideal since i am not able to disconnect all drives with data i care about when using windows 10 (i cannot disconnect any NVME SSD easily).

reddit.com
u/vintologi24 — 3 days ago

How do you protect your home directory?

It's somewhat of a soft target since by default you can delete/modify all files there with your login account even if it isn't even a super user.

Note that the risk isn't just full on malware. Steam had a nasty bug earlier that caused people to lose their entire home folders:

https://github.com/ValveSoftware/steam-for-linux/issues/3671

I have of course already deleted steam from my Arch Linux SSD (not just for that reason) but is there any further measures that make sense besides proper backups?

I did change ownership over a big chunk of my downloaded flac files to root to add an extra layer of protection but those files are already backed up twice anyway (once on an external HDD not connected to my PC) so i don't think it added too much in terms of data safety.

Using sandboxing to run risky software (such as closed sourced games) is an option but the wiki specifically warns that it's never safe to run untrusted code (even with a sandbox). I do still do most of my gaming in windows where i disconnect most drives containing important data (including the SSD with Arch Linux obviously) so as long as my motherboard (msi pro z790-p) itself has proper security i should be fine but who knows?

u/vintologi24 — 4 days ago

My system is now almost completely free of flatpaks and app images

I don't think i have any snaps or flatpaks at all. I do however have 2 appimages

I have the beta version of OCCT in order to test out their new ram stability test but that's kinda useless when it doesn't find any errors (might have something to do with my ram being stable).

I have 1 appimage for openshot because openshot moved to the AUR and i was never able to get a proper native version of openshot actually working.

reddit.com
u/vintologi24 — 4 days ago

How does the new OCCT tm5 test compare against the original testmem5?

I can't really test this myself due to my current DDR5 overclock being far too stable for that.

They did add something similar to testmem5 starting with version 17 (currently in beta)

reddit.com
u/vintologi24 — 5 days ago
▲ 0 r/OS_Debate_Club+1 crossposts

Linux provides people with a false sense of security

One common security measure linux users tend to use is to require sudo to edit system files. That is indeed something good but there is a small problem.

Often the actual things of importance for people are things in the home folder but that has no added protection, opening up the door for ransomware to encrypt people's important documents/pictures without needing root access.

Of course if you know what you are doing you will back up all important files and not allow them to be edited without root access.

But recently another privilege escalation exploit was discovered and this time it was disclosed too early so it's currently not fixed which is very bad.

A big reason why linux was safer in practice (in the past at least) was that people got their packages from vetted official repositories instead of just downloading sketchy stuff online (like windows users often did in the past). Recently however gaming on linux has become more popular but that typically involves running closed sourced software from a platform where people have gotten malware in the past.

Canonical has very much pushed people towards their snap store only to have said store be full of malware. The geniuses at canonical didn't implement any proper security measure so when developers had their domains expire hackers simply renewed those domains to hijack developer accounts on the snap store (which allowed them to push their malware on people).

Often the repositories for various distributions are maintained by volunteer labor which ends up severely limiting the software that is available in those official repositories. In the case of Arch Linux far too many packages end up being in the AUR but there have also been cases of people uploading malware to the AUR (you are supposed to read the PKGBUILD and understand it but i have a feeling most people don't bother actually doing that).

reddit.com
u/bamboo-lemur — 7 days ago

The appimage doesn't work as well as a proper install.

I can't build libopenshot without getting errors.

-- Looking for system jsoncpp
CMake Error at /usr/lib/cmake/Qt5Gui/Qt5Gui_.cmake:4 (_populate_Gui_plugin_properties):
  _populate_Gui_plugin_properties Macro invoked with incorrect arguments for
  macro named: _populate_Gui_plugin_properties
Call Stack (most recent call first):
  /usr/lib/cmake/Qt5Gui/Qt5GuiConfig.cmake:240 (include)
  /usr/lib/cmake/Qt5/Qt5Config.cmake:28 (find_package)
  src/CMakeLists.txt:324 (find_package)

CMake Error at /usr/lib/cmake/Qt5Gui/Qt5Gui_QDDSPlugin.cmake:4 (_populate_Gui_plugin_properties):
  _populate_Gui_plugin_properties Macro invoked with incorrect arguments for
  macro named: _populate_Gui_plugin_properties
Call Stack (most recent call first):
  /usr/lib/cmake/Qt5Gui/Qt5GuiConfig.cmake:240 (include)
  /usr/lib/cmake/Qt5/Qt5Config.cmake:28 (find_package)
  src/CMakeLists.txt:324 (find_package)


-- Checking for module 'libavresample'
--   Package 'libavresample' not found
-- Checking for module 'babl'
--   Package 'babl' not found
CMake Error at /usr/lib/cmake/Qt5Gui/Qt5Gui_.cmake:4 (_populate_Gui_plugin_properties):
  _populate_Gui_plugin_properties Macro invoked with incorrect arguments for
  macro named: _populate_Gui_plugin_properties
Call Stack (most recent call first):
  /usr/lib/cmake/Qt5Gui/Qt5GuiConfig.cmake:240 (include)
  /usr/lib/cmake/Qt5/Qt5Config.cmake:28 (find_package)
  examples/CMakeLists.txt:15 (find_package)


CMake Error at /usr/lib/cmake/Qt5Gui/Qt5Gui_QDDSPlugin.cmake:4 (_populate_Gui_plugin_properties):
  _populate_Gui_plugin_properties Macro invoked with incorrect arguments for
  macro named: _populate_Gui_plugin_properties
Call Stack (most recent call first):
  /usr/lib/cmake/Qt5Gui/Qt5GuiConfig.cmake:240 (include)
  /usr/lib/cmake/Qt5/Qt5Config.cmake:28 (find_package)
  examples/CMakeLists.txt:15 (find_package)


-- PYTHON_MODULE_PATH: /usr/lib/python3.14/site-packages
-- RUBY_MODULE_PATH: /usr/lib/ruby/vendor_ruby/3.4.0/x86_64-linux
-- Doxygen found, enabling libopenshot documentation target
-- libopenshot Build configuration:
-- The following features have been enabled:

 * FFmpeg swresample, Audio resampling uses swresample
 * FFmpeg hwaccel, GPU-accelerated routines (FFmpeg 3.4+)
 * OpenCV algorithms, Use OpenCV algorithms
 * Parallel tests, Unit tests can use 32 processors
 * Unit tests, Compile unit tests for library functions
 * Non-default target 'coverage', Run unit tests and (if enabled) collect coverage data
 * Non-default target 'doc', Build formatted API documentation (HTML+SVG)

-- The following OPTIONAL packages have been found:

 * ImageMagick
 * Resvg
 * cppzmq
 * PkgConfig
 * babl
 * OpenCV (required version >= 4)
 * Threads
 * PythonInterp (required version >= 3)
 * PythonLibs (required version >= 3)
 * Ruby
 * Doxygen
 * Catch2

-- The following REQUIRED packages have been found:

 * OpenShotAudio (required version >= 0.6.0)
 * jsoncpp
 * Qt5Widgets
 * FFmpeg
 * OpenMP
 * ZeroMQ
 * Protobuf (required version >= 3)
 * Qt5Core (required version >= 5.15.18)
 * Qt5Gui
 * Qt5
 * SWIG (required version >= 3.0)

-- The following features have been disabled:

 * Coverage, analyze test coverage and generate report
 * IWYU (include-what-you-use), Scan all source files with 'iwyu'

libopenshot-git gets 2 errors in the checking process. I could still build the package by editing the package build file but openshot still doesn't work if i try to open it:

Loaded modules from: /usr/lib/python3.14/site-packages/openshot_qt
INFO sentry: No sentry_sdk module detected (error reporting is disabled)

(process:3360520): Gtk-WARNING **: 13:25:38.044: Locale not supported by C library.
Using the fallback 'C' locale.
INFO app: ------------------------------------------------
INFO app:             Thu May  7 13:25:38 2026            
INFO app:               Starting new session              
INFO app: ------------------------------------------------
INFO app:             OpenShot (version 3.5.1)            
INFO app: ------------------------------------------------
INFO app: openshot-qt version: 3.5.1
INFO app: libopenshot version: 0.7.0
INFO app: platform: Linux-7.0.3-arch1-2-x86_64-with-glibc2.43
INFO app: processor: 
INFO app: machine: x86_64
INFO app: python version: 3.14.4
INFO app: qt5 version: 5.15.18
INFO app: pyqt5 version: 5.15.11
INFO app: Legacy timeline disabled via preferences; using QWidget backend.
INFO project_data: Setting profile to HD 720p 60 fps
INFO project_data: Apply default audio playback settings: 22050, 2 channels
INFO app: checking babl_ext_path: /usr/lib/python3.14/site-packages/openshot_qt/lib/babl-ext
INFO language: Qt Detected Languages: ['C']
INFO language: LANG Environment Variable: sv_SE.UTF-8
INFO language: LOCALE Environment Variable: 
INFO language: OpenShot Preference Language: Default
INFO ui_util: Initializing UI for MainWindow
INFO thumbnail: Starting thumbnail server listening on ('127.0.0.1', 38843)
INFO logger_libopenshot: Connecting to libopenshot with debug port: 5556
INFO keyframe_panel: Keyframe panel refresh skipped: no window reference
WARNING updates: Cannot add existing listener: <windows.views.timeline.TimelineView object at 0x7f64f0fb0560>
WARNING updates: Cannot add existing listener: <windows.views.timeline.TimelineView object at 0x7f64f0fb0560>
INFO transition_model: updating transitions model.
INFO effects_model: updating effects model.
INFO effects_model: Generating thumbnail for /home/vintologi/.openshot_qt/cache/displace.png (/usr/lib/python3.14/site-packages/openshot_qt/effects/icons/displace.png)
WARNING effects_model: /usr/lib/python3.14/site-packages/openshot_qt/effects/icons/displace.png is not a valid image file.
INFO effects_model: Generating thumbnail for /home/vintologi/.openshot_qt/cache/glow.png (/usr/lib/python3.14/site-packages/openshot_qt/effects/icons/glow.png)
WARNING effects_model: /usr/lib/python3.14/site-packages/openshot_qt/effects/icons/glow.png is not a valid image file.
INFO effects_model: Generating thumbnail for /home/vintologi/.openshot_qt/cache/shadow.png (/usr/lib/python3.14/site-packages/openshot_qt/effects/icons/shadow.png)
WARNING effects_model: /usr/lib/python3.14/site-packages/openshot_qt/effects/icons/shadow.png is not a valid image file.
INFO emoji_model: updating emoji model.
INFO main_window: InitCacheSettings
INFO main_window: cache-mode: CacheMemory
INFO main_window: cache-limit-mb: 2048
INFO main_window: cache-ahead-percent: 0.7
INFO main_window: cache-preroll-min-frames: 24
INFO main_window: cache-preroll-max-frames: 96
INFO main_window: cache-max-frames: 1024
INFO main_window: Creating CacheMemory object with 2147483648 byte limit
INFO preview_thread: QThread Start Method Invoked
Caught signal 11 (SIGSEGV)
---- Unhandled Exception: Stack Trace ----
INFO main_window: Initialized OMP threads to 12 (user setting)
  /usr/lib/libQt6Core.so.6       ( QObject::connectImpl(QObject const*, void**, QObject const*, void**, QtPrivate::QSlotObjectBase*, Qt::ConnectionType, int const*, QMetaObject const*)  + 0x111 )  [0x7f65289e78a1]
  /usr/lib/libopenshot.so.30     ( openshot::QtPlayer::SetQWidget(unsigned long)  + 0xf1  )  [0x7f6529eff6b1]
  /usr/lib/python3.14/site-packages/_openshot.so (                                           + 0x1695f3)  [0x7f652a7695f3]
  /usr/lib/libpython3.14.so.1.0  (                                           + 0x1a4ab4)  [0x7f652c1a4ab4]
  /usr/lib/libpython3.14.so.1.0  (                                           + 0x27e27a)  [0x7f652c27e27a]
  /usr/lib/libpython3.14.so.1.0  ( _PyEval_EvalFrameDefault                  + 0x5be4)  [0x7f652c188894]
  /usr/lib/libpython3.14.so.1.0  (                                           + 0x1b326b)  [0x7f652c1b326b]
  /usr/lib/libpython3.14.so.1.0  (                                           + 0x1f70d3)  [0x7f652c1f70d3]
  /usr/lib/python3.14/site-packages/PyQt5/QtCore.abi3.so (                                           + 0x1ad0b7)  [0x7f6516fad0b7]
  /usr/lib/python3.14/site-packages/PyQt5/QtCore.abi3.so (                                           + 0x1ad99f)  [0x7f6516fad99f]
  /usr/lib/python3.14/site-packages/PyQt5/QtCore.abi3.so (                                           + 0x18e04c)  [0x7f6516f8e04c]
  /usr/lib/libQt5Core.so.5       (                                           + 0x32483e)  [0x7f6516b2483e]
  /usr/lib/libQt5Core.so.5       ( QThread::started(QThread::QPrivateSignal)  + 0x3f  )  [0x7f65168f2daf]
  /usr/lib/libQt5Core.so.5       (                                           + 0xf76bc)  [0x7f65168f76bc]
  /usr/lib/libc.so.6             (                                           + 0x981b9)  [0x7f652bc981b9]
  /usr/lib/libc.so.6             (                                           + 0x11d21c)  [0x7f652bd1d21c]
---- End of Stack Trace ----
INFO main_window: Initialized FFmpeg threads to 8 (user setting)
ERROR main_window: Unhandled crash detected: -linux-/usr/lib/libQt6Core.so.6 QObject::connectImpl
QObject::killTimer: Timers cannot be stopped from another thread
QObject::~QObject: Timers cannot be stopped from another thread
Caught signal 11 (SIGSEGV)
---- Unhandled Exception: Stack Trace ----
  /usr/lib/libQt5Gui.so.5        ( QTextLayout::beginLayout()                + 0x23  )  [0x7f6515443dd3]
  /usr/lib/libQt5Gui.so.5        (                                           + 0x43c5a6)  [0x7f651563c5a6]
  /usr/lib/libQt5Gui.so.5        ( QFontMetrics::boundingRect(QRect const&, int, QString const&, int, int*) const  + 0xf6  )  [0x7f65154152f6]
  /usr/lib/libQt5Gui.so.5        ( QFontMetrics::size(int, QString const&, int, int*) const  + 0x40  )  [0x7f6515415380]
  /usr/lib/libQt5Widgets.so.5    (                                           + 0x31f928)  [0x7f6515d1f928]
  /usr/lib/libQt5Widgets.so.5    (                                           + 0x3203d7)  [0x7f6515d203d7]
  /usr/lib/libQt5Widgets.so.5    ( QMenuBar::heightForWidth(int) const       + 0x45  )  [0x7f6515d2af85]
  /usr/lib/python3.14/site-packages/PyQt5/QtWidgets.abi3.so (                                           + 0x180fbc)  [0x7f6516380fbc]
  /usr/lib/libQt5Widgets.so.5    ( QMenuBar::changeEvent(QEvent*)            + 0xec  )  [0x7f6515d27dfc]
  /usr/lib/python3.14/site-packages/PyQt5/QtWidgets.abi3.so (                                           + 0x1836e4)  [0x7f65163836e4]
  /usr/lib/libQt5Widgets.so.5    ( QWidget::event(QEvent*)                   + 0x1af )  [0x7f6515ba22af]
  /usr/lib/python3.14/site-packages/PyQt5/QtWidgets.abi3.so (                                           + 0x1803fc)  [0x7f65163803fc]
  /usr/lib/libQt5Widgets.so.5    ( QApplicationPrivate::notify_helper(QObject*, QEvent*)  + 0x8f  )  [0x7f6515b5bf4f]
  /usr/lib/python3.14/site-packages/PyQt5/QtWidgets.abi3.so (                                           + 0x2dad27)  [0x7f65164dad27]
  /usr/lib/libQt5Core.so.5       ( QCoreApplication::notifyInternal2(QObject*, QEvent*)  + 0x138 )  [0x7f6516ae6928]
  /usr/lib/libQt5Widgets.so.5    ( QApplication::setStyle(QStyle*)           + 0x43a )  [0x7f6515b56faa]
  /usr/lib/libQt5Widgets.so.5    ( QApplication::setStyle(QString const&)    + 0x21  )  [0x7f6515b584f1]
  /usr/lib/python3.14/site-packages/PyQt5/QtWidgets.abi3.so (                                           + 0x2d50cb)  [0x7f65164d50cb]
  /usr/lib/libpython3.14.so.1.0  (                                           + 0x1a4ab4)  [0x7f652c1a4ab4]
  /usr/lib/libpython3.14.so.1.0  ( _PyObject_MakeTpCall                      + 0x46c )  [0x7f652c16d39c]
  /usr/lib/libpython3.14.so.1.0  ( _PyEval_EvalFrameDefault                  + 0x2d74)  [0x7f652c185a24]
  /usr/lib/libpython3.14.so.1.0  (                                           + 0x1bb5b1)  [0x7f652c1bb5b1]
  /usr/lib/libpython3.14.so.1.0  ( _PyObject_MakeTpCall                      + 0x48b )  [0x7f652c16d3bb]
  /usr/lib/libpython3.14.so.1.0  ( _PyEval_EvalFrameDefault                  + 0x3e9f)  [0x7f652c186b4f]
  /usr/lib/libpython3.14.so.1.0  (                                           + 0x17ec04)  [0x7f652c17ec04]
  /usr/lib/libpython3.14.so.1.0  ( PyEval_EvalCode                           + 0xc0  )  [0x7f652c26b550]
  /usr/lib/libpython3.14.so.1.0  (                                           + 0x2aae9f)  [0x7f652c2aae9f]
  /usr/lib/libpython3.14.so.1.0  (                                           + 0x2ab8ba)  [0x7f652c2ab8ba]
  /usr/lib/libpython3.14.so.1.0  (                                           + 0x2ab20b)  [0x7f652c2ab20b]
  /usr/lib/libpython3.14.so.1.0  (                                           + 0x2aade0)  [0x7f652c2aade0]
  /usr/lib/libpython3.14.so.1.0  ( Py_RunMain                                + 0x2c1 )  [0x7f652c25de41]
  /usr/lib/libpython3.14.so.1.0  ( Py_BytesMain                              + 0x3a  )  [0x7f652c25719a]
  /usr/lib/libc.so.6             (                                           + 0x27741)  [0x7f652bc27741]
  /usr/lib/libc.so.6             ( __libc_start_main                         + 0x89  )  [0x7f652bc27879]
  /usr/bin/python                ( _start                                    + 0x25  )  [0x5651031bb045]
---- End of Stack Trace ----
reddit.com
u/vintologi24 — 7 days ago

In linux, software you want to have often needs dependencies that in turn need even more dependencies (and so on) and while having shared libraries obviously does save storage size it comes with the price of less flexibility.

I sometimes have to hold back transmission/qbittorrent from being the most recent version due to the private trackers i want to be able to use not yet having approved the most recent version.

Transmission 4.0.6 in particular has various problems which forced me to remain on version 4.0.5 for far too long which ended up creating issues with other packages (had to use an old version of another package to the point where i was no longer able to have the dolphin emulator installed). I eventually upgraded but i was kinda forced to.

Rather than actually providing for more flexibility when it comes to proper packages (such as letting you also install some older version for software that needs it) the solutions pushed now are flatpaks, appimages and snaps.

https://preview.redd.it/hzess9jk0mzg1.png?width=758&format=png&auto=webp&s=6148bf20b7ccfcb97a67d3b6654f9385f0163aa5

reddit.com
u/vintologi24 — 8 days ago
▲ 6 r/arch

0. The package manager and system is built upon the assumption that you are just going to be using the latest software and packages and for the most part that's fine but sometimes you end up having to use an older version and that can create some problems.

I sometimes have to hold back transmission/qbittorrent from being the most recent version due to the private trackers i want to be able to use not yet having approved the most recent version.

Transmission 4.0.6 in particular has various problems which forced me to remain on version 4.0.5 for far too long which ended up creating issues with other packages (had to use an old version of another package to the point where i was no longer able to have the dolphin emulator installed).

But this might become less of a concern going forward as flatpaks and appimages become more widely used. In the case of y-cruncher i simply downloaded various versions from the official website.

1. I end up having to use the AUR a decent amount due to the official repositories often not having what i need. AUR packages are however not properly vetted and anyone can upload stuff there which creates a risk for supply side attacks (there have already been cases of malware having been uploaded to the AUR).

You are actually supposed to read the package build file and source code in general before installing but a lot of people are obviously not going to do that.

2. The general linux problem of software and games simply not working at all or working poorly due to only/mainly having been released for windows. This seems to be slowly getting better but i have still not found a good option for running cad software (having to boot windows 10/11 for it is obviously not a good option).

reddit.com
u/vintologi24 — 8 days ago

Starting on some distribution not based on arch probably isn't even going to help you that much anyway since a lot of what you learn then wouldn't be transferable anyway, especially not if you start on something like linux mint and don't even learn basic terminal commands.

Yes there can be problems that emerge if you use an arch-based distro but that is the case with any linux distribution and also the case even if you use windows.

https://preview.redd.it/ig3d1gca86zg1.png?width=1503&format=png&auto=webp&s=481272739f196e8fb0d20fed846ca9d161dea8d6

While other distributions can offer better stability that comes at the price of having to wait longer for new software.

Opensuse tumbleweed and fedora are still decently up to date and while those distros (and distros based on them) do seem to make sense for a lot of people that is not about them being beginners, it's simply about what you prefer using.

I don't think debian stable makes sense on desktop though, it's simply too far behind.

reddit.com
u/vintologi24 — 10 days ago

Good distributions:

Arch Linux
CachyOS
EndeavourOS
Garuda Linux

Fedora
Nobara

opensuse tumbleweed

bad:

debian (far too behind to be a good option for desktop).

Manjaro (good idea but awful execution and management, sinking ship)

Trash:

Ubuntu (worse than windows).

Linux mint (shit-lite version of ubuntu) unless you go for the debian edition that belongs in the bad category.

pop! OS.

Any linux that still has not been updated to fix CVE-2026-31431.

reddit.com
u/vintologi24 — 10 days ago

I had one of my windows 10 installs get bricked (probably beyond repair) due to one of my cores going bad (13900KF).

I also had a bad habit of sometimes booting straight into windows 10 to run testmem5 when i had trouble getting to stability in that particular test, seems like i got away with it though.

I never had any issues merely from booting into linux with unstable overclock but i did once brick my Arch Linux install due to running system update with very unstable CPU settings (fixed it by doing a fresh installation on another SSD and then copying the files over to overwrite the corrupt system files).

It might be a good idea to have a separate operating system install to test overclocks but i am not sure what the best option for that actually is. There is also some stuff you can run just from a USB.

Example good stresstests and benchmarks you can run on linux are:

Y-cruncher (very versatile, i have multiple versions installed)
Stressapptest (you can use WSL to run it in windows)
Mprime (linux equivalent of prime95)
OCCT (recently added something similar to testmem5)
Intel MLC (memory benchmark)

Still windows only:

memtest pro (paid)
Aida64 (paid version is better)
Karhu RAM Test (paid)
The original testmem5 (no annoying push towards a subscription).

reddit.com
u/vintologi24 — 11 days ago

I recently checked /sys/firmware/efi/efivars/ and most files there are read only and permissions cannot be changed.

Some of the files can be edited though.

motherboard: msi pro z790-p

I did hear about linux developers having made some files immutable to prevent people from accidentally wrecking their bios with something like "rm -rf /*".

Even having to reset bios would be bad since that would mean having to redo my DDR5 overclock (which i already spent way too much time to get properly stable).

I do sometimes boot windows after disconnecting drives with important data but even that might pose some risk if some of the UEFI data stored on the motherboard can be modified from the operating system.

reddit.com
u/vintologi24 — 11 days ago

Steam OS is currently based on Arch Linux. Other good distributions based on Arch Linux are

CachyOS
EndeavourOS
Garuda Linux

They have made vanilla Arch Linux easier to install (via archinstall) but it's still not quite as user friendly as most distributions based on Arch Linux.

If you don't want to use something based on Arch Linux your best bet might be to opt for Fedora 44 or some distro based on it (Bazzite and Nobara are both based on fedora).

reddit.com
u/vintologi24 — 12 days ago