
63 points theYipster | 1 comments

An install script to create a strong and stable blend of Omarchy on top of CachyOS. You must install CachyOS first (please read the README file.)

Feedback and contributions welcome!

sunshine-o ◴[] No.45247511[source]
Omarchy and CachyOS are very interesting but they do not look serious about security [0] [1].

I mean in this day and age we all agree you need disk encryption (for at least 20 years) but what about SELinux, application sandboxing for example?

Especially for a desktop OS like Omarchy shipped with a bunch of apps and "plugins".

This has been a Linux Desktop weakness for more than a decade (compared to macOS, Windows and Android). App sandboxing is a bit sketchy and hard to get right.

The fact they do not explicitly state their strategy regarding those things makes me believe this is a bit amateurish.

- [0] https://wiki.cachyos.org/cachyos_basic/faq/#security--best-p...

- [1] https://learn.omacom.io/2/the-omarchy-manual/93/security

Galanwe ◴[] No.45247983[source]
> Especially for a desktop OS like Omarchy shipped with a bunch of apps and "plugins".

Omarchy is _just_ a set of scripts to have a nice looking Arch Linux and some helper scripts for day to day tasks. It's not a distribution per se, it doesn't have repositories or packages of its own.

Therefore, your criticism of app sandboxing is more for Arch than Omarchy IMHO.

sunshine-o ◴[] No.45248317[source]
> Therefore, your criticism of app sandboxing is more for Arch than Omarchy IMHO.

I've never been an Arch user but deeply respect the project since their wiki has always been my favorite documentation.

From what I understand Arch is very much DIY, non-opinionated and you need to decide and build the security level / strategy that fits your needs. It seems you can go Flatpak, SELinux but only if you want.

I was kind of lurking for an equivalent of SecureBlue in the Arch world, meaning an Arch derived distro with a strong security posture. Allowing me to get started without worrying too much about it.

1. Galanwe ◴[] No.45248760[source]
At the end of the day, you do you, but my experience with SELinux is that using it on the desktop is vastly overkill.

At a high level, the essence of SELinux is to limit the possibilities of exploitation and escalation by carefully specifying which process can access which resources in which context. Now that makes sense for a server opened to the www, or a host shared with untrusted users. But Omarchy is a _sole developer_ focused flavor of Arch Linux, think your typical dev laptop. There's no service exposed there, you most likely can't even listen on the internet behind your typical home router. The realistic threats that you face are your laptop being stolen (which is why LUKS is a default) or your laptop sitting unlocked (which is why hypridle & hyprlock are a default).

Of course there's always the tails of a compromised software, but it's much more unlikely.