FYI, the userns images have been (or are about to be) deprecated.
Under the USERNS caption of the FAQ, there's a link to another entry. In there, you may find the following command: `ujust toggle-container-domain-userns-creation`. After invoking this, distrobox should at least start working.
Do you use GNOME?
Yes, I do! I personally prefer GNOME over other DEs anyways, so I'm absolutely fine with that.
They disable GNOME extensions. Did you turn it back on?
They disable the installation of GNOME extensions by users. But, system-wide GNOME extensions are enabled by default. So, GNOME extensions that are found in Fedora's repositories can be installed right out of the box. Thankfully, all my extension needs are taken care of within the extensions found in Fedora's repositories. So, this doesn't constitute a limitation for me. Curiously, I've actually installed extensions through this method ever since I recognized how the other way wasn't remotely as secure. So this (relatively recent) change by secureblue to enforce it upon everyone (at least by default) came as a pleasant surprise.
Did you re-enable XWayland?
Nope. I initially had troubles with playing games through Wine. But I've learned how to use gamescope for that instead. Currently, I'm honestly unaware of anything I'd need XWayland for. Wayland development has definitely come a long way. And while I'm sure some systems and/or workflows don't play nice with it yet, for myself (pure) Wayland is all I need.
Do you use bubblejail?
Currently, I don't think I've got any use for it:
- The only layered packages are the aforementioned GNOME extensions. I'm unaware if bubblejail can be used to sandbox these. But I'll look into it. Thanks for bringing this up!
- My GUI apps are taken care of by Flatpak. Which, AFAIK, utilizes bubblewrap already for its sandboxing.
- My CLI apps are taken care of by Linuxbrew. Perhaps these can be sandboxed using bubblejail, but I wouldn't even know. Thanks for reminding me of this (potential) blindspot!
Also, I’ve heard about the dev(s) and community being a bit toxic, or at least not being a pleasure to collaborate with. But I can’t verify that.
FWIW, this hasn't been my own experience. If anything, it may give off some "know-better" vibes like one might recognize from engaging with some of GrapheneOS' community members.
Is anybody in this sub using Fedora Secureblue?
I do. And have done so for almost a year now.
What is your opinion?
It's pretty neat. Though, don't expect to roll your way in without any troubles if you don't take the effort to read its documentation. Fedora Atomic already does things its own way. However, secureblue, by virtue of its superior security standard, adds its own set of 'rules' that one should abide by. Personally, I absolutely love how this is enforced. But I can understand why it might be a bit overwhelming for those new on the block. But I have personally helped introduce relative newbs to secureblue and they managed (with some help). So you should be fine; their community on Discord has also been pretty helpful in my experience.
So, if your first priority for your desktop operating system is for it to be Linux-based and your second priority is that it's properly hardened, then you simply can't go wrong with secureblue.
I was about to write a long piece comparing different security-focused systems, but I retracted for the sake of brevity. Please feel free to ask a specific comparison if you will.
Sorry for late response.
Also didn’t know about secureblue
Yup. It's a relatively new project and doesn't try to be very newbie-friendly. Hence, will not be talked about commonly in threads. Rightfully so, as I'd argue exquisitely hardened systems simply have to prefer security over convenience.
But it's definitely neat and had its fair share of users. As the folks over at GrapheneOS and Privacy Guides seem to be enthusiastic on it, I wouldn't be surprised if it receives a new influx/stream of users once community members of GOS have launched a dedicated website on it (which is already in the works) and the peeps responsible for PG's recommendations have finally included secureblue as their de facto Linux recommendation.
hopefully it can all work together
So do I 😊!
Thank you for the chitchat! I wish you the best!
That sounds a bit funny, when those technologies are just (despite me not liking to use this term) inferior
Perhaps I should have worded that better 😅. It was meant as a textbook example of status quo bias; anything found by default on a 'product' that's deliberately opinionated will see its audience gravitate towards said defaults. Even if those defaults are inferior to other options.
So, in this case, uBlue initially had a script within `ujust` (or `just`) that installed the Nix package manager. It wasn't necessarily the perfect fit, but it definitely had its use cases:
- Installation of CLI software was better handled by Nix than the alternatives (read: either Toolbx/Distrobox or layering with `rpm-ostree`).
- Flatpak was even more restricted than today. So Nix offered an additional avenue for installing GUI software without layering.
- The nixpkgs repository supersedes even Fedora's own repositories in terms of available packages, effectively making it their atomic AUR.
But then, not long after the troubling conflicts between Nix and SELinux, brew was inaugurated as the de facto alternative for CLI and the rest is history.
in terms of packaging, only flatpak really shines because of its embedded permission model
Yup, can't agree more.
Yeah, I think you should at least give it a shot and see how you like it, it’s not as easy right out of the box as the other 2 you mentioned, of course, so you should find out for yourself what you feel more comfortable using.
FWIW, I have actually used Nix sparingly in the past. IIRC, it broke on me at some point 😅. That could be on me, though. Unfortunately, I don't recall the details. It could also be related to the hardening found on secureblue.
lol. I initially had a better written reply that I was about to send, but I clicked on cancel instead of reply. RIP.
First of all, thank you for sharing your own experiences!
Secondly, in short, looking at the discord servers that are related to the uBlue project, general folk seem to have moved past Nix and use flatpak and brew instead for GUI and CLI respectively. Though, some community members happily report to be content with Nix. So, perhaps I shouldn't be necessarily opposed to home-manager.
Finally, I didn't expect to find a crossover between brew and chezmoi to effectively become a quasi-home-manager.
Honestly, you could be absolutely right. I haven't revisited Nix since Bazzite Buzz #12 informed us on the following:
"The Nix `ujust` script has also been removed due to conflicts with SELinux policies. Users can still install the Nix package manager manually if they so desire at their own risk."
However, the above could be outdated; I simply don't know. Are you aware of any developments that have changed things for the better?
So, the basic premise of the impermanence module is to flush all state on (re)boot. By default, NixOS is already capable of rebuilding your entire system from the config file(s). The impermanence module simply aids in achieving the desired system workflow for no state without reinventing the wheel. In effect, it's as if you've just done a reinstall and set up everything as you like. But you get to experience this on every reboot. For someone that's perpetually disturbed by state, which has been the case since my Windows days*, this would finally grant me the peace of mind that I've been yearning for for years. So, to answer your question, it would help me get (at least one step) closer to stateless Fedora Atomic without giving up general usability.
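As an added illustration of the workflow described above (this is example configuration written for this thread, not the commenter's own config or anything shipped by the impermanence project), here is the shape a minimal NixOS setup takes: the root filesystem is a tmpfs that is empty on every boot, and only an explicitly allow-listed set of paths is bind-mounted back in from a persistent volume. The mount point `/persistent`, the device labels and the list of persisted paths are assumptions chosen for the example.

```nix
{ config, lib, pkgs, ... }:

{
  # The impermanence module is assumed to be pulled in via your flake inputs
  # or fetched source; the exact import line depends on how you obtain it.
  imports = [ <impermanence-module-path>/nixos.nix ];

  # Root is a tmpfs: everything written here is gone after a reboot.
  fileSystems."/" = {
    device = "none";
    fsType = "tmpfs";
    options = [ "defaults" "size=25%" "mode=755" ];
  };

  # /nix and /boot survive reboots; the labels are assumed for this example.
  fileSystems."/nix" = {
    device = "/dev/disk/by-label/nix";
    fsType = "ext4";
  };
  fileSystems."/boot" = {
    device = "/dev/disk/by-label/boot";
    fsType = "vfat";
  };

  # Everything that must persist lives on one volume, marked neededForBoot
  # so the bind mounts below are available early enough.
  fileSystems."/persistent" = {
    device = "/dev/disk/by-label/persistent";
    fsType = "ext4";
    neededForBoot = true;
  };

  # The allow-list: state not named here does not outlive a reboot.
  environment.persistence."/persistent" = {
    hideMounts = true;
    directories = [
      "/var/log"                 # keep logs for forensics after a reboot
      "/var/lib/nixos"           # stable uid/gid allocation
      "/var/lib/systemd/coredump"
      "/etc/NetworkManager/system-connections"
    ];
    files = [
      "/etc/machine-id"          # journald and systemd expect a stable id
      "/etc/ssh/ssh_host_ed25519_key"
      "/etc/ssh/ssh_host_ed25519_key.pub"
    ];
  };
}
```

Anything that is not in `directories` or `files` is effectively reset to the declarative configuration on every boot, which is what makes "it's as if you've just done a reinstall" hold; in practice the list above is the part you iterate on, adding a path each time you discover state you actually wanted to keep.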
You would have been right if the entire filesystem were to be immutable. However, for Fedora Atomic, `/var` and `/etc` are writable. Thankfully so, as most people wouldn't want a totally locked down operating system. Heck, no general-purpose distro (or OS otherwise) tries to achieve that level of immutability by default.
Try invoking `ujust distrobox-assemble` first. This command is also found on the FAQ page. Enter the container created through this method.