{{Header}}
{{Title|title=
Security Operating System Comparison - {{project_name_short}} vs Debian
}}
{{#seo:
|description=Comparison of {{project_name_long}} with Debian. About security, privacy, usability and hardening-by-default.
|image=Balance-154516-640.png
}}
{{tech_intro_mininav}}
[[File:Balance-154516-640.png|thumb]]
{{intro|
This page contains a detailed comparison of {{project_name_short}} and Debian regarding security hardening, privacy defaults and usability.
}}
= Introduction =
This wiki page compares the security‑focused, hardened defaults of {{project_name_short}} against upstream Debian.

= Security Hardening by Default =

'''Table:''' ''Security Hardening Features''

{| class="wikitable"
|-

! Feature
! Description
! {{project_name_short}}
! Debian
|-

| [[sysmaint|<code>user‑sysmaint‑split</code>]]
| Separate daily and admin accounts by default
| {{Yes}}
| {{No}}
|-

| Improved protection from [[Backdoor#Firmware_Trojan|firmware trojan]]s (a type of [[malware]] / [[Backdoor#Hardware_Backdoor|hardware backdoor]]) and rootkits
| Due to above.
| {{Yes}}
| {{No}}
|-

| Holistic administrative ("[[root]]") account protection
|
* [[Dev/Strong_Linux_User_Account_Isolation#Root_Account_Locked|Root Account Locked]]
* [[Dev/Strong_Linux_User_Account_Isolation#su_restrictions|su restrictions]]
* Protection from [[Dev/Strong_Linux_User_Account_Isolation#sudo_password_sniffing|sudo password sniffing]]
* [[Root#Rationale_for_Protecting_the_Root_Account|Rationale for Protecting the Root Account]]
| {{Yes}}
| {{No}}
|-

| [[SUID Disabler and Permission Hardener]]
| Improves security by disabling SUID binaries, tightening file permissions, and enhancing user account isolation to reduce potential attack surfaces.
| {{Yes}}
| {{No}}
|-

| [[Dev/Strong_Linux_User_Account_Isolation|Strong Linux User Account Isolation]]
| Enforces strict separation between user accounts with protections against privilege escalation, password sniffing, cross-account access, and brute-force attacks.
| {{Yes}}
| {{No}}
|-

| [[Dev/Strong_Linux_User_Account_Isolation#libpam-tmpdir|libpam-tmpdir]]
| Make symlink attacks and other /tmp based attacks harder or impossible.
| {{Yes}}
| {{No}}
|-

| [[Dev/Strong_Linux_User_Account_Isolation#Permission_Lockdown|Permission Lockdown]]
| Permission Lockdown enforces strong user separation by restricting access to other users’ home directories using strict file permissions.
| {{Yes}}
| {{No}}
|-

| [[Dev/Strong_Linux_User_Account_Isolation#umask_hardening|umask hardening]]
| Restrictive <code>umask</code> to tighten file system permissions for newly created files.
| {{Yes}}
| {{No}}
|-

| [[Dev/Strong_Linux_User_Account_Isolation#Console_Lockdown|Console Lockdown]] / [[Dev/Strong_Linux_User_Account_Isolation#.2Fetc.2Fsecuretty|/etc/securetty]] hardening
| Console lockdown reduces the attack surface for console based attacks.
| {{Yes}}
| {{No}}
|-

| [[Dev/Strong_Linux_User_Account_Isolation#Bruteforcing_Linux_Account_Passwords_Protection|Bruteforcing Linux Account Passwords Protection]]
| [[Dev/Strong_Linux_User_Account_Isolation#Online_Password_Cracking_Restrictions|Online Password Cracking Restrictions]] / [[Dev/Strong_Linux_User_Account_Isolation#sudo_restrictions|sudo restrictions]]
| {{Yes}}
| {{No}}
|-

| Default package selection
| Only minimal, no exim/samba/cups by default
| {{Yes}} <ref>See also: [[About#Default security software|Default package selection]]</ref>
| {{No}}
|-

| {{Anchor|torified_updates}}Torified APT upgrades
| APT upgrades run over Tor by default
| {{Yes}} <ref>[[About#torified_updates|See Torified Updates]]</ref>
| {{No}}
|-

| Secure APT sources
| HTTPS APT sources enabled by default
| {{Yes}}
| {{BlueBackground}} Depends. <ref>See footnote: [[About#Secure_Package_Sources_Configuration]].</ref>
|-

| [https://github.com/{{project_name_short}}/tirdad TCP ISN randomization (tirdad)]
| TCP Initial Sequence Numbers Randomization: mitigates TCP ISN-based CPU information leakage; see footnote. <ref>
<blockquote>The Linux kernel has a side-channel information leak bug. It is leaked in any outgoing traffic. This can allow side-channel attacks because sensitive information about a system's CPU activity is leaked. It may prove very dangerous for long-running cryptographic operations. Research has demonstrated that it can be used for de-anonymization of location-hidden services.</blockquote>
</ref>
| {{Yes}}
| {{No}}
|-

| Strong Entropy Generation
| Ensures secure cryptographic operations by providing high-quality randomness. See also [[Dev/Entropy]].
| {{Yes}}
| {{No}}
|-

| [https://github.com/{{project_name_short}}/security-misc <code>security‑misc</code>]
| Kernel hardening, entropy, mount/options, brute‑force protection
| {{Yes}}
| {{No}}
|-

| Secure network time synchronization / Protection from [[Time Attacks]]
| Uses authenticated web‑date protocol / [[Sdwdate#Sdwdate_vs_NTP|sdwdate versus NTP]]
| {{Yes}} ([[sdwdate]])
| {{No}} (NTP)
|-

| [https://github.com/{{project_name_short}}/open-link-confirmation open‑link-confirmation]
| This is enabled by default and prevents links from being unintentionally opened in supported browsers.
| {{Yes}}
| {{No}}
|-

| No open server ports by default
| All unsolicited incoming connections are blocked
| {{Yes}}
| {{No}} <ref>
[[Debian_Tips#Open_Ports|Debian Open Ports]]
</ref>
|-

| [[Full Disk Encryption|{{Fde}}]]
| Enabled by default in installer
| {{Yes}}
| {{BlueBackground}} Depends
|-

| [[Protection_Against_Physical_Attacks|Protection against Physical Attacks]] Audit
| [[systemcheck]]
| {{Yes}} ([[Systemcheck#Physical_Security_Check|Physical Security Check]])
| {{No}}
|-

| [[Recovery#Recovery_Mode|Recovery Mode Lockdown]]
| Disabled Recovery Mode by default.
| {{Yes}}
| {{No}}
|-

| Protects its in-house source code from malicious [[unicode]]
| [https://trojansource.codes/ Some Vulnerabilities are Invisible. Rather than inserting logical bugs, adversaries can attack the encoding of source code files to inject vulnerabilities. These adversarial encodings produce no visual artifacts.]
| {{Yes}} <ref>
* https://github.com/Kicksecure/developer-meta-files/blob/master/usr/bin/dm-check-unicode
* https://forums.whonix.org/t/detecting-malicious-unicode-in-source-code-and-pull-requests/13754/29
</ref>
| {{No}} <ref>
* [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014029 invisible malicious unicode in source code - detection and prevention]
* Most other Linux distributions do not seem to have this issue on the radar either.
</ref>
|-

| [[Trust#canary|Warrant canary]]
| Public statement confirming no secret warrants or gag orders have been served on the project, helping maintain user trust.
| {{Yes}}
| {{No}}
|-

|}

malware analysis / backdoor hunting possible

= Security Tools =
'''Table:''' ''Security Tools''

{| class="wikitable"
|-

! Feature
! Description
! {{project_name_short}}
! Debian
|-

| [[Protection_Against_Physical_Attacks#grub-pwchange|grub-pwchange]]
| <code>grub-pwchange</code> is a GRUB bootloader password management tool for setting a [[Protection_Against_Physical_Attacks#Bootloader_Password|Bootloader Password]].
| {{Yes}}
| {{No}}
|-

| [[Unicode#Searching_Files_and_Folders_for_Unicode|Searching Files and Folders for Unicode]] tools pre-installed
| [[Unicode#grep-find-unicode-wrapper|grep-find-unicode-wrapper]] and [[unicode-show]] pre-installed
| {{Yes}}
| {{No}}
|-

|}

= Usability =

'''Table:''' ''Usability and Convenience''

{| class="wikitable"
|-

! Feature
! Description
! {{project_name_short}}
! Debian
|-

| [[Live Mode]]
| Easily activated from the boot menu, Live Mode discards all data after shutdown, leaving no trace of the session.
| {{Yes}}
| {{No}}
|-

| Calamares installer with improved UX
| Graphical installer offering a user-friendly installation experience with fewer steps and clearer options.
| {{Yes}} <ref>Debian Live uses Calamares; regular D-I does not</ref>
| {{No}}
|-

| Functional APT sources list
| Pre-configured and working APT sources to ensure package updates and installations function out of the box.
| {{Yes}} <ref>Debian default APT source may be broken or incomplete; see [[Debian Tips]]</ref>
| {{No}}
|-

| sudo pre‑configured
| sudo is ready to use without additional setup, allowing safe privilege escalation by default.
| {{Yes}} <ref>See [[Root#Root_Account_Management|Root Account Management]]</ref>
| {{BlueBackground}} Depends.
|-

| bash‑completion, zsh shell
| Command-line enhancements like tab completion and Zsh shell for improved terminal usability.
| {{Yes}}
| {{No}}
|-

| [https://github.com/{{project_name_short}}/vm-config-dist vm-config-dist], [https://github.com/{{project_name_short}}/usability-misc usability‑misc]
| Includes a wide set of usability improvements tailored for virtual machines and privacy-focused workflows.
| {{Yes}}
| {{No}}
|-

| Popular apps pre‑installed
| Frequently used applications are pre-installed with secure defaults for convenience and security.
| {{Yes}} [[Software|with secure defaults]]
| {{No}}
|-

| [[chmod-calc]] pre-installed
| Comprehensive File and Directory Inspection Tool
| {{Yes}}
| {{No}}
|-

|}

= General =

'''Table:''' ''General Comparison''

{| class="wikitable" style="text-align: center;"
|-

! Feature
! Description
! {{project_name_short}}
! Debian
|-

| Open Source distribution
| Freely available source code and licensed under open-source terms.
| {{Yes}}
| {{Yes}}
|-

| Based on Debian
| Built directly on top of Debian for compatibility, stability, and maintainability.
| {{Yes}} ([[Based_on_Debian|Kicksecure is based on Debian]])
| {{BlueBackground}} N/A
|-

| High quality packaging distribution
| Ensures software is secure, reproducible, license-compliant, and well-integrated into the distribution through auditing, patching, and enforcing technical and legal standards. See [[Dev/About_Debian_Packaging#Purpose_of_Packaging|Purpose of Packaging]].
| {{Yes}}
| {{Yes}}
|-

| Based on Linux
| Built on the reliable, secure, and freedom-respecting Linux operating system to leverage its open-source foundation.
| {{Yes}}
| {{Yes}}
|-

| Pre‑installed security tools
| Comes with hardened tools and services for security, privacy, and anonymity.
| [[AppArmor]], [[sdwdate]], [https://github.com/{{project_name_short}}/tirdad tirdad], [https://github.com/{{project_name_short}}/security-misc security-misc]
| Minimal (optional install)
|-

| Secure defaults (network, packages, accounts)
| Defaults favor security: no open ports, limited user privileges, hardened configurations.
| {{Yes}}
| {{No}}
|-

| Target audience
| Designed for users needing strong security and privacy protections.
| Seeking strong defense
| General-purpose users, servers, desktops
|-

| [[About#Implementation_of_the_Securing_Debian_Manual|Implementation of the Securing Debian Manual]]
| Applies relevant recommendations from Debian’s official security manual by default, adapting and modernizing where necessary.
| {{Yes}}
| {{No}}
|-

| Onion service version of website
| Provides a more secure, end-to-end encrypted connection that bypasses traditional DNS and avoids reliance on certificate authorities.
| {{Yes}}
| {{Yes}}
|-

| Comprehensive security [[Documentation]]
| In-depth guides and resources to help users understand, implement, and maintain strong security practices.
| {{Yes}} ([[System_Hardening_Checklist|System Hardening Checklist]])
| {{No}}
|-

| Signed downloads
| All downloads are cryptographically signed, allowing users to verify the authenticity and integrity of releases.
| {{Yes}}
| {{Yes}}
|-

|}

= Freedom and Transparency =

'''Table:''' ''Freedom and Transparency''

{| class="wikitable"
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-

| Open Source
| Users have the right to inspect, modify, and share the entire source code, promoting collective security and privacy benefits.
| {{Yes}}
| {{Yes}}
|-

| Freedom Software
| Includes software that adheres to Free Software Foundation (FSF) approved licenses.
| {{Yes}}
| {{Yes}}
|-

| Research and Implementation Project
| Maintained as a transparent and ongoing security-focused project with public visibility of issues and continual improvement.
| {{Yes}}
| {{No}}
|-

| Fully Auditable
| All software is open for inspection and verification by independent developers and researchers worldwide.
| {{Yes}}
| {{Yes}}
|-

| Complete respect for privacy and user freedom
| No user tracking, no advertising integrations, and no personal data harvesting.
| {{Yes}}
| {{Yes}}
|-

|}

= See Also =

* [[About#Hardening_by_Default|Hardening by Default]]
* [[About#Kicksecure_Development_Goals|Kicksecure Development Goals]]
* [[Full Disk Encryption]]
* [[sysmaint]]
* [[Debian Tips]]

= Footnotes =
<references />
[[Category:Documentation]]
{{Footer}}

You are viewing proxied material from ftp.icm.edu.pl. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.