Overview
This post lists software I recommend for various use cases.
Idea blatantly stolen from geck.
Operating systems

| Platform | Software | Notes |
|---|---|---|
| Linux | NixOS | Currently my main operating system. Its main features are declarative system configuration and generational deployment. This not only makes it extremely robust, but it also makes it very easy to copy configurations between devices or restore them after a reinstallation. You can find my NixOS configuration on my Codeberg. |
| | Secureblue | Hardened Fedora Atomic images. One of the best choices for a (relatively) secure Linux desktop and built upon a robust Fedora Atomic base. |
| | Arch Linux | Flexible DIY distro. While I generally prefer NixOS, I’ve enough experience with Arch to recommend it to those who don’t want to learn NixOS’s ins and outs. |
| | GrapheneOS | Hardened Android derivative. The best option for mobile devices. |
| Windows | Windows 11 IoT LTSC | The only somewhat usable version of Windows. I avoid using Windows when I can because I don’t particularly like it. Good luck trying to get your hands on a copy, though; the education edition is probably good enough if you can’t. |

Web browsers

| Platform | Software | Notes |
|---|---|---|
| Fedora | Hardened Chromium | The name is self-explanatory. Uses a set of custom patches as well as patches from GrapheneOS’s Vanadium to reduce the attack surface and increase the security of the standard Fedora Chromium package. |
| Other desktop Linux | Chromium Flatpak | Most other distros do not compile Chromium correctly: they introduce lots of downstream patches that weaken security, compile debug builds instead of production builds, or dynamically link Chromium to unhardened system libraries, thereby severely weakening control flow integrity (CFI). The Chromium Flatpak mitigates some of this by replacing Chromium’s built-in sandboxing with Flatpak’s sandboxing. |
| GrapheneOS | Vanadium | Hardened Chromium-based browser for GrapheneOS. |
| Other Android | Cromite | Chromium-based Android browser with some privacy enhancements. |
| Windows | Microsoft Edge | Edge’s strict enhanced security mode disables just-in-time (JIT) compilation for all sites, massively reducing the attack surface of V8, Chromium’s JavaScript engine. However, the addition of the DrumBrake WebAssembly (WASM) interpreter allows you to still use WASM with enhanced security enabled. This mode also enables use of advanced Windows security features such as Control Flow Guard and Arbitrary Code Guard. Finally, by using Edge you avoid having to trust an extra party, as you would by installing a different browser; you’re already trusting Microsoft by using Windows. |
| | Mozilla Firefox | If you really don’t like the idea of using Edge, the most secure version of Firefox is the Windows one. Make sure to check out my Arkenfox guide to get the most out of Firefox! |

Generally avoid Firefox Mobile and its derivatives, as they are missing
important security features such as site isolation.

With the exception of Edge on Windows, avoid proprietary Chromium-based
desktop browsers such as Opera or Vivaldi, as they generally provide nothing
security-wise over Chromium/Edge while adding attack surface, extra parties
you’re required to trust, and tracking.
Browser extensions

| Software | Notes |
|---|---|
| uBlock Origin Lite | Efficient general-purpose content blocker. Stick to its default filter lists to avoid standing out and prevent the possibility of a malicious filter rule being added; prefer Lite on Chromium-based browsers so that you can completely avoid Manifest V2, improving security. |
| uBlock Origin | |

First rule of browser extensions: less is more. Install as few extensions as
possible; the more you have installed, the greater your attack surface and the
more you stand out. I personally only have a single extension, Bitwarden
password manager, and if Bitwarden Desktop for Linux ever gains the ability to
handle passkey requests from the browser I may consider ditching even that. I
use AdGuard’s public DNS servers to provide ad blocking so that I don’t need to
install uBlock Origin.
Desktop applications

| Use case | Software | Notes |
|---|---|---|
| Text editor/IDE | Neovim | Modern Vim fork with native Lua support. Fast and simple. I personally use a LazyVim-based configuration. |
| | Emacs | Extensible GUI and TUI text editor. Emacs can do anything. I personally use a Doom Emacs-based configuration. |
| | VSCodium | Builds of Code OSS with Microsoft telemetry removed. The most beginner-friendly of these options. |
| Notes | Org mode | Major mode and plain-text file format for Emacs. Similar to Markdown in many ways but a bit more flexible. |
| | Obsidian | Markdown-based note-taking app with a bunch of fancy features. If Obsidian was open-source it would be top 3 software. |
| Music player | Strawberry | Cross-platform open-source Qt-based music player. The default icons are a bit ugly but this can mostly be mitigated on Linux by turning on “system icons”. Strawberry fulfills my two requirements for a music player–Last.fm integration using the newer OAuth API (as opposed to plain-text username and password) and album-order preserving shuffle (e.g. in a playlist of mixed singles and albums, it will shuffle the playlist order but play albums in the original list order)–and is the only Linux music player I’ve found that does so. |
| | foobar2000 | Customizable freeware music player for Windows and macOS. The only other music player I know of that fulfills the two above requirements. If foobar2000 was open-source it would be top 3 software. |
| RSS reader | RSS Guard | Cross-platform open-source Qt-based RSS reader. Extremely featureful and looks really nice with a good Qt theme. |

Mobile applications

| Software | Notes |
|---|---|
| Aegis Authenticator | Open-source multi-factor authenticator. Allows exports and setting a vault password. |
| Aves | Open-source photo gallery. |
| Signal | Private and secure open-source instant messenger. Often considered the gold standard of encrypted real-time communication. |
| KDE Connect | Easily connect your desktop or laptop to your mobile devices. Very useful for sharing notifications and files between devices. |