{{Header}}
{{Title|title=
Security Operating System Comparison - {{project_name_short}} vs Debian
}}
{{#seo:
|description=Comparison of {{project_name_long}} with Debian. About security, privacy, usability and hardening-by-default.
|image=Balance-154516-640.png
}}
{{tech_intro_mininav}}
[[File:Balance-154516-640.png|thumb]]
{{intro|
This page contains a detailed comparison of {{project_name_short}} and Debian regarding security hardening, privacy defaults and usability.
}}
= Introduction =
This wiki page compares the security‑focused, hardened defaults of {{project_name_short}} against upstream Debian.
= Security Hardening by Default =
'''Table:''' ''Security Hardening Features''
{| class="wikitable"
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
| [[sysmaint|user‑sysmaint‑split]]
| Separate daily and admin accounts by default
| {{Yes}}
| {{No}}
|-
| Improved protection from [[Backdoor#Firmware_Trojan|firmware trojan]]s (a type of [[malware]] / [[Backdoor#Hardware_Backdoor|hardware backdoor]]) and rootkits
| Due to above.
| {{Yes}}
| {{No}}
|-
| Holistic administrative ("[[root]]") account protection
|
* [[Dev/Strong_Linux_User_Account_Isolation#Root_Account_Locked|Root Account Locked]]
* [[Dev/Strong_Linux_User_Account_Isolation#su_restrictions|su restrictions]]
* Protection from [[Dev/Strong_Linux_User_Account_Isolation#sudo_password_sniffing|sudo password sniffing]]
* [[Root#Rationale_for_Protecting_the_Root_Account|Rationale for Protecting the Root Account]]
| {{Yes}}
| {{No}}
|-
| [[SUID Disabler and Permission Hardener]]
| Improves security by disabling SUID binaries, tightening file permissions, and enhancing user account isolation to reduce potential attack surfaces.
| {{Yes}}
| {{No}}
|-
| [[Dev/Strong_Linux_User_Account_Isolation|Strong Linux User Account Isolation]]
| Enforces strict separation between user accounts with protections against privilege escalation, password sniffing, cross-account access, and brute-force attacks.
| {{Yes}}
| {{No}}
|-
| [[Dev/Strong_Linux_User_Account_Isolation#libpam-tmpdir|libpam-tmpdir]]
| Make symlink attacks and other /tmp based attacks harder or impossible.
| {{Yes}}
| {{No}}
|-
| [[Dev/Strong_Linux_User_Account_Isolation#Permission_Lockdown|Permission Lockdown]]
| Permission Lockdown enforces strong user separation by restricting access to other users’ home directories using strict file permissions.
| {{Yes}}
| {{No}}
|-
| [[Dev/Strong_Linux_User_Account_Isolation#umask_hardening|umask hardening]]
| Restrictive umask to tighten file system permissions for newly created files.
| {{Yes}}
| {{No}}
|-
| [[Dev/Strong_Linux_User_Account_Isolation#Console_Lockdown|Console Lockdown]] / [[Dev/Strong_Linux_User_Account_Isolation#.2Fetc.2Fsecuretty|/etc/securetty]] hardening
| Console lockdown reduces the attack surface for console based attacks.
| {{Yes}}
| {{No}}
|-
| [[Dev/Strong_Linux_User_Account_Isolation#Bruteforcing_Linux_Account_Passwords_Protection|Bruteforcing Linux Account Passwords Protection]]
| [[Dev/Strong_Linux_User_Account_Isolation#Online_Password_Cracking_Restrictions|Online Password Cracking Restrictions]] / [[Dev/Strong_Linux_User_Account_Isolation#sudo_restrictions|sudo restrictions]]
| {{Yes}}
| {{No}}
|-
| Default package selection
| Only minimal, no exim/samba/cups by default
| {{Yes}} [See also: [[About#Default security software|Default package selection]]]
| {{No}}
|-
| {{Anchor|torified_updates}}Torified APT upgrades
| APT upgrades run over Tor by default
| {{Yes}} [[[About#torified_updates|See Torified Updates]]]
| {{No}}
|-
| Secure APT sources
| HTTPS APT sources enabled by default
| {{Yes}}
| {{BlueBackground}} Depends. [See footnote: [[About#Secure_Package_Sources_Configuration]].]
|-
| [https://github.com/{{project_name_short}}/tirdad TCP ISN randomization (tirdad)]
| TCP Initial Sequence Numbers Randomization: mitigates TCP ISN-based CPU information leakage; see footnote. [
]The Linux kernel has a side-channel information leak bug. It is leaked in any outgoing traffic. This can allow side-channel attacks because sensitive information about a system's CPU activity is leaked. It may prove very dangerous for long-running cryptographic operations. Research has demonstrated that it can be used for de-anonymization of location-hidden services.
| {{Yes}}
| {{No}}
|-
| Strong Entropy Generation
| Ensures secure cryptographic operations by providing high-quality randomness. See also [[Dev/Entropy]].
| {{Yes}}
| {{No}}
|-
| [https://github.com/{{project_name_short}}/security-misc security‑misc]
| Kernel hardening, entropy, mount/options, brute‑force protection
| {{Yes}}
| {{No}}
|-
| Secure network time synchronization / Protection from [[Time Attacks]]
| Uses authenticated web‑date protocol / [[Sdwdate#Sdwdate_vs_NTP|sdwdate versus NTP]]
| {{Yes}} ([[sdwdate]])
| {{No}} (NTP)
|-
| [https://github.com/{{project_name_short}}/open-link-confirmation open‑link-confirmation]
| This is enabled by default and prevents links from being unintentionally opened in supported browsers.
| {{Yes}}
| {{No}}
|-
| No open server ports by default
| All unsolicited incoming connections are blocked
| {{Yes}}
| {{No}} [
[[Debian_Tips#Open_Ports|Debian Open Ports]]
]
|-
| [[Full Disk Encryption|{{Fde}}]]
| Enabled by default in installer
| {{Yes}}
| {{BlueBackground}} Depends
|-
| [[Protection_Against_Physical_Attacks|Protection against Physical Attacks]] Audit
| [[systemcheck]]
| {{Yes}} ([[Systemcheck#Physical_Security_Check|Physical Security Check]])
| {{No}}
|-
| [[Recovery#Recovery_Mode|Recovery Mode Lockdown]]
| Disabled Recovery Mode by default.
| {{Yes}}
| {{No}}
|-
| Protects its in-house source code from malicious [[unicode]]
| [https://trojansource.codes/ Some Vulnerabilities are Invisible. Rather than inserting logical bugs, adversaries can attack the encoding of source code files to inject vulnerabilities. These adversarial encodings produce no visual artifacts.]
| {{Yes}} [
* https://github.com/Kicksecure/developer-meta-files/blob/master/usr/bin/dm-check-unicode
* https://forums.whonix.org/t/detecting-malicious-unicode-in-source-code-and-pull-requests/13754/29
]
| {{No}} [
* [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014029 invisible malicious unicode in source code - detection and prevention]
* Most other Linux distributions do not seem to have this issue on the radar either.
]
|-
| [[Trust#canary|Warrant canary]]
| Public statement confirming no secret warrants or gag orders have been served on the project, helping maintain user trust.
| {{Yes}}
| {{No}}
|-
|}
malware analysis / backdoor hunting possible
= Security Tools =
'''Table:''' ''Security Tools''
{| class="wikitable"
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
| [[Protection_Against_Physical_Attacks#grub-pwchange|grub-pwchange]]
| grub-pwchange is a GRUB bootloader password management tool for setting a [[Protection_Against_Physical_Attacks#Bootloader_Password|Bootloader Password]].
| {{Yes}}
| {{No}}
|-
| [[Unicode#Searching_Files_and_Folders_for_Unicode|Searching Files and Folders for Unicode]] tools pre-installed
| [[Unicode#grep-find-unicode-wrapper|grep-find-unicode-wrapper]] and [[unicode-show]] pre-installed
| {{Yes}}
| {{No}}
|-
|}
= Usability =
'''Table:''' ''Usability and Convenience''
{| class="wikitable"
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
| [[Live Mode]]
| Easily activated from the boot menu, Live Mode discards all data after shutdown, leaving no trace of the session.
| {{Yes}}
| {{No}}
|-
| Calamares installer with improved UX
| Graphical installer offering a user-friendly installation experience with fewer steps and clearer options.
| {{Yes}} [Debian Live uses Calamares; regular D-I does not]
| {{No}}
|-
| Functional APT sources list
| Pre-configured and working APT sources to ensure package updates and installations function out of the box.
| {{Yes}} [Debian default APT source may be broken or incomplete; see [[Debian Tips]]]
| {{No}}
|-
| sudo pre‑configured
| sudo is ready to use without additional setup, allowing safe privilege escalation by default.
| {{Yes}} [See [[Root#Root_Account_Management|Root Account Management]]]
| {{BlueBackground}} Depends.
|-
| bash‑completion, zsh shell
| Command-line enhancements like tab completion and Zsh shell for improved terminal usability.
| {{Yes}}
| {{No}}
|-
| [https://github.com/{{project_name_short}}/vm-config-dist vm-config-dist], [https://github.com/{{project_name_short}}/usability-misc usability‑misc]
| Includes a wide set of usability improvements tailored for virtual machines and privacy-focused workflows.
| {{Yes}}
| {{No}}
|-
| Popular apps pre‑installed
| Frequently used applications are pre-installed with secure defaults for convenience and security.
| {{Yes}} [[Software|with secure defaults]]
| {{No}}
|-
| [[chmod-calc]] pre-installed
| Comprehensive File and Directory Inspection Tool
| {{Yes}}
| {{No}}
|-
|}
= General =
'''Table:''' ''General Comparison''
{| class="wikitable" style="text-align: center;"
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
| Open Source distribution
| Freely available source code and licensed under open-source terms.
| {{Yes}}
| {{Yes}}
|-
| Based on Debian
| Built directly on top of Debian for compatibility, stability, and maintainability.
| {{Yes}} ([[Based_on_Debian|Kicksecure is based on Debian]])
| {{BlueBackground}} N/A
|-
| High quality packaging distribution
| Ensures software is secure, reproducible, license-compliant, and well-integrated into the distribution through auditing, patching, and enforcing technical and legal standards. See [[Dev/About_Debian_Packaging#Purpose_of_Packaging|Purpose of Packaging]].
| {{Yes}}
| {{Yes}}
|-
| Based on Linux
| Built on the reliable, secure, and freedom-respecting Linux operating system to leverage its open-source foundation.
| {{Yes}}
| {{Yes}}
|-
| Pre‑installed security tools
| Comes with hardened tools and services for security, privacy, and anonymity.
| [[AppArmor]], [[sdwdate]], [https://github.com/{{project_name_short}}/tirdad tirdad], [https://github.com/{{project_name_short}}/security-misc security-misc]
| Minimal (optional install)
|-
| Secure defaults (network, packages, accounts)
| Defaults favor security: no open ports, limited user privileges, hardened configurations.
| {{Yes}}
| {{No}}
|-
| Target audience
| Designed for users needing strong security and privacy protections.
| Seeking strong defense
| General-purpose users, servers, desktops
|-
| [[About#Implementation_of_the_Securing_Debian_Manual|Implementation of the Securing Debian Manual]]
| Applies relevant recommendations from Debian’s official security manual by default, adapting and modernizing where necessary.
| {{Yes}}
| {{No}}
|-
| Onion service version of website
| Provides a more secure, end-to-end encrypted connection that bypasses traditional DNS and avoids reliance on certificate authorities.
| {{Yes}}
| {{Yes}}
|-
| Comprehensive security [[Documentation]]
| In-depth guides and resources to help users understand, implement, and maintain strong security practices.
| {{Yes}} ([[System_Hardening_Checklist|System Hardening Checklist]])
| {{No}}
|-
| Signed downloads
| All downloads are cryptographically signed, allowing users to verify the authenticity and integrity of releases.
| {{Yes}}
| {{Yes}}
|-
|}
= Freedom and Transparency =
'''Table:''' ''Freedom and Transparency''
{| class="wikitable"
|-
! Feature
! Description
! {{project_name_short}}
! Debian
|-
| Open Source
| Users have the right to inspect, modify, and share the entire source code, promoting collective security and privacy benefits.
| {{Yes}}
| {{Yes}}
|-
| Freedom Software
| Includes software that adheres to Free Software Foundation (FSF) approved licenses.
| {{Yes}}
| {{Yes}}
|-
| Research and Implementation Project
| Maintained as a transparent and ongoing security-focused project with public visibility of issues and continual improvement.
| {{Yes}}
| {{No}}
|-
| Fully Auditable
| All software is open for inspection and verification by independent developers and researchers worldwide.
| {{Yes}}
| {{Yes}}
|-
| Complete respect for privacy and user freedom
| No user tracking, no advertising integrations, and no personal data harvesting.
| {{Yes}}
| {{Yes}}
|-
|}
user freedom restrictions auch as refusal of administrative rights
tivoization
obey user settings value and development goal
= See Also =
* [[About#Hardening_by_Default|Hardening by Default]]
* [[About#Kicksecure_Development_Goals|Kicksecure Development Goals]]
* [[Full Disk Encryption]]
* [[sysmaint]]
* [[Debian Tips]]
= Footnotes =
[[Category:Documentation]]
{{Footer}}