"Offline OS" Linux distro - is there any?

[RoGeorge]

Many times I only need an offline PC, talking only inside its 100% trusted LAN, never connected to Internet (or to any other unknown components) and never updated or upgraded, with all the hardware features enabled by default (i.e. do not disable speculative execution, whether or not that would be a possible security exploit).

Is there such a distro, optimized for best performance in a 100% trusted and offline LAN?

[rjp]

Id use a minimal debian install for that.
Their is no special thing to do, or special distro, just go small and simple.

[retiredfeline]

You can just take any distro and not give it a gateway route to the Internet, and disable updates so that you don't get complaints.

[Marco]

Lots of things are still improving, like say NVMe support and the code hacks to protect against all the sidechannel attacks are so standard no one is probably even testing without them any more.

So no, such a thing essentially doesn't exist.

[peteru]

If you are willing to be connected online to build the system and then move it off-line for the rest of it's life, then Gentoo can be customised fairly well.

If you need more control than that, you can use OpenEmbedded / Yocto to roll your own. (Warning, steep learning curve.)

[nctnico]

If you are willing to be connected online to build the system and then move it off-line for the rest of it's life, then Gentoo can be customised fairly well.

You can also create minimalistic Debian installs. This website has some info on how to do that + scripts to create a minimal Debian install: https://variwiki.com/index.php?title=Debian_Build_Release&release=RELEASE_BUSTER_V1.2_VAR-SOM-MX8

If you need more control than that, you can use OpenEmbedded / Yocto to roll your own. (Warning, steep learning curve.)

Buildroot / Openembedded are outdated nowadays. Memory has become so cheap that having a super minimalistic Linux environment is not worth the hassle.

[DiTBho]

Debian minimal.

[MrMobodies]

I have found this one from Oracle:
https://yum.oracle.com/oracle-linux-isos.html

Also one of them, the 6.10 release includes Gnome 2.2 which seems like they are still maintaining.

See pictures:

I think that might be Firefox 78 in the screenshot below, updated in February this year but when I initially tried to install it directly from Firefox website it wouldn't run but it worked with the one from Oracle so it looks they are not the same and made some alterations for it to work.

[Whales]

What's your use case software-wise?  Do you want to download a whole mirror's worth of packages first to give you options later, or would this be way too much?  What one person wants for "offline" is different to what another person wants: technically a single-floppy distro with no packages (like tomsrtbt) would match what you are asking for.

N.B. Many/most of the CPU & RAM vulnerability mitigations from the past few years can be turned off by adding mitigations=off to your kernel command line at boot.

[RoGeorge]

Typical use cases will be install once and use that forever, in total isolation, without any software changes.  For example, take an old PC and dedicate it as photo player from CDs only, or reuse old hardware for a local automation loop + video surveillance/wildlife/timelapse where I took the whole disk inside once a year or so, if it were to save the captured data.

Also curious to run a few benchmarks, just to find out how much performance is wasted by security patches.

Many/most of the CPU & RAM vulnerability mitigations from the past few years can be turned off by adding mitigations=off to your kernel command line at boot.

I didn't know that, will try, thank you.   

[Ed.Kloonk]

What about a live instance?

[Whales]

Typical use cases will be install once and use that forever, in total isolation, without any software changes.  For example, take an old PC and dedicate it as photo player from CDs only, or reuse old hardware for a local automation loop + video surveillance/wildlife/timelapse where I took the whole disk inside once a year or so, if it were to save the captured data.

If you want interactive use (ie human at the keyboard): I can't see much that will go too far wrong with any OS, even Windows.  Nonetheless hedge your bets and keep backups of the system (eg a spare disk sitting atop the machine with a clone of its contents).

It sounds like you're more after non-interactive use (ie handy humans not available with chewing gum to fix things).  For this I seriously recommend go for a distro that starts with little.  Eg Alpine, Void.  The less the computer has to do the less that can go wrong.  Distros like Debian and Ubuntu pile on a lot of daemons & complex management/supervision services.

Alpine has a useful feature called lbu that keeps all root disk changes only in RAM until you commit them.  The wiki page for it is overly complicated, really all you have to know is 'lbu diff', 'lbu add' and 'lbu commit'.  If the system borks itself: rebooting at basically any time is very safe, because it will be returned to a known-good condition.  I have this setup for some long-term raspberry pi logging projects; the log data itself is kept on a different/normal partition (ie outside the reach of lbu).

Stick to ext4 for your filesystems.  It has the most amount of amount of human effort put into the testing & automatic recovery tools.

Looking long-long term (towards year 2030+): make sure you're using a distro that builds all packages with 64-bit timestamp code.  Otherwise seconds run out at 2038 (and some calculations involving time break before 2038)

On that note: expect your clocks to drift!  A few seconds per day (~20ppm?) is pretty normal, this can add up to minutes per month.    "Normally" an NTP daemon synchs your clocks over the internet.

Also curious to run a few benchmarks, just to find out how much performance is wasted by security patches.

Phoronix is a good site to read up on the performance effects of various Linux kernel changes.  Eg:

https://www.phoronix.com/scan.php?page=article&item=3900x-9900k-mitigations&num=1
https://www.phoronix.com/scan.php?page=article&item=tiger-lake-mitigations&num=1
https://www.phoronix.com/scan.php?page=news_item&px=Xeon-ICL-Mitigation-Toggle

[PKTKS]

Several folks (me included)  have already been there !!!!! 

In the early days of "LINUX" there were just about half dozen distros.

DEBIAN - REDHAT and Slackware  were the most usable reliable
and  best options...

But !!! Things changed a lot - for some 2 reasons mostly:
= Commercial Linux targeted distros
= Subverted and corrupted *NIX principles to promote fragmentation
and  misuse of the *NIX code base mostly by MS and their BORG culture.

That said it is easy to understand bizarre things like SYSTEMD and that
crappy changes in the code base - subverting GNU tools like autoconf
with meson (capable or running under VisualShitStudio) and promoting
crappy things like Wayland to deprecate Xorg.

** YOUR QUESTION SHOULD BE RE-FORMULATED **

HOW TO GET CONTROL OF MY SYSTEM BACK  

Answer is simple:
- Get rid of SYSTEMD in the very first place.
- No distro using SYSTEMD will never ever put you in control
- Solutions based on "no LAN interface" no GATEWAY will not do that
- UEFI systems can BOOT ANY CRAP using HTTP

So Debian RedHat and BANANA BUNTUS will no longer do that
for us..  For that reason I have ditched them all by 2000s

Your own compiled distro is the answer.. not for newbies...

Several options available... which will vary from
doing yourself a minimal 100% trusted one
or just getting binaries ...

• https://t2sde.org/handbook/html/t2-book.html
• https://www.linuxfromscratch.org/index.html
• https://www.devuan.org/os/packages
• https://artixlinux.org/index.php
• http://www.slackware.com/changelog/current.php?cpu=x86_64

ALL SYSTEMD 100% FREE and offering choices with different
expertise degree levels..

I have made more than a dozen mines... 

SYSTEMD  shit already flushed in the latrine since day one

ALAS.. POTTERIX and MS jerk assholes should go to HELL.. 

Paul 

[golden_labels]

If it’s not going to have internet connectivity and stay at the same version forever, with the same software set installed: use any distribution you already know. Preferrably those which have nothing internet-connecting enabled by default — to avoid log spam. But otherwise: what would be the difference between them?

However, the important question is: is that for your private, home use or for commercial purposes? If the former, fine. If the latter: there is no such thing as “100% secure LAN”. It doesn’t matter it has no internet connection. It doesn’t matter if a vulnerability can be found or even theoretized now: experience shows there likely will be and there is no way you could prevent it.

[GlennSprigg]

When ever i see replies from 'PKTKS', I know that the O.P. is going to see about 25 rants, 15 company/product put-downs
and quite a bit of bad language!!       I take it that he may 'know' a fair bit of stuff, on many levels...  but I can't help feeling
that many O.P.'s not so 'conversant', would feel scared off at times, and not want to ask anything again!   
Just take it easy... stick to a simple friendly answer... and smile in life.  Peace Man !!   

[PKTKS]

nah..   you are  mistaken  a real HATE nourish
after 20/30 years dealing with MS crock of shit...

with simple RANTS...

RANT is for chicks and juveniles ..

I have 30y of  properly nourish HATE...   
and prejudice caused by those jerks..

Paul

[GlennSprigg]

nah..   you are  mistaken  a real HATE nourish
after 20/30 years dealing with MS crock of shit...

with simple RANTS...

RANT is for chicks and juveniles ..

I have 30y of  properly nourish HATE...   
and prejudice caused by those jerks..

Paul

Hmmm...  I always hear what you say... but I only question the 'purpose' behind the 'narrative' mate.
As I said, it is obvious that you may 'know a lot!', and gratis to you for being in such a position...
But you seem to have no compassion/understanding of the sort of 'people' who frequent such Forums/Topics...
They, (we), are here because they want to know more, granted, and even 'you' may not know it all, but it's the way you come
across, sorry mate...  We are Human Beings, and as such, make mistakes in both our thoughts and our actions. That's why we
appear here, and at times appear 'Dumb', but sincerely like to hear from people that can/may help them with their queries... 

I often feel/agree that in so many circumstances, "Why don't you just Google it" !!  But people like to hear from other 'Humans'
about their experiences & ideas...  However, they don't want to feel 'belittled' or 'put-down'...
I know from 1st hand experience in 'Life' in general, that it would be nice to share knowledge & help, but we can DO that in SO
many ways!!  'MY' life is virtually always based on prior learning experiences, and respect. And I remember the actual 'People'
who had contributed to such memories, and made me the Man I am today...  Just answer people's questions... without contempt.

I've said it before, but I'll say it again...  I'm also a Musician, (a guitarist, an old 'folkie'), and the 'sharing' of Musical knowledge is as
much the same as what his 'Forum' is about...

" May you walk, back down the mountain,
  and teach those with Leaden-ed feet,
  to fly"

When you understand that, and live by it, there is no ambiguity in life...