The State of Schleswig-Holstein Is Consistently Relying on Open Source
Key topics
As Schleswig-Holstein ditches Microsoft for open-source solutions, commenters weigh in on the strategic benefits and bureaucratic hurdles of such a move. Some argue that switching to Linux is crucial for national sovereignty, citing concerns over industrial espionage and sabotage, while others point out that entrenched bureaucracies can stifle innovation and make it difficult to capitalize on the flexibility of open-source software. A lively debate ensues, with some sharing personal anecdotes about navigating the complexities of in-house software management and others highlighting the potential for cost savings and increased control through centralized package management. The discussion highlights the complexities of large-scale software adoption and the trade-offs between security, flexibility, and bureaucratic red tape.
Snapshot generated from the HN discussion
Discussion activity: very active discussion, based on 160 loaded comments. First comment 27m after posting; peak period 0-12h with 141 comments; average 26.7 comments per period.
Key moments
- Story posted: Dec 7, 2025 at 8:21 AM EST (26 days ago)
- First comment: Dec 7, 2025 at 8:48 AM EST (27m after posting)
- Peak activity: 141 comments in 0-12h (hottest window of the conversation)
- Latest activity: Dec 13, 2025 at 9:56 AM EST (20 days ago)
Imagine how Open Source Software could improve if a consortium of nations put their money and resources into commissioning bug fixes and enhancements, which would be of collective benefit.
Apart from a few niche cases, the needs of most government bureaucracies would be well served by currently available OSS word processing, spreadsheet, presentation and graphics software.
There are also practical advantages: the ability to fix a bug in-house instead of waiting for a technology giant from another continent.
Yes, but bureaucracies make this impossible. If you have worked at a bank before, you'll know how difficult it is to make a change to some in-house piece of software. And that's a bank, not a gov't institution. Think how much more friction there will be in the latter.
If all the software one institution uses comes in the form of proprietary binaries, there is simply no need to even think about making policies about fixing those systems in-house.
Once that’s in place, the process for populating that repository can easily adopt locally modified versions of upstream software: defaults changed, bugs removed, features added, etc.
No one in a big business/government blinks at changing group policies for internal deployment. Changing the code is really very little different once the ability to do so is internalized.
Good: I already wrote a script to fix the exact same issue.
Bad: It was in a pile of old stuff from 10+ years ago.
Good: It worked anyway.
Bad: The bank still has the same bug.
Here's an article from the same newspaper that showed up to me as "related" when browsing TFA:
https://www.heise.de/en/news/Criminal-Court-Microsoft-s-emai...
Germans have been quite riled up by US escapades
I think everyone agrees the costs are high, especially beyond monetary ones, but this stance on avoiding these costs is slowly pushing everyone into finding out how expensive not having sovereignty is.
Through its tech industry the US has over time acquired too much power over critical digital infrastructure that has already compromised governments. We know of Presidents/PMs/Legislators spied upon through their phones and computers, and also Microsoft itself involved in revoking email access to the ICC's chief prosecutor as retaliation/defense against investigations.
Sovereignty is too important for government, and since everyone needs to do it and get security right, going for open source with funded development and constant auditing is in my mind the only way.
Where did you see flashy UIs? Modern UIs are boring flat geometric monochrome shit and Microsoft is one of the worst there.
Not to mention companies who moved on to Google Docs or the web version of Office. Or companies who moved to MacOS 15-10 years ago.
In my state back home the entire workforce moved to LibreOffice and, according to my sister (a government worker), everyone is doing fine.
This hypothetical problem of "needs training" only seems to exist when you mention the words "open source".
What happens when major OSS projects are controlled by the governments themselves? Will David still beat Goliath?
I feel that you wrote some words that only seem to make sense if we don't think about them too much.
Could the government also dictate the operating system and software people use to make sure it is the state sponsored one? If I’m not mistaken some similar actions have happened in N Korea and China.
I’m not saying this is an inevitable outcome, but just trying to think of worst case scenarios. A lot of terrible things have started with good intentions.
That’s not far from how it is right now in OSS, even without governments in the chain. For example: how the xz back door was found: https://en.wikipedia.org/wiki/XZ_Utils_backdoor
Now a lot of people would be angry if my state decided to spend money on security flaws. I imagine an elected representative trying to explain how they wanted to misspend funds allocated to improve software and plant flaws instead. That would not go down well here or in Germany. Try to hire people for this in Germany and see how long you last till your little op is public.
A government can control a piece of open source software the same way a big tech company does - with economies of scale. In other words, by throwing more money, resources, and warm bodies at their open source projects than anybody else.
The code itself might be under an open license, but project governance is free to remain self-interested and ignorant of the needs of the "community."
Any pull request accepted from outside isn't a mutual exchange of developer labor for the benefit of all, but the company successfully tricking an outside developer into doing free work for them.
Any pull request that runs counter to the interests of the company can and will be ignored or rejected, no matter how much effort was put into it or how much it would benefit other users.
Any hostile forks are going to be playing a catch-up game, as community efforts cannot outpace the resources of most large companies.
(Gentle reminder to subscribe to donate to a FOSS project or two that you use.)
Because in my experience, the projects that I can think of that switch to open core are those that are started by smaller businesses when a large multinational tech company starts to mess with their revenue streams.
In that case, I don't fault them in the slightest. As a matter of fact, I think these days it's now a sucker's bet to build a company around an open source product. Free software? Maybe. Source available or open core from the start? Possibly. A fully permissive license that in the outside chance my product is successful, suddenly puts me in competition with Amazon and Microsoft, so they can kill my business with my own software? Forget about it.
I think the main reason they do that is because AGPL is a turnoff for a noticeable chunk of corporate users, and you do want those users. Dual licensing should work here in theory, and does work in practice for some – no idea why we don’t see it more often. (I have a project-not-quite-startup-anymore [1] under AGPL, but I do keep around a CLA for outside contributors just in case.)
[1]: https://lunni.dev/
It’s been widely speculated that there are gentleman’s agreements where strategic bugs do not get fixed. To Apple’s credit, unlike say BlackBerry, they designed iMessage where many of the intercept methods are tamper evident.
Where does this kind of conspiracy thinking come from?
Simple business incentives will tell you this is extremely, incredibly unlikely.
Microsoft is a for-profit corporation. If it ever used such a switch, customers would never trust it again, and its global sales would plummet. It would be corporate suicide.
In fact, such a "switch" is the kind of thing a corporation would make sure they didn't have, precisely so some future US administration could never pressure them into using it. Microsoft is a global corporation that doesn't want the US interfering with its money-making.
Indeed, the entire point of the big cloud companies offering "sovereign" clouds in Europe is precisely to guarantee to customers that the US government can't order them to do anything about them, because of the way the legal control structures are set up.
then https://news.ycombinator.com/item?id=45837342 - ICC ditches Microsoft 365 for openDesk
Microsoft pledged not to intervene like that again, reclassifying its legal interpretation of its own services, and added language to its contracts to guarantee that it would fight future US attempts to do so:
https://www.politico.eu/article/microsoft-did-not-cut-servic...
When the US manages to force Microsoft to do something, it responds by trying to protect itself from the same scenario in the future. Because it wants profits. The ICC leaving Microsoft is the last thing Microsoft wanted.
Actually there is, that's what the entire point of the sovereign clouds are. They reside physically in Europe, with legal control by Europeans, and European employees that can't be bossed around by the US. If the US orders Amazon to retrieve data from S3 servers located in a European sovereign cloud, Amazon employees in the US don't have the technical capability to do so, and the European data center employees are legally bound not to.
Employees have bosses and those bosses have bosses, and those bosses have bosses in the US. If not direct bosses, then at least people higher up in the context of all of Microsoft, who can pull strings, criticize them, categorize them as unreliable, and make their life hard, or even bring into motion that they are made to give up their position or are let go. Most people don't want a hard life at the job and be bullied. It is likely, that people joining Microsoft don't have the strongest moral compass anyway, so them sticking their neck out for European data protection, and losing what comfy life they have, including probably exceptional ...
Company politics are not to be underestimated. The question becomes who selects and vetoes higher ups in those sovereign clouds.
European governments cannot trust US companies, even when they have inner-EU parts, because influence from the US cannot be ruled out.
"Microsoft admits it 'cannot guarantee' data sovereignty: Under oath in French Senate, exec says it would be compelled – however unlikely – to pass local customer info to US admin"
> Where does this kind of conspiracy thinking come from?
Now you say
> Microsoft pledged not to intervene like that again
You are full of it
Not appropriate for HN:
https://news.ycombinator.com/newsguidelines.html
People don't want political interference between countries to happen again and you're calling it "conspiracy thinking".
The snark of the above poster is the least problematic thing here.
So in light of that actual evidence, yes I am calling it conspiracy thinking to suggest that Microsoft has built in some kind of kill switch to make it easier for the government to do things that are against its corporate interest. Because that's literally what it is -- imagining some kind of conspiracy where Microsoft wants to help the US government, instead of its own bottom line.
Explain to me what's problematic about that?
IMO that's what we should be better than.
And I get what you're arguing for, I just don't see it as plausible or realistic.
Meanwhile, OP asserted they are "sure" Microsoft could do it at the "flick of a switch". Under orders from the US government.
That's absurd. If that's not conspiracy thinking, I don't know what is. A literal conspiracy between the two entities. When something is actually conspiracy thinking, you're allowed to label it as such, you know? You're trying to police ideas here, and that's entirely inappropriate. Be better.
https://www.heise.de/en/news/How-a-French-judge-was-digitall...
and it can demand access to data:
https://www.theregister.com/2025/07/25/microsoft_admits_it_c...
No, they are doing what they can to convince customers that they are trying to protect themselves against government actions.
In fact it's all smoke and mirrors. See the second link. AWS have admitted that the Cloud Act does allow the US government to compel access to French data.
The news in your jurisdiction might not cover these matters
https://www.breakingnews.ie/world/trump-sanctions-on-interna...
https://news.ycombinator.com/item?id=46182023
Also, how about less snark about the "news in my jurisdiction"? Since the first amendment provides more press freedoms than many European countries have.
Wait until they find out that there is no "customer service" in OSS. Sometimes the project is fine but people need "someone" to be held accountable in some ways.
That's why a lot of OSS projects never take flight.
But the OS is not where Microsoft's power lies. It's in Exchange (almost everywhere cloud managed, including for many governments) and SharePoint, with a small amount of Teams, where Microsoft is truly a scary prospect for sovereignty.
I can't log on to a Windows computer if the cloud account doesn't exist? What if there's no internet?
There are some unofficial hacks to bypass the online account requirement, but MS have been actively stamping these out. Now the current situation isn't like it's impossible to bypass this, mind you (as far as I'm aware there's at least a couple of workarounds), but normal users won't know/care and will end up just creating an online account.
Surely that is something only a criminal would say.
Via updates they can install and run anything they want ... aka 'kill switch'.
The short-term fear should be in enterprise cloud (see ICC judges). The long-term pain lies in blocking security updates (as happened to Russia). One might worry about malicious updates being pushed, but the legal grounds for that are flimsy to non-existent, and Microsoft has very strong business reasons to push back. So even the Trump administration would be smart enough to instead target the cloud solutions, since the legal precedent is very clear and well lubricated ("providing services to sanctioned entities"), and the business impact is equally crippling.
I think governance (both public and private) would benefit from open tools to manage communities at scale via technology.
What would happen instead, and has happened in the past, is Microsoft (or juniper, etc) leaving a remote vulnerability unpatched while certain groups use that exploit. It's much more deniable. So deniable, that it's impossible to say for certain that it was intentional.
It's more practical to audit FOSS systems for bugs than a Microsoft solution, and the tools for doing so are open source and getting even better every day. Like you said, sharing the burden helps with cost: It also helps with the trust issue. Going one step further, formally verified software solutions are possible (and exist!). Good luck getting that from Microsoft, they ship a calculator that needs updates and internet access to run.
This is the business model of Quansight Labs, whose employees help maintain much of the scientific python stack. Mostly tech companies, not governments, sponsoring the work
Despite all the talk about sovereign cloud the actual governments are actually going the other way.
1. The Online Safety Act in the UK pushes people to use big tech more rather than run stuff independently - the forums that moved to social media.
2. EU regulatory requirements that help the incumbents: https://www.theregister.com/2025/10/27/cispe_eu_sovereignty_...
3. ID apps in multiple countries that require installs from Google or Apple stores, and only run on their platforms.
4. The push to cashless which means increased reliance on Visa, Mastercard, Apple and Google.
To be clear I do not think that any of these things are in the public interest. However the government is not the public, and the public (and probably a lot of the government) has deeply ingrained learned helplessness about technology.
Linux for starters, however even that has too many US contributions.
In general, we need to go back to the cold war days, multiple OSes and programming languages governed by international standards, with local vendors.
If sovereignty is desired, it can't stop at Office packages.
Isn't the code of law the original open source, for very good reason?
As law becomes more and more enforced by software, should it not all be required to be open source?
It's not the most efficient, being effectively a webview. But its UI and compatibility is imho much better than LibreOffice.
https://www.onlyoffice.com/
I've never used anything but OpenOffice / LibreOffice for writing academic texts in the humanities and never missed anything. The "catch" whenever I tried Microsoft Word was the menu that had the most important functions (for me) hidden away much deeper than in OO and LO.
I've never been a big user of Spreadsheets but I've heard only good of Excel and trust the widespread opinion that it is unchallenged in its domain. In sociology you wouldn't use it because you've got specialized statistics software such as R and SPSS (PSPP being an attempt at an Open Source Alternative to SPSS).
Looking at administration, Excel is probably quite important, but when you get rid of it, not one but various solutions might take its place, depending on who uses it. If you want something like a browseable database in a colorful table for office clerks, LO Calc might be enough. But the things Excel gets praised for a lot (I never know what exactly people mean) would probably have to be tackled another way.
Governments going down that road need to invest into finding those solutions by providing staff that is qualified to find them or even develop them. The state of Schleswig-Holstein considered in its Open Source initiative strategy that it may be challenged by future legislation and put a focus on the reasons for acceptance of Open Source solutions. I wonder if that is put into action well to find solutions with the least "catch" that may even excel over Microsoft products depending on their context :)
I've done this several times during my career, to see if LO Calc would ever come up to the performance of Excel. To be fair, I haven't done so since I switched to Python.
Here's the experiment I would conduct. Generate a column of 5000 numbers. Now graph them. Now make a few token changes to the graph such as modifying some of the aesthetic parameters. The difference in processing time was profound, last time I tried it. Also, there was a noticeable "latency" between clicking something, and seeing something happen, that made it quite un-ergonomic if not physically painful to use. I'm sensitive to this because I get eyestrain headaches easily.
https://euro-stack.com/blog/2025/3/schleswig-holstein-open-s...
The reason I'm salty is that most linux desktop envs are unusable in their own right. I very much feel the pain of being forced to use some centrally-dictated craptastic linux GUI. I've been on Linux for 2+ decades and I hate nearly all the desktop envs. I totally feel for those blokes whose Windows UI is now being ripped from their hands. Where they'll land doesn't only suck for them (having a Windows background), it might very well suck for anyone, even those with a long Linux background.
Being stuck in legacy systems sucks, and technical people like to deny the reality of it - but it's a business reality.
Language, form, muscle memory (call it what you will) is difficult to separate from thinking and working. I'm very picky when it comes to desktop UI: I use Linux exclusively, and I can't tolerate most Linux distros' default desktop environments. Someone who's been productive for a decade or more with Windows applications -- well, to the extent we're willing to ascribe "UI stability" to those applications' own updates -- will probably hate Linux with a passion.
I don't think such a transition can be made seamless. They should have thought about becoming Microsoft's hostage two decades ago (I guess).
Yes, there is a cost to changing software. But it’s not unique to an Open Source migration.
When you migrate anyway you could choose that to use a proper database and SQL if that makes sense instead.
Excel, in particular, hasn't been unseated despite billions in investments from competitors over the years. Parity will happen someday, but it's at least a decade away.
Good lord.
Time has come. Over the last few years there is more and more interest from governments and private organizations to have reliable software that does not depend on foreign entities. Software sovereignty is becoming a necessity rather than a nice to have for both nations and enterprises.
> Excel, in particular, hasn't been unseated despite billions in investments from competitors over the years.
Excel, like many other technologies in the past, can be disrupted. Like many other commenters say, it won't come cheap. Saving costs shouldn't be the goal here.
> Parity will happen someday, but it's at least a decade away.
Challenge accepted!
What major commonly used features do you reckon Excel has that haven't been implemented in LO Calc yet, that would be a deal-breaker for most businesses?
To my knowledge, Calc has implemented most of Excel's formulae (well over 500 in total count), so at least for typical spreadsheet functionality you wouldn't be missing anything.
The biggest limitation I can think of is the limited support for VBA, but Microsoft have already announced VBA's deprecation[1], so no one should be relying on it even in MS World.
And whilst LO's own Basic scripting is... basic, it also supports rich scripting and full automation via Python and Javascript. It even has a full-fledged SDK for developing addins/extensions using a high-level language like C++/Java etc[2], so businesses who're dependent on some random proprietary excel COM addin or something could invest in development effort to port it over.
Heck, if businesses are so inclined, they could modify the LO source itself and build a custom version to add the features they want - that's the beauty of FOSS.
[1] https://devblogs.microsoft.com/microsoft365dev/how-to-prepar...
[2] https://api.libreoffice.org/
When Calc gets the other 90% of the features Excel has, you also need to contend with Word, Outlook, Visio and all the rest that LibreOffice has a 0% solution for.
I support FLOSS... But pretending that anything else does enough for many orgs is delusional. There is work and pain to get through to even have a workable solution... And it won't be as good for a long while.
Massive cost savings are one of the bigger motivators... But that will be offset by the need for more internal staff.
What's your approach to getting out of Access, Visio and Outlook integrations?
Access = LibreOffice Base
Visio = LibreOffice Impress
Outlook = Schleswig-Holstein already switched successfully to Open-Xchange and Thunderbird, I've not heard of them running into any major issues with this setup.
But if that's the case then they should either look for a different COTS solution, and/or change their business workflow.
And in the event even that is unfeasible, then just continue to keep a few windows machines (maybe convert them to VMs or VDIs for ease of maintenance) for the few users that can't be migrated.
As a sibling comment says you don't need to implement absolutely everything Excel does to _disrupt_ Excel. But you do need to provide a fantastic tool that is easy to use and solves 99% of the problems. If governments start putting their money where their mouth is I am very convinced we can create tools that supersede Excel, Word,...
[1]: https://www.collaboraonline.com/
[0]: https://en.wikipedia.org/wiki/LiMux / Discussion at https://news.ycombinator.com/item?id=15661372
So if Microsoft would have paved that way, it would have been totally worth it for the city.
- Of course, of course.
They knew: If Linux makes it in Munich, it will likely spread over and they lose tons of contracts with other German states.
Sounds like management made a decision based on ideology, and the employees suffer.
Libreoffice is junk. I, like most Fortune 500 companies, have tried converting to Star/Open/Libreoffice every few releases for 25 years now. It just isn’t functionally there, and it lacks the polish of Word 95. Somebody needs to put a lot of $$$$ into the project before it’s ready for prime time.
Given that the US has shown it's willing to wield sanctions as a blunt instrument against anyone and everyone, it's only prudent for European countries to reduce their exposure to US tech.
And that's the problem: people wouldn't invest that much into a project no one uses.
I can't say I've ever suffered from my choices or that I missed any features. As for "polish" - that's subjective, isn't it? I can access all the features I want quickly and efficiently. It's a tool, after all.
There are some minor bugs with Calc that I'd rate 2/10 in importance - annoyances mostly. I haven't used Excel in a while, but it had annoyances, too.
But even if Microsoft Office is more polished and feature-rich, I still think that the trade-off is worth it - we get data and software sovereignty, privacy and cost savings. The workers need to relearn how to access feature X in the menu or how to live without feature Y.
You see, most Office users are not heavy/expert users and they only occasionally need the basic features that exist everywhere and do good enough of a job. I personally have only used Word maybe 3 times over the past few years, because almost all work documents live elsewhere, while Google Docs is good enough for my personal word processing needs (which could probably be done with Libreoffice as well).
Imagine every company starts to evaluate how many employees actually need Microsoft Office, and then drop licenses for those who would be ok with Libreoffice or nothing at all. Microsoft would be shitting their pants.
When I last tried in a small pilot program, it was incredibly primitive. Linux desktops were janky and manual compared to Active Directory and group policy, and an alternative to Intune/AAD didn't even seem to exist. Heck, even things like WSUS and WDS didn't seem to have an open version, or only had versions that required expensive expert-level SMEs to perform constant fiddling. Meanwhile the Windows tools could be managed by 20 year old admins with basic certifications.
Also, GRC and security seemed to be impossible back then. There was an utter lack of decent DLP tools, proper legal hold was difficult, EDR/AV solutions were primitive and the options were limited, etc.
Back then it was like nobody who had ever actually been a sysadmin had ever taken an honest crack at Linux and all the hype was coming from home users who had no idea what herding boxen was actually like.
I think everyone hates it, but they're often legally required. Even when they aren't legally required, they usually are by insurance companies.
Nobody wants to be on the news the first time Becky in Marketing opens an email attachment she shouldn't.
*EDIT* I left out one of the biggest benefits: Dummies & Newbs. The world is filled with people who have never used a mouse before they started this job Last week and people who actually NEED the stupid warning stickers on their toasters. If you don't lock down their desktops your support costs will be astronomical and downtime will be constant. We know this because there was a time before these tools, and it largely sucked for everyone.
Did you know that you can bypass the Windows 98 login screen by just clicking 'Cancel' instead of 'OK' at the login prompt? Nice and simple, right? That stupid button not only wrecked security, it caused tens or hundreds of thousands of hours in lost work because people forgot their passwords, clicked Cancel, and then would call the help desk wondering why network shares didn't work. It would sometimes take hours to figure out that all they had to do was reset the password and log in properly.
Microsoft is trash and is getting worse day by day, but at the very least it's the same trash everyone has to deal with, so people mostly got used to the smell, and you can get economies of scale in tools used to deal with said smell. MS is trash because of incompetence.
Linux is dozens of different flavors of trash, so you don't even get economies of scale dealing with it. It's trash because of ideology - the people involved would often reject the functionality you mentioned for ideological reasons, and even for those who do accept them, won't agree on the implementation meaning you now have a dozen of different flavors, and will take up arms if someone tries to unify things (just look at the reaction to systemd).
Linux works well for careers where shoveling trash is already part of your work, in which case all the effort doubles as training for the job and experience makes this a non-issue. But for non-IT careers where the computer is just a tool that is expected to work properly, it's nowhere near there, and will never get there because everyone's instead arguing on the definition of "there" and which mode of transportation to use getting there.
This is despite them being a tech company, and despite them having already invested in their single Linux flavor (gLinux). Wayland migration was also a pain.
While anyone with macOS or Windows laptops can open support tickets, the hardcore Linux users get invited to join internal forums to help themselves.
Thus naturally one needs to be really into it, especially when dealing with software that doesn't even exist.
So we get our IT supported systems and run GNU/Linux either on servers or VMs.
I sense only if there are changes imposed at governments level, would companies change their stance on this.
/usr is expected to be shared among hosts, host-specific stuff goes into /usr/local for a reason, and as a sysadmin you can decide to simply not have host specific software.
EDR/AV is basically unnecessary, when you only mount things either writable or executable. And you don't want the users to start random software or mount random USB-sticks anyway.
> Back then it was like nobody who had ever actually been a sysadmin had ever taken an honest crack at Linux and all the hype was coming from home users who had no idea what herding boxen was actually like.
Unix has over 50 years of history of being primarily managed by sysadmins instead of home users. While Linux is not Unix, it has inherited a lot. The whole system is basically designed to run a bunch of admin configured software and is actually less suitable for home users. I would say the primary problem was accessing it with a Windows mindset.
No, its not and never will be.
Even if it were technically unnecessary (in some hypothetical future where privilege escalation became impossible?), legal, compliance, and insurance requirements would still be there.
That's totally accurate, but you're missing the fact that we fundamentally don't (and can never) trust the OS or any other part of a general purpose computer.
In general purpose computing you have a version of Descartes brain in a vat problem (or maybe Plato's allegory of the cave if you want to go even further back).
https://iep.utm.edu/brain-in-a-vat-argument/
To summarize: We can't trust the inputs even if the OS is trusted, and if the OS is trusted can't trust the compiler, and even if we trust the compiler we can't trust the firmware, but even if we trust the firmware we can't trust the chips it runs on, and even if we trust those chips we can't trust the supply chain, etc. "Trust" is fundamentally unsolvable for any Turing machine, because all trust does is move the issue further down the supply chain.
I know this all sounds a bit hypothetical, but it's not. I can show you a real world example of every one of those things having been compromised in the past. When there is money or lives at stake people will find a way, and both things are definitely at stake here.
So what we have to do is trust, but verify, or at the very least log everything that happens and that's largely what those EDR products exist to do. Maybe we can't stop every attack, even in theory, but we take a crack at it and while we're at it we can log every attack to ensure that we can at least catch it later.
There just isn't any version of this world in which general purpose computers don't require monitoring, logging, and exploit prevention.
If you think the hardware works against you, then you are screwed.
It doesn't have to be "a random company". Microsoft, for example, now ships EDR as part of the operating system.
Many companies prefer other vendors for their own reasons. Sometimes one concern is the exact issue you're describing. By using another vendor outside of MS they can layer the security rather than putting all their eggs in a Microsoft designed basket. We sometimes call that a "security onion" in cyber.
I have no idea what the Linux version of that would even look like though. I imagine you'd just choose one of the many 3rd party EDR's from "random companies." It's another reason I asked the original question about how Sysadmins cope with Linux these days. MS has an entire suite of products designed to meet these security, regulatory, and compliance problems. Linux has... file permissions I guess?
If you want integrity, first make everything executable immutable; the system is explicitly designed to work that way. That's what the FHS exists for. Then use something like Tripwire to monitor it.
To log access use auditd (https://www.baeldung.com/linux/auditd-monitor-file-access).
What else do you need to do?
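Added example, not from the thread: a small POSIX sh check for the "writable or executable, never both" mount layout described above, which then emits auditd watch rules (real `auditctl -w PATH -p wa -k KEY` syntax) for the mounts that remain writable. The mount table is constructed inline in /proc/mounts format; on a real host you would feed it `/proc/mounts` instead.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (device mountpoint fstype options dump pass).
# /tmp is deliberately left rw and exec so the check has something to report.
SAMPLE_MOUNTS='/dev/sda1 / ext4 ro,relatime 0 0
/dev/sda2 /usr ext4 ro,relatime 0 0
/dev/sda3 /var ext4 rw,noexec,nosuid,nodev,relatime 0 0
/dev/sda4 /home ext4 rw,noexec,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# Reads a mount table on stdin, prints one line per mount that is both
# writable (no "ro" option) and executable (no "noexec" option).
# Returns 0 when the layout is clean, 1 when any violation was found.
check_wx_mounts() {
    violations=0
    while read -r _dev mnt fstype opts _dump _pass; do
        # Pseudo filesystems hold no files an attacker could drop and run.
        case "$fstype" in proc|sysfs|cgroup2|devpts) continue ;; esac
        writable=1; executable=1
        case ",$opts," in *,ro,*) writable=0 ;; esac
        case ",$opts," in *,noexec,*) executable=0 ;; esac
        if [ "$writable" -eq 1 ] && [ "$executable" -eq 1 ]; then
            echo "W+X violation: $mnt ($fstype,$opts)"
            violations=$((violations + 1))
        fi
    done
    [ "$violations" -eq 0 ]
}

# Reads a mount table on stdin and prints an auditd watch rule for every
# writable mount so writes and attribute changes there are logged.
# The key is derived from the mount point (non-alphanumerics become "_").
# Output can be saved under /etc/audit/rules.d/ or loaded with auditctl -R.
audit_rules_for_writable() {
    while read -r _dev mnt fstype opts _dump _pass; do
        case "$fstype" in proc|sysfs|cgroup2|devpts) continue ;; esac
        case ",$opts," in *,ro,*) continue ;; esac
        key="mnt$(printf '%s' "$mnt" | tr -c 'a-zA-Z0-9' '_')"
        echo "-w $mnt -p wa -k $key"
    done
}

# Demo on the constructed table: report W+X mounts, then the rules to apply.
printf '%s\n' "$SAMPLE_MOUNTS" | check_wx_mounts \
    || echo "fix the mounts above before relying on audit logs alone"
printf '%s\n' "$SAMPLE_MOUNTS" | audit_rules_for_writable
```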
How though? Presumably you mean we should trust the OS to do that?
Edit: to be clear, auditd has the same issue. We're trusting it to audit itself. However, we know that we can't trust it. So now what?... I guess we need a tool that's designed to be tamper proof to monitor it.
If you think your OS doesn't give you the correct answer to a read, then you need to run a second OS side-by-side and compare. If you think your OS is touching data you haven't told it to, you need to have a layer running below so you can check, i.e. virtualization, BIOS or hardware. If you think your OS is making network calls you haven't told it to, then you need to connect it via an intermediate host that acts as a firewall.
I don't see what injecting a random blob into the OS gives you other than box ticking. Now you need to trust the OS and that other thing.
When your attacker gains control of your OS (so actually below root), then you are screwed anyway. Only having some layer independently will help you in that case. Having more code in your OS won't help you at all; it will just add more attack surface.
> How though? Presumably you mean we should trust the OS to do that?
If you don't trust the layer controlling the hardware (aka. the OS) then you need to do that in hardware.
The early Unix systems you're talking about were mainframe based. Modern client-server or p2p apps need an entirely different mindset and a different set of tools that Linux just didn't have the last time I looked.
When they audit the company for SOX, PCI-DSS, etc. we can't just shrug and say "Nah, we decided we don't need that stuff." That's actually a good thing though, because if it were optional, well-meaning folks like you just wouldn't bother and the company would wind up on the evening news.
Maybe I am missing something, but that seems orthogonal to ensuring host integrity? I didn't argue against logging access and making things auditable, by all means do that. I argued against working against the OS.
It is not like integrity protection software doesn't exist for Linux (e.g. Tripwire), it is just different from Windows, since on Windows you have a system where the default way is to let the user control the software and install random things, and you need to patch that ability away first. On Linux software installation is typically controlled by the admin and done with a single file database (which makes it less suitable for home users), but this is exactly what you want on an admin-controlled system.
Sure, computing paradigms have changed, but it is still a good idea to use OS isolation like not running programs with user rights.
Even if security were "solved" in Linux (it's not), it would still often be illegal not to have an EDR and that's probably a good thing.
Well that's my point. You don't need third-party software messing with the OS internals when the same thing can be provided by the OS directly. The real EDR product is the OS.
That's certainly not the default in a managed corporate environment. Even for home users, Microsoft restricts what you can install more and more.
And restrictions are not implemented via patch, but via management capabilities native to the OS, accessed via checkboxes in Group Policy.
python ~/my.py
wget | bash
Also you can't make it physically impossible for employees to not e.g. screenshot things and take them home. You can forbid it and try to enforce it, but some amount of trust is needed.
Willing action needs to be taken for what it is, a deliberate action by that user. If that user is allowed to access that data, then I don't see what is wrong with him doing that in an automated way.
Sounds good, except:
* scripting languages exist. The situation is even worse on Linux than on Windows (because of the sysadmin focus). You need at least /bin/sh installed and runnable on any POSIX system. In practice bash, python, perl and many more are also always available.
* exploits exist. Just opening a pdf file may execute arbitrary code on a machine. There is no way to avoid that by just configuring your system. And it will happen sooner or later, especially if nation states are involved.
The idea that your systems are somehow unhackable because you... mount everything W^X is... not based in reality. Of course it's a great idea, but in practice you need defense in depth, and you need to have a way to Detect and Respond to inevitable Endpoint breaches. I don't love EDR/AVs, but they mitigate real attacks happening in the real world.
https://euro-stack.com/blog/2025/3/schleswig-holstein-open-s...
I've used other things that claimed to in the past and none came anywhere close in practice. They all turned out just to be LDAP with some NT4 style policies for windows and very little at all for the Linux clients. It was like traveling back in time to the Windows 2000 era of management.
GPOs are a windows thing and don't apply to other systems. The generic equivalent is configuration management, for which there are many solutions. Linux updates are much easier than windows updates, and many linux systems now use immutable and atomic updates by default, which further reduces risk.
For directory, openLDAP just does LDAP. DNS is done with Kea or Unbound.
Fundamentally the issue is a lack of familiarity. The only way to become familiar with a system is... to use it.
I do not know. They probably evaluated the solution before they made the decision.
In any case, continuing to use AD seems out of the question. Relying on US based software in 2025 and beyond is simply not a viable option for any administration that values its sovereignty. The US isn’t even hiding its hostility.
LibreOffice works just fine on _Windows_ - and that's what the majority of its users are running.
So, Schleswig-Holstein can switch to Linux, or not switch, or let specific agencies or individuals choose.
Initiated by the city of Munich, LiMux aimed to migrate public administration systems from Windows to a Linux-based OS to increase control over IT infrastructure and reduce costs. Despite initial success (announced at LinuxTag in 2014, I was there for the announcement), the project faced intense political lobbying by Microsoft leading to a reversion to Windows.
More examples in this note: https://lab.abilian.com/Tech/Linux/Sovereign%20OS%20-%20%22E... (in particular https://lab.abilian.com/Tech/Linux/Sovereign%20OS%20-%20%22E...)
How about instead you donate the same amount of money you would've paid to Microsoft anyways to fund open source projects you rely on? At least for one year, then drop it down to some arbitrary chosen percentage of that cost. That way you can still advertise it as a cost-cutting measure, and everyone would benefit.
Given this understanding, the best away to achieve the desired outcome is to get creative about aligning incentives at the top of org structures where resources are allocated.