• 1 Post
  • 37 Comments
Joined 1 month ago
cake
Cake day: December 19th, 2024

help-circle
  • what does the community think of it?

    It’s important to note how the Linux community interacts with change. In the past, whenever a change has been significant enough to influence individual workflows, it often provoked strong reactions. This was evident when systemd was introduced and adopted by distros like Arch and Debian. Even though systemd was arguably superior in essential aspects for most users, it failed to meet the needs of at least a vocal minority. Consequently, community endeavors were set up to enable the use of Debian or Arch without systemd.

    Similarly, the introduction of immutable distributions seems to upset some people, though (at least to me) it’s unjustified. Immutable distributions don’t necessarily alter the traditional model. For instance, the existence of Fedora Silverblue doesn’t impose changes on traditional Fedora; let alone Arch or Debian.

    But, overall, most Linux users aren’t bothered by it. Though, they often don’t see a use for themselves. Personally, I attribute this at least in part to existing misconceptions and misinformation on the subject matter. Though, still, a minority[1] (at best ~10%) actually prefers and uses ‘immutable’ distros.

    Do the downsides outweigh the benefits or vice versa?

    Depends entirely on what you want out of your system. For me, they absolutely do. But it’s important to note that the most important thing they impose on the user is the paradigm shift that comes with going ‘immutable’. And this is actually what traditional Linux users are most bothered by. But if you’re unfamiliar with Linux conventions, then you probably won’t even notice.

    As a side note, it’s perhaps important to note that the similarities between traditional distros are greater than the similarities between immutable distros. Also, Fedora Atomic is much more like traditional Fedora than it is similar to, say, openSUSE Aeon or Vanilla OS. Grouping them together as if they are a cohesive group with very similar attributes is misleading. Of course, they share a few traits, but overall, the differences are far more pronounced.

    Therefore, it is a false dichotomy to simply label them as traditional distros versus immutable distros. Beyond these names, which we have assigned to them, these labels don’t actually adequately explain how these systems work, how they interact, how their immutability is achieved (if at all), what underlying technologies they use, or how they manage user interactions. The implications of the above. Etc.

    Could this help Linux reach more mainstream audiences?

    The success of the Steam Deck and its SteamOS are the most striking and clear proof of this. So, yes. Absolutely.


    1. Not accounting SteamOS users.

  • Nixos tends to lean on the term reproducible instead of immutable, because you can have settings (e.g files in /etc & ~/.config) changed outside of nix’s purview, it just won’t be reproducible and may be overwritten by nix.

    Interesting. If possible, could you more explicitly draw comparisons on how this isn’t quite the same over on say Fedora Atomic? Like, sure changes of /etc are (at least by default) being kept track of. But you indeed can change it. libostree doesn’t even care what you do in your home folder. Thus, changes to e.g. ~/.config (and everything else in /var[1]) are kept nowhere else by default.


    1. Which happens to be more crowded than on other distros as folders like /opt are actually found here as well.


  • Thank you for chiming in and providing your thoughts!

    While we’re at it, I absolutely appreciate your work. Wonderful stuff! Thank you from the bottom of my heart!

    UKI is something we very much want to do in the future, but it’s a long-term goal

    That’s lovely to hear!

    As far as replacing the init system, I think even in traditional Fedora that would be extremely challenging, but it could probably be done as a custom image.

    Aight. I’ll change the list then. Thank you for enlightening me on this. The feasibility as a custom image is really encouraging; perhaps I’ll give it a go 😜.


  • Bazzite seemed much closer to being truely immutable

    If you meant that it’s even harder to tinker/change/configure etc compared to SteamOS, then I’d like to inform you that this is false. Fedora Atomic, and thus Bazzite, facilitates quite a lot actually. Of course, it’s not as moldable as say Arch or Gentoo. To illustrate this, I won’t bother you with all the things it can do. Because that would take a while. Instead, I’ll only focus on the things it actually can not do. On the top of my head, the following comes to mind:

    • Rip systemd out and replace it with another init, but I’m unaware if traditional Fedora even facilitates this to begin with. Bazzite’s founder came by and corrected me on this. Even this is probably possible as a custom image.
    • UKI
    • Setup systemd-boot (or any other bootloader) instead of GRUB
    • Kmods can be hit or miss; what’s found here is accessible. What remains can be very finicky.
    • 3rd party repositories can be hit or miss; for example, both Terra and Tailscale work, but e.g. ProtonVPN may not.



  • Since you seem to know a lot about it let me ask you a couple of things:

    😅. I’ll try my best 😜.

    Bazzite is immutable, right? I’m sure I saw that somewhere and Fedora Atomic is also immutable IIRC

    It is correct that the contents of / is immutable at runtime aside from /var and /etc. However, note that a lot of folders like /home and /opt are actually found in /var in response. This is later ‘fixed’ with symlinks and whatnot. In effect, only the contents of /usr (aside from /usr/share) is off-limits (or ‘actual’[1] immutable).

    How does the config changes not get overwritten?

    I believe my previous paragraph already answers this. But, to be even more elaborate, Fedora Atomic makes use of libostree (read: git for your OS). With this, only the pristine images are ‘swapped’ in-between updates (or rebases[2]). Your changes to the system are found in /var, /etc and in so-called ‘layers’ only and are not swapped out. Some of these changes are kept track of[3], but most of them reside in /var and will not be touched by libostree.

    The whole point of an immutable distro is to prevent changes to files to ensure things keep working

    Kinda. The important part is that changes are prevented for the sake of a functioning system. But the entire system doesn’t have to be locked down in order to achieve this. This does mean that it’s actually not that hard to break your system. Just rm -rf /etc and your system will probably fail to boot into the very next deployment. But, as Fedora Atomic keeps at least two deployments, you will still be able to access the previous deployment in which you tried to delete /etc. So you’re protected from accidental mishaps as long as you’ve got at least one working deployment. Thankfully, you can even pin working deployments with the ostree admin pin command. And…, just like that, the distro has basically become dummy-proof. I’m sure it’s still possible to break the system, but you’d actually have to try 😉.

    So, in short, Fedora Atomic definitely intends to be a more robust system and succeeds. But, it does so while giving the user agency (and some responsibility).

    How are packages installed?

    I think everything of importance is mentioned in the docs. What is it exactly you want to know?

    The docs you sent recommend flatpak, which while very good in theory still has a small fleet of apps available.

    But that’s just the first of seven “package formats” listed in the docs 😜. The other six will assure that your remaining needs are fulfilled.

    Also they suggest using distrobox among other things, that’s definitely not beginner friendly, although an interesting concept for an advanced user to have your main machine be an immutable host to any system you want.

    This is obviously anecdotal, but Fedora Silverblue was the first distro that I used. I was a complete Linux newb. My coding background was also just a Python-course on Uni. But, somehow, in the very newbie-hostile environment back then (read: April 2022), I managed with Toolbx. So…, yeah…, I can’t relate. Sorry*. You might be absolutely correct. But, as I said, I don’t recognize this from my own experience. I wish I had a video-tutorial back then, though. Honestly, with the amount of hand-holding Bazzite and its docs provide, I believe a newbie should be absolutely fine.


    1. It is even possible to overwrite this. Both in containerfile (requires creating own image) and on device (very hacky, not recommended).

    2. Rebasing is the process by which a different image is selected to boot and run your system from. For example, with this, one can switch from Silverblue (GNOME) to Kinoite (KDE) without reinstallation. This can even be used to switch from a Fedora image to a Aurora/Bazzite/Bluefin/secureblue image.

    3. These include the software you’ve installed through rpm-ostree (or soon dnf). We call these layered packages, based on the analogy that the packages aren’t part of the image but are magically tacked on without you noticing anything finicky. It’s quite magical. Besides that, any and all changes made to /etc are also kept track of. The former you can see by invoking rpm-ostree status, the latter by invoking ostree admin config-diff.


  • Ah, I get what you mean now by inflammatory statements

    Actually, it wasn’t me that said that 😅. I do find it in jrgd’s reply, though.

    Though interestingly, I didn’t feel my comment was very inflammatory and it got downvoted too. 😅

    For the record, I also didn’t downvote your comment 😜. Though, looking at how well-received my previous reply has been, I can’t ignore the possibility that peeps that agreed with what I said also chose to downvote your comment.

    I was looking at it more from just a standpoint of systemd itself

    Sorry, I don’t think I completely understood you here.

    just looking at it from the standpoint that fedora and rhel can tend to be industry leaders for change.

    I absolutely agree with you that Fedora and Red Hat are very effective agents of change. So yes, if they would get behind an alternative for systemd, then that would definitely get traction.

    if RHEL and Ubuntu together made

    Has something like this ever happened in the past? I can’t recollect a collaboration of sorts between these two entities. If anything, they seem to be at odds with eachother: Mir vs Wayland, Snap vs Flatpak and even Upstart vs systemd. Though, at least so far, Red Hat holds an impressive winning track record.

    I think we would see that move downstream.

    Absolutely. But, and this is my inner-systemd-skeptic talking, systemd is ridiculously intertwined with the current Linux landscape and often times new updates even show a glimpse of how much more intermingling we’ll get in the future. I hope we’ll eventually get something to systemd like what PipeWire has been to PulseAudio. That’s why development into alternatives like dinit and s6 is of utmost importance.

    As far as my use of the term bloated, I’m looking at it strictly from a standpoint for the amount of code that goes into the system.

    Suckless it is 😜. It’s a fine definition. Thank you for that. But, I got to ask, where is the line drawn? Like, the Linux kernel, by virtue of being monolithic, has to be bloated as well. Right? So, if that’s the case, is somehow the kernel’s bloat okay while bloat is unaccepted for the system and service manager? If so, why? I’m genuinely curious.

    The more code you have, the more entries for security risks.

    Sure~ish. Deep discussion. I’m fine with giving this to ya.

    I’m not saying that there’s anything that’s particularly better out there right now

    I suppose some peeps will enjoy themselves with what’s out there. Do you happen to use an alternative on a daily-basis?

    but I think we should always be looking for alternatives regardless of what your views are for the people that created the code. KISS philosophy, basically. That and being open to change to avoid stagnation.

    Wholeheartedly agree 😊.


  • Isn’t Bazzite an immutable OS with very limited package availability outside of gaming?

    Nope. It’s basically Fedora Atomic with a lot of special sauce to make onboarding as pleasant as possible. Especially if you want to use it for gaming; be it as a HTPC/console or on desktop. Thus, like Fedora Atomic, you’ve got access to many different package managers to get your needs covered. Heck, Bazzite and its uBlue siblings actually improve upon Fedora Atomic in this regard (at least by default). Refer to this entry in its documentation for the finer details.

    but I’m not sure it would be a good experience for someone just getting into Linux, since most of the help he will get online

    We’ve all been faulty of this (read: searching on the internet), but we should instead consolidate Bazzite’s documentation first. Only after it isn’t found there, should one consider going to their discussion platforms; be it their own forums or their Discord server. Searching on the internet is IMO a no-go, especially if one isn’t well-versed yet.

    will direct him to edit config files which would get overwritten on update.

    This doesn’t apply to Fedora Atomic. Perhaps you’re conflating this with SteamOS.






  • I didn’t downvote myself, but did consider it.

    For one, it felt a bit out of place; Fedora isn’t defined by systemd, nor Red Hat or IBM. One clear example would be how Fedora has chosen to stick with Btrfs; contrary to Red Hat’s demands. Don’t get me wrong, I don’t deny any partnership or whatsoever. But it’s not like Fedora’s community has no agency.

    Secondly, corsicanguppy’s comment seems to imply that Fedora only sticks to systemd out of some obligation towards IBM/RedHat or something. As if the overwhelming majority of distros don’t default to systemd.

    Thirdly, Poettering works for M$ now. Sure. But systemd remains a Linux project. And quite a good one at that. Even if the likes of dinit and s6 are starting to offer some healthy competition, it’s undeniable that systemd continues to have the advantage in terms of received man-hours (in development) and adoption. I hope that Fedora eventually gives others the chance to shine. But outright ditching systemd without a perfect replacement is just foolish.

    Systemd is bloated

    The bloat argument has absolutely no weight as long it’s not properly defined. One’s bloat is the other’s sane default and vice versa. Please, if you’re engaging in good faith, come up with a definition by which the likes of dinit and/or s6 are not bloated while systemd is. Please be complete and rigorous in your assessment.

    and known to present security risks.

    If you’re referring to what’s addressed in Madaidan’s article, you should not forget that Whonix -the very distro Madaidan used to be a security researcher at- employed systemd to enhance security. And while one might say a lot about Poettering, one simply can’t deny that they’ve got a sound understanding of good security standards and how to implement them. It’s therefore unsurprising that both Kicksecure and secureblue (i.e. Linux’ finest when it comes to hardened distros) heavily rely on systemd for their bidding.

    Don’t see why looking at alternatives wouldn’t be seen as positive growth.

    At least we can agree on this 😉.





  • Thanks a ton for the elaborate answer!

    I’ve moved to cachy OS mainly because I needed to get certain things working that were only packaged in appimage

    Hmm…, I’m aware that the AppImage situation is pretty dire since it requires FUSE 2 libs while everyone and their grandmothers have moved to FUSE 3; software that’s been almost out for a decade now. Thankfully, I’ve never actually experienced trouble getting it to work on any distro. Sure, installing some libs was often required, but nothing too fancy.

    BUT I believe I could have worked it out in Aeon by fiddling around with distrobox

    FWIW, I’m 100% positive that you could get it to work on Aeon. IIRC, I’ve also used AppImages through distrobox containers.

    I think once there is a mature wayland-based Openbox replacement

    Interesting. If it isn’t too much of a trouble, could you pitch Openbox :P for me? I’m not too familiar with it, but you did get me curious.

    (eyes on labwc)

    Put into my backlog of stuff I’ve got to checkout.


  • I was hoping that this reply wasn’t needed 😅. In all fairness, some of the replies found on ycombinator definitely offer legitimate criticism. However, secureblue’s dev team didn’t just ignore all of that as they can be found discussing on the very same thread. Since then, they’ve actually implemented changes addressing these concerns. For example:

    Trading off possible kernel bugs against letting a whole LOT of userspace software run with real root privilege. And flatpak is a lot of attack surface no matter how you run it, and the packages have a bad security reputation.

    This was raised as a good objection to some of its design choices. This eventually lead secureblue’s dev team to maintain twice as many images for the sake of offering images in which this was handled differently. And it didn’t stop there, it has continued to output a lot of work addressing concerns both found on that thread and outside of it. Consider looking into its commit history. Heck, even some of the GrapheneOS-people have provided feedback on the project.

    Of course, no one dares to claim it comes close to Qubes OS’ security model. Nor is this within scope of the project. However, apart from that, I fail to name anything that’s better. Kicksecure is cool, but they’ve deprecated Hardened Malloc; a security feature found on GrapheneOS and that has been heavily inspired by OpenBSD’s malloc design. By contrast, secureblue hasn’t abandoned it. Heck, it elevated its use by allowing it to be used with Flatpak; something that hasn’t been done on any other distro yet. This is just one example in which the secureblue dev team and its various contributors have shown to be very competent when it comes to implementing changes that improve security beyond trivial checkboxes.

    Peeps may name other hardening projects. But fact of the matter is that I’m unaware of another hardened Linux project that’s quite as feature-rich:

    • Tails; cool project that does wonderful work against protecting one against forensics. But that’s literally it. It’s not even meant as a daily driver.
    • Whonix; developed somewhat together with Kicksecure, so this one actually has put in substantial work into hardening. But, again, not meant to be used as a daily driver.
    • Nix-mineral; cool project, but it’s still alpha software by its own admission.
    • Spectrum OS; great idea, but it’s not even out yet.

    Please feel free to inform me if I’ve forgotten anything. So, basically, if you want a hardened daily driver for general computing, then one simply has to choose between Kicksecure and secureblue. I wish for both projects to flourish, but I’ve stuck with the latter for now.