344

cross-posted from: https://infosec.pub/post/15781466

Am I out of touch?

No, it's the forward-thinking generation of software engineers that want elegant, reliable, declarative systems that are wrong.

top 36 comments
sorted by: hot top controversial new old
[-] lemmyvore@feddit.nl 48 points 3 months ago

But an immutable distro is not necessarily declarative, and the other way around.

Why lump them together?

[-] F04118F@feddit.nl 14 points 3 months ago

I'm guessing this refers to the not entirely separate groups of Nix(OS), Haskell, XMonad fans

[-] 4am@lemm.ee 4 points 3 months ago

Don’t forget us Bluefin/Aurora people either

[-] orrk@lemmy.world 1 points 3 weeks ago

all 12 of us, THERE IS A DOZEN OF US! A DOZEN!

[-] marcos@lemmy.world 2 points 3 months ago

an immutable distro is not necessarily declarative

It is necessarily so. You can't configure an immutable distro by a sequence of mutations.

But yes, the other way around is quite possible.

[-] tatterdemalion@programming.dev 6 points 3 months ago

You can't configure an immutable distro by a sequence of mutations.

Isn't that literally how ostree works?

[-] areyouevenreal@lemm.ee 2 points 3 months ago

NixOS isn't immutable though. It runs on normal writable ext4 by default.

[-] lemmyvore@feddit.nl 43 points 3 months ago

Immutable was adopted for Android because Google and the Android vendors wanted to lock down the platform, and because they always distribute their OS images and updates as binary blobs.

It offers no benefits to an open ecosystem like Linux, that you can't already accomplish with existing security measures.

It offers some benefits to distro maintainers who are only willing/able to focus on the core system and delegate the rest of the software to distro-agnostic packages. That's definitely an interesting niche and I look forward to it. But please note that whether the core is immutable is completely irrelevant in this scenario.

Generally speaking, if you want to use distro-agnostic packages you can do that regardless of whether the system is immutable or not.

And since we're on the topic, if we're borrowing things from Android I would love to have the application sandboxing and permissions. I think they'd be a much bigger benefit – to all distros, immutable or not.

[-] zea_64@lemmy.blahaj.zone 12 points 3 months ago

Immutable partitions are amazing for reliability, then you can just OverlayFS your mutable state on top of it

[-] lemmyvore@feddit.nl 1 points 3 months ago

The problem with making the core immutable is that you have to decide where you draw the line between immutable and regular packages.

It sounds nice to be able to always have an immutable blob with some built-in functionality that you can fall back to, but the question is how far do you want to take that blob?

Things that go into the immutable blob don't offer much (if any) choice to the user. I can see it being used for something like the kernel and basic drivers, coreutils, basic networking. It starts getting blurry when you get to things like systemd and over-reaching when it gets to desktop functionality.

Also, you say it's more reliable but you can get bugs in anything. Version x.y.z of the kernel can have bugs whether it's distributed as part of an immutable core or as a package.

I definitely think distributing software as immutable bulk layers can be useful for certain device classes such as embedded, mobile, gaming etc. The Steam Deck for example and other devices where the vendor can predefine the partition table and just image it with a single binary blob.

On the desktop however I struggle to see what problems immutable solves that are not already solved some other way. Desktop machines require some degree of flexibility.

[-] areyouevenreal@lemm.ee 3 points 3 months ago* (last edited 3 months ago)

Also, you say it's more reliable but you can get bugs in anything. Version x.y.z of the kernel can have bugs whether it's distributed as part of an immutable core or as a package.

The whole point is you can roll back if something breaks.

It starts getting blurry when you get to things like systemd and over-reaching when it gets to desktop functionality.

Systemd is a core part of the system as init always has been.

Honestly though I don't think you actually understand the difference between declarative and immutable distros. Unlike what some people think they aren't actually the same thing. It would be nice if people stopped limping them together.

[-] zea_64@lemmy.blahaj.zone 1 points 3 months ago

Most packages are purely additive to to system. If GNOME is part of the base system, I don't care because I can just not use it. For packages that are mutually exclusive, well, usually that's the distro picking it for you anyway, but if you insist on changing them then OverlayFS lets you mask files in the base.

For something like Arch or Gentoo, the read-only partition approach absolutely won't work, but I know Fedora's been working on an OSTree immutable approach, so it's still technically a mutable partition but it's defined declaratively and is still easy to roll back.

[-] F04118F@feddit.nl 8 points 3 months ago

And since we're on the topic, if we're borrowing things from Android I would love to have the application sandboxing and permissions. I think they'd be a much bigger benefit – to all distros, immutable or not.

Flatpaks and Wayland should fill out this part nicely.

[-] michaelmrose@lemmy.world 2 points 3 months ago* (last edited 3 months ago)

This often means unofficial builds that aren't from the developer that sometimes have sandbox specific issues the devs didn't contemplate because they don't actually do flatpaks. If someday the random bob who is neither the original developer nor some trusted individual connected to the distro is hacked they may push out a malware enabled update that pwns all the people who automatically update in short order. This doesn't seem like a security increasing feature.

[-] RmDebArc_5@sh.itjust.works 7 points 3 months ago

I don’t think anyone uses immutable distros for security, the main selling point I believe is that you can rollback when the system breaks due to a update, especially when it’s a rolling release

[-] swab148@lemm.ee 8 points 3 months ago

I can do that with Timeshift on any distro

[-] zephr_c@lemm.ee 39 points 3 months ago

Look, if you love declarative systems that's cool. I'm genuinely happy for you that you have much better options now. That can only be good.

That being said, they only solve problems that I don't have. I do not care even the tiniest amount about whether a system is declarative or not, and I'm definitely not going to go out of my way to seek them out. If you want to call that "out of touch" then so be it.

[-] djsaskdja@reddthat.com 12 points 3 months ago

I just like them because my system feels “cleaner.” Always drove me nuts with Arch or Debian when you install something, let’s say it requires ~20 decencies, then you remove it later, run the respective dependency clean command, and it only removes lets say ~12 packages. Like where did those 8 dependencies go? Are they just stuck on my system forever? Atomic desktops don’t have this issue which I really appreciate.

[-] tentacles9999@lemmynsfw.com 5 points 3 months ago

May I introduce you to our lord and savior portage?

[-] djsaskdja@reddthat.com 5 points 3 months ago

I have yet to climb Mt. Gentoo.

[-] kuberoot@discuss.tchncs.de 2 points 3 months ago

The 8 dependencies must be an optional dependency for some other package you already have installed. That said, that kind of stuff is the main reason I want to try NixOS - any time I install something, configure something, etc. I'm risking forgetting about it and getting tripped up over it down the line, with no good way to check.

[-] nemith@programming.dev 26 points 3 months ago

I want this but without learning a new functional language to do it.

[-] pimeys@lemmy.nauk.io 19 points 3 months ago* (last edited 3 months ago)

Just waiting for one that requires you to compile one Monad to define your whole distro. Types all the way.

Then I'm writing a blog post how your Linux distro is a burrito.

[-] PerogiBoi@lemmy.ca 13 points 3 months ago

ostree go brrrr

[-] sunoc@sh.itjust.works 3 points 3 months ago

Aeon is the way

[-] iusearchbtw@lemm.ee 15 points 3 months ago

Imagine being so devoid of soul and spirit you turn your OS into kubernetes

[-] shirro@aussie.zone 13 points 3 months ago* (last edited 3 months ago)

Not sold on declarative systems in all domains. It often creates unnecessary complexity for little advantage.

Immutable root has huge benefits in large deployments for consumers, enterprise or servers. Really great for Chromebooks and consoles. Probably would benefit the majority of Windows installations, certainly in enterprise. I do not like the idea of critical systems being updated with random shit becoming standard practice as in WIndows/Clownstrike land. Those guys have normalised insanity to the point they think we are the crazy ones.

However I like to mutate my desktop and development systems. I use linux because I like the freedom to tinker and that includes the freedom to mess stuff up. In practice having root writable only by a privileged user, a signed software distribution and knowing what I am doing mostly keeps me out of trouble. On the very rare occasions I find myself without a bootable system (it has happened to me more than once in 30 years) I know how to recover and it doesn't stress me.

[-] gabmus@lemm.ee 11 points 3 months ago

Oh I definitely am out of touch, but I think I'll live with that 😄

[-] Lettuceeatlettuce@lemmy.ml 9 points 3 months ago

Eh, bring it all on. Part of what is great about FOSS is the vibrant ecosystem. I welcome new stuff, even if I don't have much use for it.

I do think it makes a lot of sense for certain use cases. Like my Steam Deck, great use case for an immutable distro.

Another is school or work deployments where you just need a herd of identical, generic systems or thin clients that run the same small set of applications.

[-] OpenStars@discuss.online 7 points 3 months ago

Hehe, but unix shell scripting can do so much...

[-] Vivendi@lemmy.zip 6 points 3 months ago* (last edited 3 months ago)

I don't need it, I never needed it, and thus I will not use it

If one day I need it I will use it

Capiche?

[-] Pacmanlives@lemmy.world 5 points 3 months ago

I just treat my systems like cattle not pets. Get out of line and I will kill ya and bring a fresh copy online

[-] SeattleRain@lemmy.world 1 points 3 months ago

What's the best immutable OS?

[-] VitabytesDev@feddit.nl 1 points 3 months ago

Is there any declarative OS that is not immutable?

I tried Fedora Silverblue once and it was all fun and games until I wanted to build a driver.

But I really like the concept of declarative systems.

[-] art@lemmy.world 1 points 3 months ago

Immutable and Declarative OS design is simply an option. I think it's a damn good one, but right now, it's not for me. That could easily change in the near future.

The idea excites me. A potential hardened OS that user-friendly could be a great option for Business and Academic computing.

this post was submitted on 06 Aug 2024
344 points (92.0% liked)

linuxmemes

21280 readers
967 users here now

Hint: :q!


Sister communities:


Community rules (click to expand)

1. Follow the site-wide rules

2. Be civil
  • Understand the difference between a joke and an insult.
  • Do not harrass or attack members of the community for any reason.
  • Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
  • Bigotry will not be tolerated.
  • These rules are somewhat loosened when the subject is a public figure. Still, do not attack their person or incite harrassment.
  • 3. Post Linux-related content
  • Including Unix and BSD.
  • Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of sudo in Windows.
  • No porn. Even if you watch it on a Linux machine.
  • 4. No recent reposts
  • Everybody uses Arch btw, can't quit Vim, and wants to interject for a moment. You can stop now.
  •  

    Please report posts and comments that break these rules!


    Important: never execute code or follow advice that you don't understand or can't verify, especially here. The word of the day is credibility. This is a meme community -- even the most helpful comments might just be shitposts that can damage your system. Be aware, be smart, don't fork-bomb your computer.

    founded 1 year ago
    MODERATORS