I recently took up Bazzite from Mint and I love it! After using it for a few days I found out it was an immutable distro, after looking into what that is I thought it was a great idea. I love the idea of getting a fresh image for every update, I think for businesses/less tech savvy people it adds another layer of protection from self harm because you can’t mess with the root without extra steps.

For anyone who isn’t familiar with immutable distros I attached a picture of mutable vs immutable, I don’t want to describe it because I am still learning.

My question is: what does the community think of it?

Do the downsides outweigh the benefits or vice versa?

Could this help Linux reach more mainstream audiences?

Any other input would be appreciated!

  • Kras Mazov@lemmygrad.ml
    3 months ago

    Bazzite is great. I was using Nobara before it, and Solus before that and Bazzite has been the best experience I ever had on Linux, I don’t plan on changing distros as long as it remains a thing.

  • rumba@lemmy.zip
    3 months ago

    Then you have NixOS, which is declarative, and fairly immutable.

    You don’t have to reboot to make changes, but you can’t just run unlinked binaries either.

    You can’t do things like edit your hosts table or modify the FS for cron jobs. The application store is unwritable, but you can sync new apps into it.

    You have to make changes to the config file and run a rebuild as root.

    • nomen_dubium@startrek.website
      3 months ago

      just for clarity: you can modify stuff like hosts or cron jobs but it’d get overwritten iirc? you can also make the change in the config and have it persist (reproducibility being the main point, not disallowing you to edit your files)

      • rumba@lemmy.zip
        3 months ago

        No, that file is located in the nix store and linked back. If you become root and try to edit /etc/hosts it will complain that you cannot edit the linked file.

        If you go and try to edit the store directly you will meet the same kind of dead ends because /nix/store is a ro bind mount.

        With enough root access, time and persistence you could eventually unwrap its flavor of immutability which is why I said mostly immutable. Compared to most operating systems where you can just slip a quick edit into a cron job it’s leagues ahead.

  • Cris16228@lemmy.today
    3 months ago

    Could you share some pics (without anything private ofc) of Bazzite? I wanted to try it but I couldn’t use it as live distro. My main problem is Arch because I’m used to apt and I find pacman or whatever it uses difficult for me (nothing I can’t learn ofc)

    I love the idea of getting a fresh image for every update

    What do you mean? Thanks

    • nfms@lemmy.ml
      3 months ago

      Bazzite comes packaged with the essentials so that anyone can use it without using terminal. Flatpak is enabled by default and this is the best approach. You can check it out below.
      https://docs.bazzite.gg/Installing_and_Managing_Software/
      If you’re not comfortable yet using any other terminal package manager other than apt, you can still use Bazzite and learn with time. You can install most apps through Discover (KDE) or Gnome Software.

    • priapus@sh.itjust.works
      3 months ago

      I don’t have any pics cause I’m not currently near my computer that runs Bazzite.

      If you’re mainly using GUI apps you’ll probably just be installing everything through flatpak, which you can use via the Discover store that comes with KDE Plasma. CLI apps are installed using homebrew.

      The docs might give you some insight on using it: https://docs.bazzite.gg/

    • smeg@feddit.uk
      3 months ago

      Isn’t Bazzite Fedora-based? Meaning you use dnf instead of apt or pacman.

      • Cris16228@lemmy.today
        3 months ago

        I don’t know what it uses and as someone who always used apt, pacman or dnf is hard to understand

          • node815@lemmy.world
            3 months ago

            I use Aurora Linux which is the sister one to Bazzite, both are Fedora 41 based images. They strongly encourage using the Flatpak approach to installing software. After using it for a few weeks now, I can see why. One of the things with the immutable setup is once you install a program, you have to reboot to get it to run, but with Flatpak, it isn’t so. I think Flatpak has its merits - if they have an app which you normally use, then it’s easy enough to install and go.

            For the Fedora side of things, you can “layer” apps over it using rpm-ostree but they encourage you to only do that as a last resort. One of the things they enable you to do is install additional OSes containerized which integrate with the desktop environment. For example, right now, I can only run Scrcpy in a different OS (that I’ve been able to figure out so far), so I just spin up an Arch OS container and launch it from there, and can interface with my phone normally. As I understand too, the developers plan on disabling layering in a future release. To be honest, I don’t think I have but one thing layered and that’s my label printer’s driver.

            The benefit for me using the immutable system and this is the hardest thing to grasp for a lot of people including myself is that it truly is set and forget type of updating. With Arch, you can become sort of addicted to checking for new releases, and I’m not going to lie, it’s amazing to get some of the newest releases of your favorite app or browser especially when they fix something. With Arch, it’s generally there. With my system, I turned on auto updates, so it’s not too uncommon to bring the system up in the morning and see that updates have been given (I don’t notice them usually). It’s nice not having to worry about that as much.

            • smeg@feddit.uk
              3 months ago

              Is it stable enough to recommend for non-techy users? Set-and-forget sounds ideal for someone who doesn’t understand (and doesn’t really need to understand) all the updates their machine is doing.

              • node815@lemmy.world
                3 months ago

                In my opinion so far yes, I’ve only been on it a few weeks, but think of the immutable as locking down the root partition and any vital directories to the OS and not allowing your user to modify anything. In the event of a bad update, it’s easy enough to select the previous boot in Grub and be on your merry way.

                I have a special needs adult step-daughter whose PC I manage and I always need to keep it updated, setting it up on their Bluefin version which uses Gnome which she loves. So, I may do it this weekend. She’s currently on EndeavourOS (Arch based) but it keeps getting kernel updates daily it seems and with those a reboot. Additionally, for whatever reason, her system goes to sleep without warning sometimes so if I’m updating it, it’s gone to sleep. (Super weird). I’ve never had it do this before with standard Arch Linux so I think it’s something to do with EndeavourOS. I’ve never bothered to troubleshoot it to be honest. With a setup on the Bluefin (Aurora Linux is KDE), enabling auto updates should be a breeze and then she’s golden for being updated without my intervention.

  • Integrate777@discuss.online
    3 months ago

    I heard both flatpak and immutability are obstacles to developers. How bad is it really?

    I’ve had NixOS absolutely refuse to run some compiler toolchain I depended upon that should’ve been dead simple on other distros, I’m really hesitant to try anything that tries to be too different anymore.

    • priapus@sh.itjust.works
      3 months ago

      NixOS likely only refused to run it because you weren’t running it in the Nix way. That’s not a jab or anything, Nix has a huge learning curve and requires doing a lot differently. You’re supposed to use devshells whenever doing development. If you want something to just work, you use a container.

      Whatever issue you ran into most likely had nothing to do with NixOS being immutable, and was probably caused by the non standard filesystem hierarchy, which prevents random dynamically linked binaries from running.

      I’ve never heard of flatpak and immutability being obstacles to developers, in fact I generally hear the opposite. Bluefin is primarily targeted at developers, and some apps, like Bottles, will only officially support the flatpak distribution because of the simplicity and benefits it brings over standard distro packaging.

    • FooBarrington@lemmy.world
      3 months ago

      It would be a problem without distrobox. Since that gives you a normal, mutable OS on top, you don’t even notice the immutability.

    • ivn@jlai.lu
      3 months ago

      I’ve had NixOS absolutely refuse to run some compiler toolchain I depended upon that should’ve been dead simple on other distros, I’m really hesitant to try anything that tries to be too different anymore.

      Yes, some toolchains expect you to run pre-compiled dynamically linked binaries. These won’t work on NixOS, you need to either find a way to install the binary from nix and force the toolchain to use it or run patchelf on it somehow.

  • jollyrogue@lemmy.ml
    3 months ago

    I need to run immutable distros more, and I need to figure out how to roll my own images.

    Desktop side, I need certain things in the base image rather than adding more layers or using a container. Things like rsync, nvim, git, curl, lynx, etc.

    Would immutable distros help reach more desktop audiences? Perhaps. It’s more about applications though. The biggest help has been electron apps and the migration to web apps. The Steam Deck is successful because it has applications people want.

    Server side, they look really promising for bare metal servers. Provided, there is an easy way to compile custom images. Being able to easily rollback to a known good image is very enticing, as you point out.

  • pulverizedcoccyx@lemmy.ca
    3 months ago

    I used an immutable fedora on my surface pro 4, I wanted to shoot myself in the face every time I had to install anything. I’m good on that for the rest of my natural life.

      • pulverizedcoccyx@lemmy.ca
        3 months ago

        Wasn’t about that at all. Any DNF action took a lightyear… man just typing out those long commands (very hard to remember coming from apt) never mind the much crazier wait time. Using toolbox for dev environments to compile things was a total nightmare. I’m sure there’s a scenario where it’s ideal, that was certainly not my situation.

        • Kroxx@lemm.eeOP
          3 months ago

          Gotcha, I was just wondering what the limitations are, I’m still messing with it and I’ve not hit one yet but I was curious where they pop up. So for devs immutable distros don’t play well, that definitely makes sense!

          • pulverizedcoccyx@lemmy.ca
            3 months ago

            From what I gather, if you like tinkering and compiling and installing random weird apps then immutable can be a serious pain in the ass like I discovered.

              • pulverizedcoccyx@lemmy.ca
                3 months ago

                I’m not sure that would’ve influenced my situation with a dual core i5-6300U and 4gb ram, it’s a pretty sluggish thing from the get go. But good to know about distrobox maybe that can help me in the future. Now rocking Debian and it’s great.

                • chunkystyles@sopuli.xyz
                  3 months ago

                  Debian sounds like a great fit for you. But it’s good to know that Universal Blue has a lot of tools available for installing and tinkering that many just don’t know about. They are extremely powerful OSs.

  • lnxtx (xe/xem/xyr)@feddit.nl
    3 months ago

    Immutable doesn’t mean extremely secure. It’s a false sense of security.
    It could be more secure.
    But during a runtime, it is possible to overwrite operational memory, mask some syscalls, etc.

    That’s my 3 cents.

    • Chewy@discuss.tchncs.de
      3 months ago

      Fully agreed. On almost any atomic distro, /home/user is writeable like usual, so any attacker is able to persist by editing ~/.bashrc and putting a binary somewhere.
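
A defender-side check, added here and not written by any poster in this thread, that makes lnxtx’s and Chewy’s point concrete: it reports which mount points are actually read-only from a constructed /proc/mounts snapshot, and baselines the user-writable persistence locations under $HOME so a later edit to ~/.bashrc or an autostart entry stands out. The mount layout, the file paths and the home directory it builds are assumptions, not taken from any real system.

```shell
#!/bin/sh
# Added example, not from the thread: audit what "immutable" really covers.
# Part 1 parses a /proc/mounts snapshot and reports which trees are read-only.
# Part 2 hashes the per-user persistence locations that image-based distros
# leave writable (shell rc files, autostart entries, user systemd units) so a
# later edit can be detected. Snapshot and demo home directory are constructed.

# Constructed snapshot modelled on an rpm-ostree style layout (not a real capture).
SAMPLE_MOUNTS='/dev/vda3 /sysroot ext4 ro,relatime 0 0
composefs / overlay ro,relatime 0 0
/dev/vda3 /usr ext4 ro,relatime 0 0
/dev/vda3 /etc ext4 rw,relatime 0 0
/dev/vda3 /var ext4 rw,relatime 0 0
/dev/vda3 /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# mount_mode MOUNTS_TEXT MOUNTPOINT -> prints "ro", "rw" or "absent".
# Column 4 is the option list; the first matching mount entry wins.
mount_mode() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "ro" || opts[i] == "rw") { print opts[i]; found = 1; exit }
        }
        END { if (!found) print "absent" }'
}

# report_mounts MOUNTS_TEXT -> "mountpoint mode" for the usual top-level trees.
report_mounts() {
    for mp in / /usr /etc /var /home; do
        printf '%s %s\n' "$mp" "$(mount_mode "$1" "$mp")"
    done
}

# writable_persistence HOME -> each common user-level shell hook / autostart
# location under HOME that exists and is writable by the current user.
writable_persistence() {
    for p in "$1/.bashrc" "$1/.profile" "$1/.config/autostart" "$1/.config/systemd/user"; do
        [ -e "$p" ] && [ -w "$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# baseline_hashes HOME -> sorted "sha256  path" lines for every regular file
# under those locations; save the output as the baseline.
baseline_hashes() {
    writable_persistence "$1" | while IFS= read -r p; do
        if [ -d "$p" ]; then find "$p" -type f; else printf '%s\n' "$p"; fi
    done | sort | while IFS= read -r f; do sha256sum "$f"; done
}

# changed_since BASELINE_FILE HOME -> current hash lines that are new or differ
# from the baseline (an edited file shows up because its hash changed).
changed_since() {
    baseline_hashes "$2" | grep -vxF -f "$1" || true
}

# demo -> builds a constructed home, baselines it, simulates an edit to .bashrc
# and prints how many persistence entries changed (expected: 1).
demo() {
    home=$(mktemp -d)
    mkdir -p "$home/.config/autostart"
    printf 'export EDITOR=vim\n' > "$home/.bashrc"
    printf '[Desktop Entry]\nType=Application\nExec=true\n' > "$home/.config/autostart/constructed.desktop"
    baseline_hashes "$home" > "$home/.baseline"
    printf 'alias ll="ls -l"\n' >> "$home/.bashrc"    # simulated later modification
    changed=$(changed_since "$home/.baseline" "$home" | wc -l | tr -d ' ')
    rm -rf "$home"
    echo "$changed"
}

report_mounts "$SAMPLE_MOUNTS"
printf 'changed persistence entries: %s\n' "$(demo)"
```

On a real machine, feed it `$(cat /proc/mounts)` and the actual home directory, keep the baseline somewhere the user cannot write, and compare on a schedule; the root image being read-only says nothing about these files.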

    • xylogx@lemmy.world
      3 months ago

      Secure can also mean more resilient. The infosec C-I-A triangle has three legs. Confidentiality, Integrity and Availability. Immutable distros are more resilient and thus offer better availability in the face of attacks or accidents.

    • Rusty@lemmy.ca
      3 months ago

      I didn’t know that inflation can affect idiomatic expressions.

    • vrighter@discuss.tchncs.de
      3 months ago

      it doesn’t allow changes to stuff that needs root access to change. If you have root access you can do anything, including switching images. It is not more secure. It’s not less either

  • KrispeeIguana@lemmy.ml
    3 months ago

    It’s definitely great for the mainstream. Think of Linus Sebastian who has somehow broken every OS except for SteamOS.

    It’s not great for me who uses Arch Linux btw with the expectation that if the system doesn’t break on its own, then I will break it myself.

      • KrispeeIguana@lemmy.ml
        3 months ago

        He can be an asshole, but I believe finding bugs is part of his job.

        Would you rather have him find them and complain to a community who might know what they could be, or someone else who will just complain and buy a MacBook instead?

    • D_Air1@lemmy.ml
      3 months ago

      Honestly, I would say it isn’t great for anyone who has to do something low level even once. Now that there are open source nvidia kernel drivers that has solved a pretty big issue for most people who would be interested in immutable distros, but there are still many other drivers and issues that your regular user may face.

      One example off the top of my head is that flatpaks specifically can’t ship systemd services if I recall correctly. A lot of wayland apps for things like input have to use daemons because of wayland’s security model. Lact for AMD and now Nvidia GPU control, ydotool, or even gui versions of such tools for remapping input.

      Snaps require custom kernel modules that aren’t used outside of ubuntu, so I hesitate to trust them regardless of any of the other issues people have with them.

      This basically leaves appimages which aren’t available for everything and don’t always seem to work at least not as reliably as flatpak. I even tried to package the rstudio forensic software as an appimage myself, so I could have an easy way to use that proprietary piece of software, but I just couldn’t get it to work. I couldn’t get it to work with distrobox either using the official methods they provide to install it on Linux. I did get it working in a chroot for some reason, but it had graphical issues. In the end, I made a PKGBUILD for arch and got it working that way.

      The point of all this is that a lot of times people say immutable is great for average, non tech savvy people, but I believe that literally everybody ends up needing to do low level stuff at least once or twice every so often. Which simply isn’t a great experience since you end up having to do layering which throws these theoretical average users right back into the normal complexity of a mutable system, but with even more uncertainty in my opinion.

      Now then with all of these caveats. I do still agree that immutable distros are great for the aforementioned group of people and I know this statement contradicts a lot of what I have described above. The reason why I think they are great for the less tech savvy people however isn’t because of any actual technical merit of the systems design though. Immutable distros are great for people like Linus Sebastian because it limits what they can do. You simply have to accept what is there the same way that you have to on proprietary systems like Mac and Windows. Those systems force you to do things a certain way unlike Linux and that is what people like Linus need because they have no business mucking around with the system to begin with.

      Lastly, all of this only works because devices like the Steam Deck are being run on specific hardware thus guaranteeing their compatibility. This is what we ultimately need. There would be much less need for low level operations to get drivers or change settings to make wifi or audio work right on a billion different devices if these people were buying Linux-compatible hardware in the first place.

      • FooBarrington@lemmy.world
        3 months ago

        Weird, I don’t have any issues developing custom systemd services or similar on my Kinoite installation. Packages that need to run on the host system can be layered, everything else is running in distrobox.

      • chunkystyles@sopuli.xyz
        3 months ago

        You can install packages in immutable distros. It’s just not as easy and recommended as a last resort.

        With Universal Blue (Bazzite, Bluefin, Aurora) you can install packages with “layering”. It’s basically modifying the image by adding packages on top of what is shipped by the distro, and those packages get added each time the image is updated.

        The better, more involved solution is to create your own image from the base image. That gives you a lot more control. You can even remove packages from the base image.

      • patatahooligan@lemmy.world
        3 months ago

        These are valid concerns but to me they sound more like lack of tooling rather than inherent disadvantages of immutable distros. Linux distros have not historically been designed from the ground up for immutability and it makes sense that there are issues that aren’t handled optimally. Surely we can come up with clean and simple solutions to basic problems like setting up daemons and drivers if we work on it!

  • jamesbunagna@discuss.online
    3 months ago

    what does the community think of it?

    It’s important to note how the Linux community interacts with change. In the past, whenever a change has been significant enough to influence individual workflows, it often provoked strong reactions. This was evident when systemd was introduced and adopted by distros like Arch and Debian. Even though systemd was arguably superior in essential aspects for most users, it failed to meet the needs of at least a vocal minority. Consequently, community endeavors were set up to enable the use of Debian or Arch without systemd.

    Similarly, the introduction of immutable distributions seems to upset some people, though (at least to me) it’s unjustified. Immutable distributions don’t necessarily alter the traditional model. For instance, the existence of Fedora Silverblue doesn’t impose changes on traditional Fedora; let alone Arch or Debian.

    But, overall, most Linux users aren’t bothered by it. Though, they often don’t see a use for themselves. Personally, I attribute this at least in part to existing misconceptions and misinformation on the subject matter. Though, still, a minority[1] (at best ~10%) actually prefers and uses ‘immutable’ distros.

    Do the downsides outweigh the benefits or vice versa?

    Depends entirely on what you want out of your system. For me, they absolutely do. But it’s important to note that the most important thing they impose on the user is the paradigm shift that comes with going ‘immutable’. And this is actually what traditional Linux users are most bothered by. But if you’re unfamiliar with Linux conventions, then you probably won’t even notice.

    As a side note, it’s perhaps important to note that the similarities between traditional distros are greater than the similarities between immutable distros. Also, Fedora Atomic is much more like traditional Fedora than it is similar to, say, openSUSE Aeon or Vanilla OS. Grouping them together as if they are a cohesive group with very similar attributes is misleading. Of course, they share a few traits, but overall, the differences are far more pronounced.

    Therefore, it is a false dichotomy to simply label them as traditional distros versus immutable distros. Beyond these names, which we have assigned to them, these labels don’t actually adequately explain how these systems work, how they interact, how their immutability is achieved (if at all), what underlying technologies they use, or how they manage user interactions. The implications of the above. Etc.

    Could this help Linux reach more mainstream audiences?

    The success of the Steam Deck and its SteamOS are the most striking and clear proof of this. So, yes. Absolutely.


    1. Not accounting for SteamOS users.

  • vga@sopuli.xyz
    3 months ago

    I have investigated the idea and came to the conclusion that immutable distros are essentially a research project. They attempt to advance the state of the art a slight bit but the cost is currently too great.

    Perhaps somebody will some day create something that’s worth switching to. But I don’t think that has happened yet, or is happening with any of the current distros. Silverblue might become that with enough polish, but I feel that to get that amount of polish, they would have to make Silverblue the 1st class citizen, i.e. the default install of Fedora.

  • mlfh@lemmy.sdf.org
    3 months ago

    The root filesystem is being read from somewhere, and if it’s being read from, it can be written to. Having an extra step or two in the way doesn’t make it “extremely secure”.

    • ivn@jlai.lu
      3 months ago

      if it’s being read from, it can be written to.

      Why would being able to read imply being able to write?

      Having an extra step or two in the way doesn’t make it “extremely secure”.

      Well it can greatly improve security by preventing a compromised app from achieving persistence.

      • mlfh@lemmy.sdf.org
        3 months ago

        Unless “read-only” is being enforced by hardware (reading from optical media, etc), a compromised sudo user can circumvent anything, and write anywhere. A read-only flag or the root filesystem being mounted from somewhere else are just trivial extra steps in the way.

        Improved security != extremely secure, is all I’m saying. There are a lot of things that go into making a system extremely secure, and while an immutable root filesystem may be one of them, it doesn’t do the job all on its own as advertised in this post.