I recently took up Bazzite from Mint and I love it! After using it for a few days I found out it was an immutable distro, after looking into what that is I thought it was a great idea. I love the idea of getting a fresh image for every update, I think for businesses/ less tech savvy people it adds another layer of protection from self harm because you can’t mess with the root without extra steps.
For anyone who isn’t familiar with immutable distros I attached a picture of mutable vs immutable, I don’t want to describe it because I am still learning.
My question is: what does the community think of it?
Do the downsides outweigh the benefits or vice versa?
Could this help Linux reach more mainstream audiences?
Any other input would be appreciated!
Since the idea is that the “root partition” is immutable, serious question:
How do you fix a hardware config issue or a distro packaging / provision issue in an immutable distro?
Several times in my Linux history I’ve found that, for example, I need to remove package-provided files from the ALSA files in /usr/share/alsa in order for the setup to work with my particular chipset (which has a hardware bug). Other times, I’ve found that even if I set up a custom .XCompose file in my $HOME, some applications insist on reading the Compose files in /usr/share/X11/locale instead, which means I need to be able to edit or remove those files. In order to add custom themes, I need to be able to add them to /usr/share/{icons,themes}, since replicating those themes for each $HOME in the system is a notorious waste of space and not all applications seem to respect /usr/local/share. Etc.
Unless I’m mistaken on how immutable systems work, I’m not sure immutable systems are really useful to someone who actually wants to or needs to power user Linux, or customize past the “branding locking” that environments like Gnome have been aiming for for like a decade.
My guess would be: have an additional overlay filesystem on top of your immutable root and apply all your fixes to it.
On the one hand it sounds sensible, on the other hand I wonder if that’s possible when wanting to apply things that need to take place as early in boot as possible (e.g. modprobe options for a module, apparmor profiles, …).
I’ve used Bazzite for the last year or so after distrohopping for a while and landing on Arch. I learned how ‘atomic’ distros, as the Fedora folks call them, work. It sounded like my phone, where apps are relatively sandboxed and automatically update. I said ‘this is how computers should work’ and stuck to it.
I wouldn’t use standard Silverblue/Kinoite or standard Fedora. The uBlue images include so many drivers and fixes on the image that make the primary distros look incompetently made if you’re not a power user. They wouldn’t like me saying that because their work is only possible because of what Fedora does. But by that I mean, you will eventually run into something that doesn’t work and it always comes down to some licensing or scope issue that the developers simply don’t care about.
Having to do literally anything extra to get your NVIDIA GPU drivers frankly isn’t acceptable when that’s not the case for AMD cards. Let alone having to modify grub in the worst case if your distro doesn’t boot properly. If I have a part or plug something in that isn’t some hyper specific piece of technology, it should just work, because it isn’t 1999 where you need driver CDs anymore.
The main tradeoff is that for users who aren’t very technical, installing anything outside of flatpaks probably won’t make any sense. They have guides, and stuff like brew and distrobox isn’t that difficult when you understand it. But having 4 different ways to install stuff (flatpak, brew, distrobox, layering) sounds ridiculous and confusing on its face.
I have a practically 0 maintenance system with Bazzite and that’s the way I like it even though I’m perfectly capable of running anything else and modifying it to my liking. The average user isn’t going to care about anything they’re missing by not being able to modify certain files, or if they do, there’s probably a better way to do whatever it is they’re trying to do that doesn’t involve running random bash scripts.
I would recommend Aurora and Bluefin to all my Windows/Mac friends who aren’t gamers, and Bazzite or Bazzite-gnome to everyone who is. I would never recommend anything else at this point, not even something like Mint, because I consider the uBlue images to be just that good and the tradeoffs of the weird program installation to be more than worth it. Other immutable/atomic distros are too immature (like Arkane Linux) or work fundamentally differently to Fedora Atomic and rely more on things like snapshots (like OpenSUSE Aeon/Kalpa) so I’m not really comfortable recommending them either.
Bazzite is great. I was using Nobara before it, and Solus before that and Bazzite has been the best experience I ever had on Linux, I don’t plan on changing distros as long as it remains a thing.
Immutable vs Mutable weird normal
More like familiar and unfamiliar
I personally vastly prefer mutable distros for my own system, but I understand the appeal for those who like them. As long as mutable distros remain an option I don’t mind immutable distros.
It’s definitely great for the mainstream. Think of Linus Sebastian who has somehow broken every OS except for SteamOS.
It’s not great for me who uses Arch Linux btw with the expectation that if the system doesn’t break on its own, then I will break it myself.
And anybody who thinks that Linus doesn’t look for those ways to break Linux is deluding themselves. He’s a fucking asshole.
He can be an asshole, but I believe finding bugs is part of his job.
Would you rather have him find them and complain to a community who might know what they could be, or someone else who will just complain and buy a MacBook instead?
Secure != stable. Immutable distros aren’t always more secure but rather more stable and hard to break. Also btw NixOS can apply updates without rebooting.
I am a big fan of breaking my system
Stock fedora is just for you my man, it breaks by itself
Manjaro enters the room…
arch >>>>
Arch doesn’t break by itself tho, well… If you don’t update it for a few months then yes, it breaks by itself.
Exactly. Arch is just better for the user to break. I like to break my system, not the system breaking by itself.
Immutable, doesn’t mean extreme secure. It’s a false sense of security.
It could be more secure.
But during runtime, it is possible to overwrite operational memory, mask some syscalls, etc. That’s my 3 cents.
It doesn’t allow changes to stuff that needs root access to change. If you have root access you can do anything, including switching images. It is not more secure. It’s not less either.
Fully agreed. On almost any atomic distro, /home/user is writeable like usual, so any attacker is able to persist itself by editing ~/.bashrc and putting a binary somewhere.
I didn’t know that inflation can affect idiomatic expressions.
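The point above is that image immutability covers /usr, not $HOME, so the files a login shell or desktop session executes stay writable. A defender's answer is to baseline those files and report drift. The script below is an added example, not code from the thread or from any distro: the list of watched paths is an assumption, the home directory and its changes are constructed in a temporary directory, and the "unexpected-helper" line and "example.desktop" entry are made-up sample drift.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List

# Files and directories under $HOME that shells and desktop sessions execute or
# read at login. This list is an assumption for the example, not a distro's.
WATCHED = [
    ".bashrc", ".bash_profile", ".profile", ".zshrc",
    ".config/autostart", ".config/systemd/user", ".config/environment.d",
]


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _watched_files(home: Path) -> Iterator[Path]:
    for rel in WATCHED:
        p = home / rel
        if p.is_file():
            yield p
        elif p.is_dir():
            for child in sorted(p.rglob("*")):
                if child.is_file():
                    yield child


def build_baseline(home: Path) -> Dict[str, str]:
    """Map each watched file (relative to home) to its SHA-256."""
    return {str(p.relative_to(home)): _sha256(p) for p in _watched_files(home)}


def check_baseline(home: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the current state of the watched files against a saved baseline."""
    current = build_baseline(home)
    return {
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed home directory: take a baseline, change it, report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / ".bashrc").write_text('export PATH="$HOME/.local/bin:$PATH"\n')
        (home / ".profile").write_text("umask 022\n")
        (home / ".config/autostart").mkdir(parents=True)
        baseline = build_baseline(home)
        # In practice the baseline is stored where the user cannot edit it,
        # e.g. inside the image under /usr (hypothetical location) or off-host.
        baseline_json = json.dumps(baseline, indent=2, sort_keys=True)

        # Constructed drift: a line appended to ~/.bashrc and a new autostart entry.
        with (home / ".bashrc").open("a") as f:
            f.write("~/.local/bin/unexpected-helper &\n")
        (home / ".config/autostart/example.desktop").write_text(
            "[Desktop Entry]\nType=Application\nExec=/tmp/example\n"
        )
        return check_baseline(home, json.loads(baseline_json))
```

Run it on a real home directory by calling build_baseline once after a clean setup, keeping the JSON somewhere the unprivileged user cannot rewrite, and running check_baseline from a timer; an unexpected entry under "modified" or "added" is the signal worth looking at, since the image itself will not have changed.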
Secure can also mean more resilient. The infosec C-I-A triangle has three legs. Confidentiality, Integrity and Availability. Immutable distros are more resilient and thus offer better availability in the face of attacks or accidents.
I think it’s good if you have a ton of storage and want to set it and forget it. For me, immutable depresses me. I came to Linux for the tinkering and the ability to do what I please to my system, not to be restricted. That’s just me, though. For handhelds/strictly gaming machine (a Steam machine for example)? I think immutable is the perfect fit for it.
Do you have any examples of the kind of “tinkering” you couldn’t do with an immutable distro? I haven’t run into any restrictions after more than a year.
You can’t even install packages using sudo. You can, but they’ll be overridden on next update.
… why would you want to install packages with sudo? The proper way is to install them (as a user, not root) using rpm-ostree, which will layer the packages on top of the image, automatically installing them for every future system as well.
You haven’t actually looked into immutable distributions, have you?
I admit that I didn’t know about how rpm-ostree is capable of what you mentioned, but I still don’t like immutables for the other reasons I’ve mentioned. I did look into them and I can’t use them. I like my regular distro
I keep hearing this, but people never elaborate on those “other reasons”. Did I miss where you mentioned them?
You mentioned storage, but AFAIK atomic Fedora doesn’t use more space (unless you keep multiple versions for rolling back).
I don’t want to deal with images. I don’t want to have to be cleaning the system from those images to reclaim my storage. I dislike flatpaks, snaps and appimage on which immutable distros rely. The lack of customization as you can’t modify system files or install traditional packages outside the immutable framework, which limits personal tweaks. Apps availability, not all apps on the planet exist in flatpaks. The learning curve. Having to change the way I interact with my computer completely, I’m too fucking lazy for that and way too cozy where I am. They’re just a burden that I don’t want to deal with and I hope that that’s ok with you. Lmao
Of course it’s ok! You do whatever you want. Though I’d like to clear up a couple of misconceptions:
I don’t want to deal with images. I don’t want to have to be cleaning the system from those images to reclaim my storage.
You don’t have to, happens automatically.
I dislike flatpaks, snaps and appimage on which immutable distros rely.
Fair, though you don’t have to use them at all - you could run everything in a distrobox.
The lack of customization as you can’t modify system files or install traditional packages outside the immutable framework, which limits personal tweaks.
This really depends on what system files you mean. Anything in /etc/? Fully writable. Everything is configurable either in your home directory or in /etc/, so I haven’t run into any issues with not being able to modify something - and if you do run into that, you always have distrobox.
Apps availability, not all apps on the planet exist in flatpaks.
Don’t need to, you have distrobox for that.
The learning curve.
That’s fair. It’s been very small for me, and the issues have helped me become a better Linux developer, but it does bring its own problems in some cases.
Having to change the way I interact with my computer completely, I’m too fucking lazy for that and way too cozy where I am.
That’s the thing, I hear this a lot, and I just don’t know what the big changes are. I installed Kinoite, set up a distrobox, and have been smooth sailing since - all my previous installations have had far more issues, and I just haven’t really changed much (besides switching from Ubuntu to Fedora, but I’m happy about that, fuck Canonical).
N I x o s
Nix is atomic, not immutable
Well it’s a bit confusing. On Guix’ wiki General features you can read:
Guix keeps track of these references automatically so that installed packages can be garbage collected when no other package depends on them - at the cost of greater storage requirements, all upgrades in Guix are guaranteed to be both atomic and can be rolled back.
The roll-back feature of Guix is inherited from the design of Nix and is rarely found in other operating systems, since it requires an unorthodox approach to how the system should function (see MicroOS).
And then on its wiki Guix System (operating system) Roll-back you can read:
This is accomplished by a combination of Guix’s functional package manager, which treats each package and system configuration as an immutable and reproducible entity,[58] and the generation system which maintains a history of system configurations as “generations.”
So the system configurations on a Guix system are actually immutable, as opposed to regular gnu+linux distributions, which can change the system configuration on the fly. What else is immutable on Guix, I can’t tell, but at least you cannot change its system configs. What is atomic is the upgrades.
I’m not sure, but as Guix borrowed these properties from Nix, I’d think this applies to Nix as well.
In other words, at least the Guix system has immutable components. And further, the system config which is immutable, is also declarative. Combining those two things might be intimidating, since it’s not like on the fly one can go and change the system config, which might be required when debugging some misbehavior, and it’s what most distros document, then one needs to learn about guile, and a bit about functional programming I guess or at least their basics… Deploying systems might take advantage of such declarative configurations though…
is nixos considered immutable or mutable? kind of has characteristics of both.
nixos and guix are immutable and two of the only immutable distros I like
I heard both flatpak and immutability are obstacles to developers. How bad is it really?
I’ve had NixOS absolutely refuse to run some compiler toolchain I depended upon that should’ve been dead simple on other distros, I’m really hesitant to try anything that tries to be too different anymore.
Yes, some toolchains expect you to run pre-compiled dynamically linked binaries. These won’t work on NixOS, you need to either find a way to install the binary from nix and force the toolchain to use it or run patchelf on it somehow.
NixOS likely only refused to run it because you weren’t running it in the Nix way. That’s not a jab or anything, Nix has a huge learning curve and requires doing a lot differently. You’re supposed to use devshells whenever doing development. If you want something to just work, you use a container.
Whatever issue you ran into most likely had nothing to do with NixOS being immutable, and was probably caused by the non standard filesystem hierarchy, which prevents random dynamically linked binaries from running.
I’ve never heard of flatpak and immutability being obstacles to developers, in fact I generally hear the opposite. Bluefin is primarily targeted at developers, and some apps, like Bottles, will only officially support the flatpak distribution because of the simplicity and benefits it brings over standard distro packaging.
It would be a problem without distrobox. Since that gives you a normal, mutable OS on top, you don’t even notice the immutability.
if you program using vscodium, do you install a separate vscodium in every distrobox?
Yep, I do currently. I only have one main distrobox.
I had a lot of issues on silverblue using vscodium as a flatpak, I think I will try installing it in a distrobox instead.
It should behave pretty much the same as a normally installed version. Hope it works well for you!
Immutable distros are great for applications where you want uniformity for users and protections against users who are a little too curious for their own good.
SteamOS is a perfect use case. You don’t want users easily running scripts on their Steam Decks to install god knows what and potentially wreck their systems, then come to Valve looking for a fix.
Immutable distros solve that issue. Patches and updates for the OS roll out onto effectively identical systems, and if something does break, the update will fail instead of the system. So users will still have a fully functional Steam Deck.
If you’re not very technical, or you aren’t a power user and packaged apps like Flatpaks are available for all your software, then go for it. I prefer to tinker under the hood with my computers, but I also understand and accept the risk that creates.
Immutable distros are a valuable part of a larger, vibrant Linux ecosystem IMO.
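The property the post above relies on, "the update will fail instead of the system", comes from writing the whole new tree off to the side and then switching to it in a single step. The class below is an added toy model of that idea, written for this thread and not taken from ostree, rpm-ostree or Bazzite: deployments are directories named by a hash of their contents, the only mutable state is a "booted" symlink swapped with an atomic rename, and fail_on simulates a write error part-way through an update. The file trees (v1, v2) are constructed sample data.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


class DeploymentStore:
    """Toy atomic deployment store (assumption: simplified, not ostree's code).

    Every deployment is a directory named by the hash of its contents. The
    "booted" symlink is the only mutable state and is swapped with os.replace(),
    which is atomic on POSIX: a reader sees the old tree or the new tree, never
    a half-written one.
    """

    def __init__(self, root: Path):
        self.root = root
        (root / "deploy").mkdir(parents=True, exist_ok=True)
        self.history: List[str] = []  # deployments in the order they were booted

    @staticmethod
    def commit_id(tree: Dict[str, str]) -> str:
        canonical = json.dumps(tree, sort_keys=True).encode()
        return hashlib.sha256(canonical).hexdigest()[:12]

    def stage(self, tree: Dict[str, str], fail_on: Optional[str] = None) -> str:
        """Write the whole tree into a staging directory, then rename it into place.

        fail_on simulates an I/O error while writing one file: the staging
        directory is discarded and the currently booted deployment is untouched.
        """
        cid = self.commit_id(tree)
        final = self.root / "deploy" / cid
        if final.exists():
            return cid  # content-addressed: the same tree is already stored
        staging = self.root / "deploy" / f"{cid}.staging"
        shutil.rmtree(staging, ignore_errors=True)
        staging.mkdir()
        try:
            for rel, content in tree.items():
                if rel == fail_on:
                    raise OSError(f"simulated write failure on {rel}")
                path = staging / rel
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(content)
        except OSError:
            shutil.rmtree(staging)  # nothing partial ever becomes visible
            raise
        os.rename(staging, final)
        return cid

    def deploy(self, cid: str) -> None:
        """Point 'booted' at a staged deployment with one atomic symlink swap."""
        if not (self.root / "deploy" / cid).is_dir():
            raise ValueError(f"unknown deployment {cid}")
        tmp = self.root / "booted.tmp"
        if tmp.is_symlink():
            tmp.unlink()
        os.symlink(os.path.join("deploy", cid), tmp)
        os.replace(tmp, self.root / "booted")
        self.history.append(cid)

    def booted(self) -> str:
        return os.path.basename(os.readlink(self.root / "booted"))

    def rollback(self) -> str:
        """Boot the previous deployment again; the newer one stays on disk."""
        if len(self.history) < 2:
            raise RuntimeError("no previous deployment to roll back to")
        previous = self.history[-2]
        self.deploy(previous)
        return previous

    def read(self, rel: str) -> str:
        return (self.root / "booted" / rel).read_text()


def demo() -> Dict[str, str]:
    """Constructed scenario: good update, failed update, good update, rollback."""
    v1 = {"usr/lib/os-release": "VERSION=1\n", "usr/bin/game": "#!/bin/sh\necho v1\n"}
    v2 = {"usr/lib/os-release": "VERSION=2\n", "usr/bin/game": "#!/bin/sh\necho v2\n"}
    results: Dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        store = DeploymentStore(Path(tmp))
        store.deploy(store.stage(v1))
        results["v1"] = store.booted()
        try:
            store.stage(v2, fail_on="usr/bin/game")  # update fails half-way
        except OSError:
            pass
        results["after_failed_update"] = store.booted()  # still v1
        store.deploy(store.stage(v2))
        results["after_update"] = store.booted()
        results["after_update_file"] = store.read("usr/lib/os-release")
        results["after_rollback"] = store.rollback()
        results["after_rollback_file"] = store.read("usr/lib/os-release")
    return results
```

The two details worth copying from this model are that the new tree is complete before anything points at it, and that switching is one rename; a real system additionally keeps the old deployment in the bootloader menu so the rollback works even when the new tree boots but misbehaves.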
So Bazzite basically is an immutable 3rd-party SteamOS. It was originally designed for handhelds (though has desktop images now) and includes the Steam Deck’s gamemode package. That means it has the same interface, but working on a Legion Go or an Ally X. If anyone here has any of those three you should seriously check it out!
The other thing as well is that more often than not, the update will succeed and you won’t figure out until the next boot that something is wrong. However, Bazzite has a rollback tool so you can just change back to the previous image, reboot again and get to gaming.
That’s the best reason for immutable for gaming IMO. I don’t want to be fucking around with the OS when I’m in the mood to game. Being able to quickly rollback and jump into things in ~10 minutes or less is how it should be.
Immutable are the ultimate tinkerer’s distros. It’s just a different way of tinkering. True tinkering in immutable means creating your own image from the base image and that allows you to add or remove packages, change configs, services, etc.
Example: you create your own image. You decide you want to try something, but you’re being cautious. So you create a new image based on your first with your changes. You try it out and you don’t like it or it doesn’t work for some reason, you can just revert back to you other image.
Another thing worth mentioning, with these distros, you can switch between images at will. I’m new to Linux as my daily driver desktop OS, and I’ve rebased three times. It’s really cool to be able to do that.
Don’t know why this would be downvoted. Atomic distros are a tinkerer’s paradise, as all of it can be done fearlessly. I can make stupid changes to configurations that I don’t understand on NixOS, then when things break, simply revert the git commit and rebuild. (Or reboot to the last build if I broke it bad enough).
Who knows. People are passionate about Linux. And downvoting takes no effort. And people downvote stuff randomly.
- You can still apply updates live, e.g. on Bazzite (Fedora Atomic) with the --apply-live tag (or however it’s spelled).
- The root partition isn’t read only per se, but you have to change the upstream image itself instead of the one booted right now. You can use the uBlue-Builder for example to make your own custom Bazzite spin just for you if you want.
- Both aren’t inherently secure or insecure. It’s harder to brick your system, yeah, for sure, but you can still fuck up some partitions or get malware. It’s just better because everything is transparently identifiable (ostree works like git), saved (fallback images), containerised and reproducible.
- And you can still install system software, e.g. by layering it via rpm-ostree. Or use rootful containers in Distrobox and keep using apt or Pacman in there.
I run Bazzite and distrobox is amazing. No need to worry about distro when some devs only provide deb only.