Hey! I’m currently on Fedora Workstation and I’m getting bored. Nothing in particular. I’ve heard about immutable distros and I’m thinking about Fedora Kinoite. The idea is interesting but idk if it’s worth it. CPU and GPU are AMD. Mostly used for gaming.
I see many people here wondering, why they should consider an immutable system.
As someone, who thought the same a few months ago, and now chose Silverblue, here are reasons why:- Atomic updates: never worry about half applied installations anymore. Either your OS updates successfully, or it will just work like before.
- Less bugs and better security: every install is the same, so devs can fix one bug or exploit, recreatable on every system.
- Automatic updates (configurable): they get downloaded by the way, without you noticing. And if you reboot anyway, you boot into your updated OS. No waiting times. The system manages itself.
- Way harder to break
- Changes are easily undoable: if an update breaks anything, you can just select another image and reboot, without recovering anything.
- No junk accumulation over time, the OS is kept clean
- Clear distinction between “your” stuff and the OS
- You can “swap out” the base OS cleanly and keep your stuff. Want KDE? No need to reinstall, just paste one command and delete everything Gnome-related, and you are now on Kinoite.
- Flexibility: choose between dozens of different images, like one that replicates SteamOS or Ubuntu, has the MS Surface kernel build in, offers Hyprland, and so on…
- And much more!
My #1 reason is, that everything is worry free.
Those advantages above don’t apply to “normal” OSs, even, if I keep everything in Distrobox and Flatpaks.
Immutable OSs aren’t called “The future of Linux” without reason. They usually shouldn’t impair anyone, and make the whole Linux ecosystem better in any aspect.
I’m sorry but none of the above sound different from a regular distro. Maybe I haven’t got the gist. You can have snapshots and atomic updates on a regular distro, you don’t have to reinstall to switch from Gnome to KDE, I can install all kinds of stuff cleanly anyway thanks to package managers, I don’t use root often so the system files are effectively read-only as far as I’m concerned, and so on.
As far as security is concerned I don’t see the big deal, I mean I get why a read-only OS would in theory be harder to break into but it can still be modified for updates so I guess it’s not really “immutable” after all.
What am I missing?
Edit: before anybody points it out, I do know about the rebase layers and I think it’s an interesting approach, but ultimately still gets the same results as packages. It may be helpful for distro builders but doesn’t make much difference as a user.
You’re correct. But, and here’s the big but, the whole immutability-thing isn’t something the user should be worried about at all.
On Android for example, the system is read-only too, and pretty much nobody cares too, because it was always designed this way and it doesn’t inhibit functionality.
It is mainly a big pro for developers in how I see it. See, every installation creates some package drift. One dependency here, one extra program there, no problem.
But in sum, there will accumulate hundreds of “bloat”-packages over the years, which add many unknown vulnerabilities and bugs that are completely individual to your setup.
And then it will begin: a program crashes here, there’s your black screen, and every dev on the issue report says " closed, can’t replicate". And after an OS-reinstall, it works again.And if you want to install KDE on Pop!OS for example, it is highly individual and there are still some packages you didn’t see, and it will be very buggy. Some buttons that are misalligned, misconfigured drivers, and so on.
I tried changing the DE on my normal Fedora one time and even though I thought I did everything correct, I had to reinstall due to screen tearing/ flickering, many misconfigurations, and so on.On Silverblue, it’s a process of 5 minutes max, and then my setup will be the same as the one from thousand other people.
Ah but on Android they have very rigid rules about partition size, and lots of specialized partitions.
Speaking of which, do you happen to know how immutability is achieved on these Linux distros? Do they mark the system partition read-only, or do they use cgroups, or is it an intrinsic property of the layers?
Package confusions like you describe are always the mark of a poorly designed package system. deb and rpm are positively ancient. deb distros are notorious for multi-repo hell because each repo only has its own limited dependency scope.
You should not have issues like you described on any sane distro. A package is either in a meta package or not. Dependencies should be clear and if something was not explicitly installed it should be cleared out when the thing that depended on it was uninstalled.
Yes you can do all this with regular distros but not as conveniently. Especially cleanly switching from gnome to kde and vice versa is a nightmare. And by switching I mean removing one completely(including dependencies) and installing the other.
Why a nightmare? It should be very easy on any distro with well organized packages. Remove gnome meta-package, install kde meta-package.
its an easy: sudo apt install task-kde-desktop; sudo apt purge task-gnome-desktop; sudo apt autopurge
In testing or unstable this can be a problem though.
I feel like, many people just don’t understand exactly how a distro and package managers work. immutable os feels like it allows priotizing only on on a small core part of the distribution which is immutable and slapping everything else on via flatpak or snap.
i don’t like it and i sometimes wonder if we are not going backwards with that approach.
I’m not one hundred percent on the train of immutable, however, i have undertakes nixos and don’t user flatpak/snap. The nix configuration file is where i install everything.
But while.i agree its not super hard to switch DEs on something like ubuntu etc. But one cool thing on nix (which i think you can do on any distro with nix package manager installed) is that you can test the package without installing it at all. The roll bavk id also nice cuz ive had situations where apt gets “broken” ive always been able to fix it with a little searching but its always frightening. Knowing that nix can go back to an old config at anytime makes me a little more comfortable
Funnily enough, I like nix. The concept is way ahead of silverblue and the likes. With nix nothing is hidden behind a compatibility layer. I feel like if we really need immutability, nix is the way to go.
I always depencies left around from the DE that was removed. Maybe it is because my commands are not the right one but I follow what is recommended by the distro wikis. Like if I am using gnome and then download kde just to try it out(without removing gnome), don’t feel like using kde and remove it, I have packages and dependencies leftover from kde when I uninstall it. Neofetch too show an increase in packages even though the only action done was installing kde and uninstalling it
I can’t recommend Silverblue enough.
Thing is: on the “surface” it’s not that much different than the “normal” Fedora and it’s spins.
So, if you want something hugely different on the base, I’d recommend NixOS instead. Nix feels like “the new Arch” for me and is the tinkerer’s dream. It appears to be very complicated too, so it should keep you “not bored” as you said.
I personally wouldn’t use NixOS though, as I am just a “casual” user and don’t want to over-complicate everything.I personally am very happy with Silverblue, especially due to one reason: the ability to rebase to many many images.
As other commenters have stated, there’s a project called uBlue.
It allows you to swap out the base OS (everything except “your stuff”) with one command, so you can rebase to many different community spins and different desktops cleanly.The uBlue base OS is just Vanilla SB with some QOL stuff added, like codecs and other stuff. It is really a “just works” distro, that manages itself and functions in the background without you noticing.
The other spins give you different DEs, preconfigured drivers, opinionated approaches to different DEs, a SteamOS clone, and so on…
Absolutely great, 10/10
I might try Nix first and see how it goes, if that fails I’ll try Kinoite (I prefer KDE :)) thanks for the input :)
If you want to try Nix, go for it!
Feel free to update us all :).When I said Silverblue, I actually meant “atomic Fedora variants”, which include uBlue and Kinoite. You can always switch between those with one command and 2 minutes of download time :)
Well, actually this is not the first time me thinking about NixOS. But I tried reading their docs again and… I CANNOT be asked to deal with this. I’d probably be more likely to do LFS than learn NixOS lol I feel stupid now, saying I’ll try NixOS. As much as I want to, the docs are horrendous
tbf the docs are in the format of manuals, i.e. only useful if you already know what you’re looking for or have lots of time. If you don’t, read blog posts and nixos.wiki.
Hi! I’ve been using Fedora Kinoite (and now Bazzite Desktop) for about a year.
I’d say bazzite desktop would be a good fit for you if you want to give an immutable desktop a try. It automatically sets up an arch distrobox for steam and lutris, it even has one click installers for things like oversteer in the post-install welcome screen, it auto-updates and is generally just quite a nice improvement on based Fedora Kinoite.
Immutable distros ARE used differently, you will mostly use flatpaks for basic apps (Although a lot of people do that anyway), but any traditional packages you want to install will be done in distrobox. You CAN overlay packages to the base system, but it should be seen as a last resort.
Let me know if you have any questions :)
Interesting. Standard question, why Kinoite and why Bazzite over others? Aren’t you worried bazzite is more bloated than pure Kinoite? Or is that just my mutable distro fear lol Any resources about distrobox/layering etc you recommend?
I use Kinoite over silverblue and other Fedora versions simply because of the desktop. I choose Fedora atomic over other immutable distros because I simply think it’s the easiest/most convenient. VanillaOS might be pretty good, but from what I can tell it’s on an Ubuntu/Debian update schedule which isn’t what I want. I tried NixOS but it’s complexity just wasn’t appealing.
I use Bazzite over Kinoite because it has all of the tweaks I want, honestly the amount of “bloat” isn’t as crazy as you’d imagine.
I don’t have any resources about distrobox unfortunately, but I’m sure they’re around.
Awesome, thanks for the reply. VanillaOS is out then, I really despise anything ubuntu. I’ll try nix on my spare laptop and try Kinoite if that fails. Thanks :)
Just know, it taken me three attempts at Nix, my first 2 lasting a day to a week and my last lasting a month. It’s NOT something you’re going to jump into without a LOT of learning and googling. Try it as an experiment on something you do not depend upon.
Funnily enough, it seems the VanillaOS team does to since for their 2.0 release they dropped their Ubuntu base. Even if you’re not a Debian guy, I’d recommend checking them out since they’re doing really cool stuff no one else is.
Maybe when they introduce KDE, GNOME is meh for me
What do you mean by bored¿? Because you will be similarly bored by silverblue or kinoite. They are built to be stable and somewhat boring
Idk, I might be just trying to find something to tinker with, immutable is kind of “new flashy” thing :P
Tinkering on silverblue is similar to tinkering on fedora (at least in my experience) just more restrictive in that the read only parts can’t be changed(obviously) and tinkering with packages requires reboots and layering. The good thing is you can rollback to easily undo shit.
Why do all these immutable distros not support use of secure boot and/or TPM. If there was one that made it a breeze to configure this and made using my AURs easy as well I probably could give immutable a chance. But ATM it all looks like I’ll have to wait until a major corp like Ubuntu made & supported an immutable version so we can get these quirks hashed out.
I believe Universal Blue supports Secure Boot, since they specifically went to make it work for even Nvidia users - I’m assuming it works similarly for the non Nvidia variants or maybe just uses Fedora’s default keys? I’m not too well versed in how SB works.
Then it also comes with Distrobox so you can just spin up an Arch container and use AUR apps through there.
RedHat & Debian family desktop distros use a key that is signed by Microsoft for supporting secure boot. For compatibility reasons mostly as some hardware will brick when the MS signed keys are not found. But I prefer to sign my own keys and enroll them as I currently do with sbctl. I have no need for extra kernel modules/drivers as Nvidia users would (seems like a hacky workaround if the kernel can’t ship the drivers and signing your own kernel makes the situation even more complicated).
However I have been meaning to try Distrobox, if I get around to trying out immutable I will give it a good run.
Ah gotcha, I appreciate the info! I hope that someday a better solution for managing secure boot will work with immutable distros in the future then, so that you have a chance to give it a try (if you want to, of course).
Am already sold on immutable distros as the future of desktop Linux. 8/10 applications that I use today are flatpaks or dockers. That remaining 20% of the work to be done on immutable is what am anxious about.
Here’s secure boot for NixOS: https://github.com/nix-community/lanzaboote/
Yeah. Came across it when it was released. It’s still considered experimental.
And am sure NixOS is great but it definitely is a weird operating system.
I’m not sure what you mean exactly but I use Silverblue with secureboot on and a LUKS encrypted drive using a fido2 key. To my knowledge I also could configure the use of TPM to store my key but find that setup not to my liking.
This summary should cover my main concerns with current secure boot implementations on the major distros. Ignore everything else other the linked part. I also would not want to be forced to use grub as the bootloader.
Curious. What did you not like about using TPM to store keys in your setup? I use TPM for secure state validation & automatic decryption of my LUKS drive, it’s great and also acts as a tripwire for secureboot state.
I could build a custom version of Silverblue (u-Blue) to replicate what I already have setup, but none of this would be supported configuration. All this is not entirely to blame on on immutable distros (traditional distros don’t give a damn about secure boot either way), just that to mess around within /etc is a no-no in such a model so to get multiple pre-configured options for secureboot configs/keys that work seamlessly would be a great experience for me.
My (maybe flawed?) thoughts: Why bother with full disk encryption if one could just boot the notebook to undo the encryption?
Using my yubico fido 2 key in combination with a small PIN I can easily decrypt my LUKS drive and know nobody else can decrypt it as long as I have my yubico with me.
What do you think of this?
My (maybe flawed?) thoughts: Why bother with full disk encryption if one could just boot the notebook to undo the encryption?
If it were that easy to do, we wouldn’t have even bothered with doing disk encryption in the first place. And it’s not like cracking TPMs is a walk in the park.
Using my yubico fido 2 key in combination with a small PIN I can easily decrypt my LUKS drive and know nobody else can decrypt it as long as I have my yubico with me.
This definitely could help in a scenario where an attacker has only your notebook but for it to make a difference your attacker must not be able to access your Yubikey and/or compel you to hand it over.
As long as your LUKS drive is encrypted (TPM or not, Yubikey or not), you are relatively safe from an unauthorized party trying to access your data. Either of these attestation tools add a layer of defense for your encrypted drive.
Immutables are an amazing idea. I just wish Arch (EndeavourOS) had it.
Isn’t SteamOS immutable and Arch based? Surely there’s also a more general purpose distribution that does that.
Yup, true
I think they have a place, but personally speaking, I feel they stifle tinkering. So they’re a “no” for me.
I feel the exact opposite – I feel like they encourage tinkering in their own way, since they offer the ability to much more easily roll back to a known good configuration.
I think immutable OSes serve two purposes: For the developer who needs to operate multiple environments at the same time, and for the utter novice who could screw something up otherwise.
This audience, us, is the exactly middle ground. We like tinkering. We like setting things up.
So, I don’t think immutable OSes are for us.
Not true in my opinion.
You can still tweak the image to your liking, you just have to approach it differently.One of the many things image based OSs offer is peace of mind.
It’s just great to know my PC will work just as fine tomorrow as it did today, and I don’t have to fix anything.I can definitely see what you’re saying. But if you start to add packages, what do you gain in terms of known stability? Seems to me you might as well then just “be good” about not adding too many packages to a malleable distribution.
If you use the workflow of an immutable system on a traditional one, you have almost all the disadvantages of the first and pretty much no advantages of the second.
The “immutability” (you can still change stuff) is the wrong thing to look at.
I prefer the term “image based”, that fits better. Everytime you update your image system for example, it gets “pulled” or compared to the original image.On a traditional one, you have your original image you once downloaded, and that’s it.
Over time, it will still change due to updates and stuff. An immutable is basically a “fresh install” every time.Most immutables use layering, so you still pull the original image, but after that some stuff gets changed.
It is generally strongly discuraged to install stuff (like GIMP and so on) directly. It should only be the last option, like for drivers.But even when you directly install, you don’t use all the benefits. The OS is still rebuilt every time and package drift barely happens.
And, back to the beginning, the pros and cons.
It’s like with PDFs. Yeah, it sucks that you can’t edit them. But that’s what they’re built for. They can’t be tampered with, but therefore they look the same on every device and you don’t have to worry about fonts, formatting or symbols.And on immutables it’s the same: some stuff is a bit more different/ complicated for some, but at the same time, they’re less buggy, more secure, offer instant rollbacks, can be customized and rolled out super quickly, and much more. Read my other comment for more information, including customization by building custom images :)
Yeah man I don’t know. I used to think I like tinkering(used endeavour for a few months) but I am enjoying the no maintaince life with uBlue very much. Most of the time the system updates on its own and I am not even aware that the system updated. Same with flatpaks which also auto update so they are always on the latest version provided by flathub when I use them. But I also like gnome so maybe I am not the tinker lover I thought I was
If you are bored, no reason to change hahaha. If you want an always running system, use Kinoite.
I’ve been using Kinoite for a couple of years now on my Thinkpad. What would you like to know?
How much did you have to adapt to the new app installing workflow? If you know what I mean
I learned quickly that installing apps the traditional way causes pretty major instability. You’re basically rebasing the entire OS via ostree to install one application. After my second nuke and pave due to updates no longer working from me rebasing I took the time to learn toolbox so if a flatpak is not available I can still use an application (containerized) without altering the OS. Toolbox by default pulls in another Fedora install as the app base. I recommend using Alpine instead, much smaller and lighter.
I guess the moral of the story is learn to install applications the correct way, or just don’t use an immutable OS
Noted haha I’ll think about if I want to use Kinoite, Nix is first place rn I think haha
If nearly all of your gui apps are available as a flatpak, it’s simple to adapt. While I was using Silverblue I set my terminal up to launch directly into a distrobox, which gave me a regular container to install apps with a regular package manager (e.g. pacman in my case).
If I used Silverblue today I’d use the Nix package manager (with home manager) to install all my cli apps.
I personally don’t like them. I just keep my system clean and use distrobox and flatpak
This is why fedora had a little bar after rebooting when I updated right? What am I a Windows user?!? This is the extent of my understanding of immutable distros and I am furious with them.
I don’t know what you mean with your comment?
The progress bar on Gnome-based distros like Fedora and Ubuntu was their offline install.
This increases the likelihood of a successful update without borking your system.
You can always deactivate that or update via terminal.It has nothing to do with immutable OSs. Actually, most of them even update without you noticing, which is quite convenient imo!
I was mostly joking and I might have been mis-attributing the delay. From the time’s I’ve had Fedora, including with KDE, if I update I have a pause during the next boot where I have to let the install finish before getting back to functional. My belief was that this was because the immutable system could not be running while updating, compared to non-immutable where a standard reboot works with a new kernel et al.
Edit: Tumbleweed is not immutable, you learn something new every day, especially from your mistakes 🙃 (it’s still a really nice distro)
Personally really happy with my choice of Immutable Distro: OpenSuse Tumbleweed. To me, who is half a year into using linux, its very convenient to use an immutable system as IF i were to do a wrong command or whatever its super easy to rollback the system (at least on Suse as it uses btrfs-filesystem). Another thing worth mentioning which is also why I chose to go with immutable is that it really teaches you “the good standards” of where to tinker with files and where not to, at least for a beginner like myself this is very nice.
Tumbleweed isn’t immutable
Tumbleweed isn’t immutable… Aeon (previously MicroOS Desktop) is.
Oh wow, won’t you look at that! 😅 Well that jsut shows my lack of experience I guess. I swear I heard it somewhere and just believed it was. Or maybe I misread and read that MicroOS and Aeon was, therefore assumed Tumbleweed was… My bad!
Noted, thanks :)