I recently took up Bazzite from mint and I love it! After using it for a few days I found out it was an immutable distro, after looking into what that is I thought it was a great idea. I love the idea of getting a fresh image for every update, I think for businesses/ less tech savvy people it adds another layer of protection from self harm because you can’t mess with the root without extra steps.
For anyone who isn’t familiar with immutable distros I attached a picture of mutable vs immutable, I don’t want to describe it because I am still learning.
My question is: what does the community think of it?
Do the downsides outweigh the benefits or vice versa?
Could this help Linux reach more mainstream audiences?
Any other input would be appreciated!
I need to run immutable distros more, and I need to figure out how to roll my own images.
Desktop side, I need certain things in the base image rather than adding more layers or using a container. Things like rsync, nvim, git, curl, lynx, etc.
Would immutable distros help reach more desktop audiences? Perhaps. It’s more about applications though. The biggest help has been electron apps and the migration to web apps. The Steam Deck is successful because it has applications people want.
Server side, they look really promising for bare metal servers. Provided, there is an easy way to compile custom images. Being able to easily rollback to a known good image is very enticing, as you point out.
I’m much more comfortable trying things that I’m not sure will (or expect not to) work. I can just blast the toolbox or whatever afterwards.
Compare to some of my earlier forays into Linux, where I’d do some nonsense and then attempts to remove said nonsense would break some other load-bearing part of the OS.
Immutable distros are great for applications where you want uniformity for users and protections against users who are a little too curious for their own good.
SteamOS is a perfect use case. You don’t want users easily running scripts on their Steam Decks to install god knows what and potentially wreck their systems, then come to Valve looking for a fix.
Immutable distros solve that issue. Patches and updates for the OS roll out onto effectively identical systems, and if something does break, the update will fail instead of the system. So users will still have a fully functional Steam Deck.
If you’re not very technical, or you aren’t a power user and packaged apps like Flatpaks are available for all your software, then go for it. I prefer to tinker under the hood with my computers, but I also understand and except the risk that creates.
Immutable distros are a valuable part of a larger, vibrant Linux ecosystem IMO.
Immutable are the ultimate tinkerer’s distros. It’s just a different way of tinkering. True tinkering in immutable means creating your own image from the base image and that allows you to add or remove packages, change configs, services, etc.
Example: you create your own image. You decide you want to try something, but you’re being cautious. So you create a new image based on your first with your changes. You try it out and you don’t like it or it doesn’t work for some reason, you can just revert back to you other image.
Another thing worth mentioning, with these distros, you can switch between images at will. I’m new to Linux as my daily driver desktop OS, and I’ve rebased three times. It’s really cool to be able to do that.
Don’t know why this would be downvoted. Atomic distro’s are a tinkerers paradise, as all of it can be done fearlessly. I can make stupid changes to configurations that I don’t understand on NixOS, then when things break, simply revert the git commit and rebuild. (Or reboot to the last build if I broke it bad enough).
Who knows. People are passionate about Linux. And downvoting takes no effort. And people downvote stuff randomly.
if something makes linux more secure, safer or easier to use then it’ll be hated because people in the linux community are allergic to all those things. Secure boot? they hate it, wayland? they hate it, immutability? they hate it, flatpaks/sandboxed app? they hate it, gnome? they hate it. Even rust is hated by many.
So Bazzite basically is an immutable 3rd-party SteamOS. It was originally designed for handhelds (though has desktop images now) and includes the Steam Deck’s
gamemodepackage. That means it has the same interface, but working on a Legion Go or an Ally X. If anyone here has* any of those three you should seriously check it out!The other thing as well is that more often than not, the update will succeed and you won’t figure out until the next boot that something is wrong. However, Bazzite has a rollback tool so you can just change back to the previous image, reboot again and get to gaming.
That’s the best reason for immutable for gaming IMO. I don’t want to be fucking around with the OS when I’m in the mood to game. Being able to quickly rollback and jump into things in ~10 minutes or less is how it should be.
Immutable, doesn’t mean extreme secure. It’s a false sense of security.
It could be more secure.
But during a runtime, it is possible to overwrite operational memory, mask some syscalls, etc.That’s my 3 cents.
it doesn’t allow changes to stuff that needs root access to change. If you have root access you can do anything, including switching images. It is not more secure. It’s not less either
Fully agreed. On almost any atomic distro, /home/user is writeable like usual, so any attacker is able to persist itself by editing
~/.bashrcand putting a binary somewhere.Secure can also mean more resilient. The infosec C-I-A triangle has three legs. Confidentiality, Integrity and Availability. Immutable distros are more resilient and thus offer better availability in the face of attacks or accidents.
I didn’t know that inflation can affect idiomatic expressions.
I don’t work in tech but I love to tinker , have a home lab etc. I love using Linux for this, been on Linux for close to 20 years.
Got a steam deck little over a year ago, it was my first immutable
I just moved to an immutable silver blue. Been loving it so far. There’s a few things I have issues with, but it’s “just works”. I still distro hop and fuck around breaking my system for fun from time to time, hahahah. But having my main system on immutable has been great.
The whole point of Linux is to tinker, immutable distros destroy the whole point, not to mention, it’s a very windows-approach
Not to mention there’s no guarantee if security even with Immutable distros
Not to tinker is a good thing for me at least. Some are Ok using LFS, Gentoo, etc. But distribution like Fedora Silverblue is low maintenance as i just want my task easy and an OS that just works.
To You, that’s the keyword here
The whole point of Linux is to be a FOSS kernel/OS, that’s it.
Anything you want to (legally and morally) do with it is fine and you should not have to conform to arbitrary limitations set by others.
If you think that Linux is only for tinkering, not only are you completely wrong (since most machines running Linux are meant to be stable and not tinkered with, think servers, iot, embedded devices, etc) you are also missing the point of FOSS, since it aims to give the user freedom to do as they see fit, which includes preferring stability and security over tinkering.
There’s Linux-Libre
The whole point of Linux is to tinker
Fair enough but the sole reason I went to Linux is because I despise Microsoft. I wanted a less bloated, not ad ridden, and more customized( mainly just the GUI) experience that gave me more control over my PC. Now I only use this PC for gaming and streaming, so really I just want those two things to work with as little fiddling as possible. Obviously everyone’s use case is different and immutable is definitely not a good choice for power users (from what I’ve read).
I don’t think the point of Linux is to tinker. That would kinda make it for tinkerers only. In my view, the point of Linux is that its a kernel only and you can use it to build an OS around and build one which is easy to tinker with or one which isn’t. Point is, not every system is suited for every task and the Linux kernel allows you to use it how you wish (via distros or you can make your own system around it). Why the gatekeeping?
It is, it’s your machine, it’s YOURS to tinker to your needs
Or yours to not tinker and just use distros default. Right?
Umm sure, mutable ones give you the freedom
How does immitable differ in this case?
Cuz it’s immutable
When I just want it to work for my needs (i.e. using just web browser for most people) there’s no difference. Except immutable is less prone to go wrong.
N I x o s
deleted by creator
Atomic and declarative. Which is way cooler.
Solves the issue tho
Well it’s a bit confusing. On Guix’ wiki General features you can read:
Guix keeps track of these references automatically so that installed packages can be garbage collected when no other package depends on them - at the cost of greater storage requirements, all upgrades in Guix are guaranteed to be both atomic and can be rolled back.
The roll-back feature of Guix is inherited from the design of Nix and is rarely found in other operating systems, since it requires an unorthodox approach to how the system should function (see MicroOS).
And then on its wiki Guix System (operating system) Roll-back you can read:
This is accomplished by a combination of Guix’s functional package manager, which treats each package and system configuration as an immutable and reproducible entity,[58] and the generation system which maintains a history of system configurations as “generations.”
So the system configurations on a Guix system are actually immutable, as opposed to regular gnu+linux distributions, which can change the system configuration on the fly. What else is immutable on Guix, I can’t tell, but at least you can not change its system configs. What is atomic is the upgrades.
I’m not sure, but as Guix borrowed these properties from Nix, I’d think this applies to Nix as well.
In other words, at least the Guix system has immutable components. And further, the system config which is immutable, is also declarative. Combining those two things might be intimidating, since it’s not like on the fly one can go and change the system config, which might be required when debugging some misbehavior, and it’s what most distros document, then one needs to learn about guile, and a bit about functional programming I guess or at least their basics… Deploying systems might take advantage of such declarative configurations though…
I remain interested in the immutables or atomic distros because I know a lot of smart people that swear by them.
I also don’t try them just yet because I know a lot of dumb people like me that end up breaking a lot of stuff before quitting them altogether.
They could be amazing and just not perfected yet or they may be a meme and no one’s proved it outright just yet. Will be lurking this thread either way lool :D
These distros are great for beginners or less technically savvy. They’re really just harder for people who have been using Linux forever and are very accustomed to the old ways.
Yeah I think atomic is more appropriate but I’m not exactly sure what the difference is?
Immutable = Read-Only Root FS && Updates entire system image rather than individual files
Atomic = Updates as single transaction (all or no update) && Containerization w/ Rollback capabilityThis is quick summary from quick research pls correct where technically wrong.
That makes sense, bazzite is referred to as atomic (that’s what I meant in the above comment about atomic being more appropriate, forgot to add that context though lol) specifically instead of immutable. Bazzite updates like you said and you can always roll back, thank you for the explanation!
If we’re asking what people mean when they use those descriptors, then you’re correct.
However, literally speaking, in this context, immutable only means read-only, and atomic only means that updates are applied all-at-once or not at all (no weird in-between state if your update crashes halfway through).
The rest of the features (rollbacks, containerization, and immutable meaning full system image updates) are typically implied, but not explicitly part of the definition.
I knew a real wizard would clarify sooner than later. Much obliged and keep up the good work anon!
what does the community think of it?
It’s important to note how the Linux community interacts with change. In the past, whenever a change has been significant enough to influence individual workflows, it often provoked strong reactions. This was evident when systemd was introduced and adopted by distros like Arch and Debian. Even though systemd was arguably superior in essential aspects for most users, it failed to meet the needs of at least a vocal minority. Consequently, community endeavors were set up to enable the use of Debian or Arch without systemd.
Similarly, the introduction of immutable distributions seems to upset some people, though (at least to me) it’s unjustified. Immutable distributions don’t necessarily alter the traditional model. For instance, the existence of Fedora Silverblue doesn’t impose changes on traditional Fedora; let alone Arch or Debian.
But, overall, most Linux users aren’t bothered by it. Though, they often don’t see a use for themselves. Personally, I attribute this at least in part to existing misconceptions and misinformation on the subject matter. Though, still, a minority[1] (at best ~10%) actually prefers and uses ‘immutable’ distros.
Do the downsides outweigh the benefits or vice versa?
Depends entirely on what you want out of your system. For me, they absolutely do. But it’s important to note that the most important thing they impose on the user is the paradigm shift that comes with going ‘immutable’. And this is actually what traditional Linux users are most bothered by. But if you’re unfamiliar with Linux conventions, then you probably won’t even notice.
As a side note, it’s perhaps important to note that the similarities between traditional distros are greater than the similarities between immutable distros. Also, Fedora Atomic is much more like traditional Fedora than it is similar to, say, openSUSE Aeon or Vanilla OS. Grouping them together as if they are a cohesive group with very similar attributes is misleading. Of course, they share a few traits, but overall, the differences are far more pronounced.
Therefore, it is a false dichotomy to simply label them as traditional distros versus immutable distros. Beyond these names, which we have assigned to them, these labels don’t actually adequately explain how these systems work, how they interact, how their immutability is achieved (if at all), what underlying technologies they use, or how they manage user interactions. The implications of the above. Etc.
Could this help Linux reach more mainstream audiences?
The success of the Steam Deck and its SteamOS are the most striking and clear proof of this. So, yes. Absolutely.
- Not accounting SteamOS users.
The root filesystem is being read from somewhere, and if it’s being read from, it can be written to. Having an extra step or two in the way doesn’t make it “extremely secure”.
if it’s being read from, it can be written to.
Why would being able to read imply being able to write?
Having an extra step or two in the way doesn’t make it “extremely secure”.
Well it can greatly improve security by preventing a compromised app to achieve persistence.
Unless “read-only” is being enforced by hardware (reading from optical media, etc), a compromised sudo user can circumvent anything, and write anywhere. A read-only flag or the root filesystem being mounted from somehwere else are just trivial extra steps in the way.
Improved security != extremely secure, is all I’m saying. There are a lot of things that go into making a system extremely secure, and while an immutable root filesystem may be one of them, it doesn’t do the job all on its own as advertised in this post.
I used an immutable fedora on my surface pro 4, I wanted to shoot myself in the face every time I had to install anything. I’m good on that for the rest of my natural life.
Was what you wanted not available in a flatpack/ app image?
Wasn’t about that at all. Any DNF action took a lightyear… man just typing out those long commands (very hard to remember coming from apt) nevermind the much crazier wait time. Using toolbox for dev environments to compile things was a total nightmare. I’m sure there’s a scenario where it’s ideal, that was certainly not my situation.
Gotcha I was just wondering what the limitations are, I’m still messing with and I’ve not hit one yet but I was curious where they pop up. So for devs immutable distros don’t play well, that definitely makes sense!
From what I gather, if you like tinkering and compiling and installing random weird apps then immutable can be a serious pain in the ass like I discovered.
Did you ever try using Distrobox? That’s the recommended way if installing random apps.
I’m not sure that would’ve influenced my situation with a dual core i5-6300U and 4gb ram, it’s a pretty sluggish thing from the get go. But good to know about distrobox maybe that can help me in the future. Now rocking Debian and it’s great.
Debian sounds like a great fit for you. But it’s good to know that Universal Blue has a lot of tools available for installing and tinkering that many just don’t know about. They are extremely powerful OSs.
I think it’s good if you have a ton of storage and want to set it and forget it. For me, immutable depresses me. I came to Linux for the tinkering and the ability to do what I please to my system, not to be restricted. That’s just me, though. For handhelds/strictly gaming machine (a Steam machine for example)? I think immutable is the perfect fit for it.
Do you have any examples of the kind of “tinkering” you couldn’t do with an immutable distro? I haven’t run into any restrictions after more than a year.
You can’t even install packages using sudo. You can, but they’ll be overridden on next update.
… why would you want to install packages with
sudo? The proper way is to install them (as a user, not root) usingrpm-ostree, which will layer the packages on top of the image, automatically installing them for every future system as well.You haven’t actually looked into immutable distributions, have you?
I admit that I didn’t know about how rpm-ostree is capable of what you mentioned, but I still don’t like immutables for the other reasons I’ve mentioned. I did look into them and I can’t use them. I like my regular distro
I keep hearing this, but people never elaborate on those “other reasons”. Did I miss where you mentioned them?
You mentioned storage, but AFAIK atomic Fedora doesn’t use more space (unless you keep multiple versions for rolling back).
I don’t want to deal with images. I don’t want to have to be cleaning the system from those images to reclaim my storage. I dislike flatpaks, snaps and appimage on which immutable distros rely. The lack of customization as you can’t modify system files or install traditional packages outside the immutable framework, which limits personal tweaks. Apps availability, not all apps on the planet exist in flatpaks. The learning curve. Having to change the way I interact with my computer completely, I’m too fucking lazy for that and way too cozy where I am. They’re just a burden that I don’t want to deal with and I hope that that’s ok with you. Lmao
Of course it’s ok! You do whatever you want. Though I’d like to clear up a couple of misconceptions:
I don’t want to deal with images. I don’t want to have to be cleaning the system from those images to reclaim my storage.
You don’t have to, happens automatically.
I dislike flatpaks, snaps and appimage on which immutable distros rely.
Fair, though you don’t have to use them at all - you could run everything in a distrobox.
The lack of customization as you can’t modify system files or install traditional packages outside the immutable framework, which limits personal tweaks.
This really depends on what system files you mean. Anything in
/etc/? Fully writable. Everything is configurable either in your home directory or in/etc/, so I haven’t run into any issues with not being able to modify something - and if you do run into that, you always have distrobox.Apps availability, not all apps on the planet exist in flatpaks.
Don’t need to, you have distrobox for that.
The learning curve.
That’s fair. It’s been very small for me, and the issues have helped me become a better Linux developer, but it does bring its own problems in some cases.
Having to change the way I interact with my computer completely, I’m too fucking lazy for that and way too cozy where I am.
That’s the thing, I hear this a lot, and I just don’t know what the big changes are. I installed Kinoite, set up a distrobox, and have been smooth sailing since - all my previous installations have had far more issues, and I just haven’t really changed much (besides switching from Ubuntu to Fedora, but I’m happy about that, fuck Canonical).
For my needs, I’ve build a static system with buildroot for a pi zero. No updates, no modifications on the system, no remote access. Some directories are in tempfs, and after a reboot the system is fresh again. when needed, I removed the sd card and copy a new image
I use this board for a pulseaudio/mpd player, it’s not intended for a desktop usage, but I’m happy beiing able to configure a system like this one. For me, there is no maintenance, and this is exactly what I wanted
It’s definitely great for the mainstream. Think of Linus Sebastian who has somehow broken every OS except for SteamOS.
It’s not great for me who uses Arch Linux btw with the expectation that if the system doesn’t break on its own, then I will break it myself.
Honestly, I would say it isn’t great for anyone who has to do something low level even once. Now that there are open source nvidia kernel drivers that has solved a pretty big issue for most people who would be interested in immutable distros, but there are still many other drivers and issues that your regular user may face.
One example off the top of my head is that flatpaks specifically can’t ship systemd services if I recall correctly. A lot of wayland apps for thigns like input have to use daemons because of wayland’s security model. Lact for AMD and now Nvidia GPU control, ydotool, or even gui versions of such tools for remapping input.
Snaps require custom kernel modules that aren’t used outside of ubuntu, so I hesitate to trust them regardless of any of the other issues people have with them.
This basically leaves appimages which aren’t available for everything and don’t always seem to work at least not as reliably as flatpak. I even tried to package the rstudio forensic software as an appimage myself, so I could have an easy way to use that proprietary piece of software, but I just couldn’t get it to work. I couldn’t get it to work with distrobox either using the official methods they provide to install it on linux. I did get it working in a chroot for some reason, but it had graphical issues. In the end, I made a PKGBUILD for arch and got it working that way.
The point of all this is that a lot of times people say immutable is great for average, non tech savvy people, but I believe that literally everybody ends up needing to do low level stuff at least once or twice every so often. Which simply isn’t a great experience since you end up having to do layering which throws these theoretical average users right back into the normal complexity of a mutable system, but with even more uncertainty in my opinion.
Now then with all of these caveats. I do still agree that immutable distros are great for the aforementioned group of people and I know this statement contradicts a lot of what I have described above. The reason why I think they are great for the less tech savvy people however isn’t because of any actual technical merit of the systems design though. Immutable distros are great for people like Linus Sebastion because it limits what they can do. You simply have to accept what is there the same way that you have to on proprietary systems like Mac and Windows. Those systems force you to do things a certain way unlike Linux and that is what people like Linus need because they have no business mucking around with the system to begin with.
Lastly, all of this only works because devices like the Steam Deck are being run on specific hardware thus guaranteeing there compatibility. This is what we ultimately need. There would be much less need for low level operations to get drivers or change settings to make wifi or audio work right on a billion different devices if these people were buying linux compatible hardware in the first place.
These are valid concerns but to me they sound more like lack of tooling rather than inherent disadvantages of immutable distros. Linux distros have not historically been designed from the ground up for immutability and it makes sense that there are issues that aren’t handled optimally. Surely we can come up with clean and simple solutions to basic problems like setting up daemons and drivers if we work on it!
Weird, I don’t have any issues developing custom systemd services or similar on my Kinoite installation. Packages that need to run on the host system can be layered, everything else is running in distrobox.
You can install packages in immutable distros. It’s just not as easy and recommended as a last resort.
With Universal Blue (Bazzite, Bluefin, Aurora) you can install packages with “layering”. It’s basically modifying the image by adding packages on top of what is shipped by the distro, and those packages get added each time the image is updated.
The better, more involved solution is to create your own image from the base image. That gives you a lot more control. You can even remove packages from the base image.
And anybody who thinks that Linus doesn’t look for those ways to break Linux is deluding themselves. He’s a fucking asshole.
He can be an asshole, but I believe finding bugs is part of his job.
Would you rather have him find them and complain to a community who might know what they could be, or someone else who will just complain and buy a MacBook instead?
Is there debian based immutable distro?
Yes, it’s called VanillaOS! https://vanillaos.org/
Isn’t it based on Ubuntu?
I think it was prior to version 2, but these days it’s based on Sid - https://vanillaos.org/nerd-info
Good. I just quickly glanced at the site and there were multiple mentions of Ubuntu… Glad they switched to Debian, this way I might try it on second PC.
Thank you)
