So far, among the major distros, we have Fedora Silverblue and openSUSE MicroOS offering immutable (read-only) core systems. And to a lesser degree, Bottlerocket, Flatcar and Talos.
So are they the future of Linux from a security POV? Do we have much choice?
I haven't looked too much into it, but what I'm wondering is: if they're read-only, does that mean that for all system settings you'll rely on some brainlet who configured the given distribution's defaults, without the ability to change them?
If so, that limits my freedom, so I'm not a fan even if it gives a bit more foolproof security.
The two I have tested, Silverblue and MicroOS, use rpm-ostree for layering those changes you need, and they sit on top of the image. I guess they are saying we as users can't change the image, but each time we boot (which is very, very often), given that the layering only happens when you reboot. If there is an update to the system, it will update the image automatically.
It is interesting to note that it stores the previous 3 images, which you can restore from a boot menu, just like snapshots, except it uses systemd.
You have missed quite a few from your list, including NixOS, which is one of the largest.
The thing about immutable-FS-based distros is that they are very different from each other. They don't even all have the same goals.
Immutability on Linux isn't new, and it is used for various reasons; it isn't always about security.
I would categorize these into three very broad categories.
Distros where the primary use of immutability is to limit user changes, to make them easier to support and maintain. For example, many of the media-player-centric distros do this (e.g. LibreELEC).
Distros where there are huge trade-offs. You get a bunch of benefits, but there are also a bunch of serious shortcomings, making them not suitable for every purpose. This is where I would put NixOS and Silverblue, for example.
Distros where neither the benefits nor the downsides are that high, making the value proposition somewhat minimal. For example, distros that use A/B root switching.
As with everything related to Linux, it is likely they are a future, not the future. Almost nothing is universally adopted, even when the pros far outweigh the cons.
All the implementations are so different that there is no universal way to answer that. It ranges from the user having a lot of control to the user having almost none.
Well, you missed the most prominent (although developed further away from the origin) immutable Linux distribution:
Android.
It has a read-only /system partition, with folders like a real Linux system, where the OS is, and a writeable /data partition where all user-generated content like apps and settings is saved.
Generally /etc is still writeable, so you can change settings fine. It's when you need things like dkms that it gets complicated, as at the moment it takes some work. Silverblue folks are working on that situation.
I would say dalto has covered most of what I’d say on the topic so I won’t repeat it lol
I will add that from a corporate perspective immutable Linux looks to be the future. The support and security benefits of it, along with an encrypted system, secure boot with a UKI, and implementing something like dm-verity, are very attractive in that context. This will allow deployment of Linux products in interesting ways for corporate and consumer clients.
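To make concrete what "something like dm-verity" buys an immutable root, here is an added example; it is not code from this thread or from any of the distributions named in it. It builds a miniature salted hash tree over a constructed image in the shape dm-verity uses (each digest is hash(salt || data), digests are packed into zero-padded hash blocks, and the root hash is the digest of the single top hash block; matching the version-1 on-disk format exactly is an assumption here, so use veritysetup for real images) and then verifies single blocks against a trusted root hash, which is what the kernel does on every read. The image bytes, salt and block count are constructed for the demo.

```python
"""Miniature dm-verity: a salted Merkle hash tree over a read-only image.

Added example, not code from the thread or from any distribution. The tree
layout follows dm-verity's version-1 scheme as an assumption (hash(salt||data),
digests packed into zero-padded hash blocks, root = hash of the top block).
"""
import hashlib

BLOCK_SIZE = 4096                                   # data block == hash block size
HASH_NAME = "sha256"
DIGEST_LEN = hashlib.new(HASH_NAME).digest_size     # 32
PER_BLOCK = BLOCK_SIZE // DIGEST_LEN                # digests per hash block (128)


def _h(salt: bytes, data: bytes) -> bytes:
    return hashlib.new(HASH_NAME, salt + data).digest()


def _pack(digests):
    """Concatenate digests into whole hash blocks, zero-padding the last one."""
    raw = b"".join(digests)
    raw += b"\x00" * ((-len(raw)) % BLOCK_SIZE)
    return [raw[i:i + BLOCK_SIZE] for i in range(0, len(raw), BLOCK_SIZE)]


def build_hash_tree(image: bytes, salt: bytes):
    """Return (root_hash, levels). levels[0] holds the data-block digests; each
    further level holds digests of the level below; the final level is one hash
    block whose digest is the root hash that gets pinned on the kernel cmdline."""
    if len(image) % BLOCK_SIZE:
        raise ValueError("image must be a whole number of blocks")
    digests = [_h(salt, image[i:i + BLOCK_SIZE])
               for i in range(0, len(image), BLOCK_SIZE)]
    levels = []
    while True:
        blocks = _pack(digests)
        levels.append(blocks)
        digests = [_h(salt, b) for b in blocks]
        if len(digests) == 1:
            return digests[0], levels


def verify_block(data: bytes, index: int, levels, root_hash: bytes, salt: bytes) -> bool:
    """Check one data block by walking from its leaf digest up to the root.
    Only root_hash is trusted; the tree itself lives on untrusted storage."""
    expected = _h(salt, data)
    idx = index
    for level in levels:
        if idx // PER_BLOCK >= len(level):
            return False
        block = level[idx // PER_BLOCK]
        slot = (idx % PER_BLOCK) * DIGEST_LEN
        if block[slot:slot + DIGEST_LEN] != expected:
            return False
        expected = _h(salt, block)     # this block's digest must appear one level up
        idx //= PER_BLOCK
    return expected == root_hash


# --- constructed demo data (not a real image) ------------------------------
SALT = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
N_BLOCKS = 130   # more than PER_BLOCK, so the tree has two levels
IMAGE = b"".join(hashlib.sha256(b"block%d" % i).digest() * (BLOCK_SIZE // 32)
                 for i in range(N_BLOCKS))


def _block(img: bytes, i: int) -> bytes:
    return img[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]


def demo():
    root, levels = build_hash_tree(IMAGE, SALT)
    clean = all(verify_block(_block(IMAGE, i), i, levels, root, SALT)
                for i in range(N_BLOCKS))

    # 1. One byte flipped in block 129 of the "read-only" root: the leaf digest
    #    no longer matches, so the read is rejected.
    tampered = bytearray(IMAGE)
    tampered[129 * BLOCK_SIZE + 7] ^= 0x01
    tampered = bytes(tampered)
    data_caught = not verify_block(_block(tampered, 129), 129, levels, root, SALT)

    # 2. Attacker rewrites the on-disk hash tree to match the tampered data but
    #    cannot touch the root hash pinned in the signed UKI/cmdline: the top
    #    hash block no longer digests to root, so the read is still rejected.
    _, forged_levels = build_hash_tree(tampered, SALT)
    tree_caught = not verify_block(_block(tampered, 129), 129, forged_levels, root, SALT)

    return {"clean": clean, "data_tampering_detected": data_caught,
            "tree_forgery_detected": tree_caught, "tree_levels": len(levels),
            "root_hash": root.hex()}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point worth noticing is where trust lives: the hash tree sits next to the data on untrusted storage and is only an accelerator, while the single 32-byte root hash is what Secure Boot ends up vouching for when it is embedded in the UKI. That is why an immutable root plus dm-verity plus a signed UKI forms a chain, and why a writeable /etc or layered packages have to live outside the verified image.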