What is your opinion on immutable distros?

Me either. Not interested.

2 Likes

I’ve been wondering the same thing since first reading about it. It feels like more of a hassle when you’re the sole user/administrator and need to make a system wide change.

1 Like

I asked a very similar question last year here, and while the question was about NixOS specifically, it went into a direction where the features of immutable distributions were put into focus.

My result was that because I have no use case for the replication of a setup I would not use the main feature, and other problems NixOS is solving I have already solved with my EOS setup, so it is probably not for me, not having enough advantages over my current setup.

Take a look.

3 Likes

I think most people simply don’t really get what an immutable system really is at least from a Fedora Silverblue centric viewpoint.

  1. The system files are read only as the system itself is an OCI Container Image.
  2. You update the system by switching out the image.
  3. If it breaks, you rollback to the old image.
  4. You can change the underlying image by either layering with something like rpm-ostree or simply building a new container with the added packages, and booting off of that.
  5. Parts of it that are mutable are /etc and parts of /var, for instance in Fedora Silverblue. Your home and configurations reside in that space.
  6. For all of these reasons you are updating atomically as a single unit. You simply switch the image you are using. If there are issues they are usually caught during the process of building the container image, and for those that are not you rollback to a last known good image.
  7. For GUI applications you can either use flatpaks or run them in containers and export them to the desktop. This provides additional layers of isolation, or sandboxing. It also separates user added items into neatly separate units.

With all of this in mind, they provide greater stability, and security. I don’t see regular package management going away, but I do see it becoming more of an infrastructure item, than a personal computing item. Fedora Silverblue has been my daily driver on laptops for about two years now, and while the experience at first was odd, I stuck with it. Now it is second nature and for edge devices, and most users, I think it is the way to go. I can easily accomplish anything I can on a regular distro, just differently, more securely, and with better compartmentalization. I do most of my work in a variety of container environments, never having to worry about messing up my dependencies because I had to have multiple versions of python for different things and screwed up with virtual environments. I avoid dependency conflicts with GUI applications because they are bringing what they need with them without adding them to the underlying OS. Sure there are hurdles to interoperability, like your browser not talking to keepassxc and having to copy/paste passwords instead of using a browser extension…but that is more secure anyway. The little cuts from theming issues, and some things not being able to talk to each other, have been decreasing over time, and get better with every iteration. Even RHEL 10 is rolling with official support for immutable systems in the server space.

They are not for everybody, but they are definitely here to stay.

3 Likes
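The read-only system tree and writable /etc and /var described in points 1 and 5 of the post above can be checked from a mount table. This is an added example, not code from the thread; the function names and the sample mount tables are constructed for illustration, and the check only looks at the `ro` mount option.

```shell
#!/bin/sh
# Added example. Prints "ro" or "rw" for the mount that covers PATH.
# usage: mount_mode PATH [MOUNTS_FILE]
mount_mode() {
    awk -v p="$1" '
        BEGIN { best = -1 }
        {
            mp = $2
            # A mount covers p if it is p, the root, or a parent directory of p.
            covers = (mp == p) || (mp == "/") || (index(p, mp "/") == 1)
            # Longest mount point wins; on a tie the later (stacked) line wins.
            if (covers && length(mp) >= best) {
                best = length(mp); mode = "rw"
                n = split($4, opts, ",")
                for (i = 1; i <= n; i++) if (opts[i] == "ro") mode = "ro"
            }
        }
        END { print (mode == "" ? "unknown" : mode) }
    ' "${2:-/proc/self/mounts}"
}

# Returns 0 only if /usr is read-only while /etc and /var stay writable.
check_layout() {
    rc=0
    for want in /usr:ro /etc:rw /var:rw; do
        actual=$(mount_mode "${want%%:*}" "${1:-/proc/self/mounts}")
        printf '%-5s expected=%s actual=%s\n' "${want%%:*}" "${want##*:}" "$actual"
        [ "$actual" = "${want##*:}" ] || rc=1
    done
    return "$rc"
}

# Constructed sample mount tables (devices and options are illustrative).
sample_image_based() {
    printf '%s\n' \
        '/dev/sda3 / btrfs rw,seclabel,relatime 0 0' \
        '/dev/sda3 /sysroot btrfs ro,seclabel,relatime 0 0' \
        '/dev/sda3 /usr btrfs ro,seclabel,relatime 0 0' \
        '/dev/sda3 /etc btrfs rw,seclabel,relatime 0 0' \
        '/dev/sda3 /var btrfs rw,seclabel,relatime 0 0'
}
sample_conventional() { printf '%s\n' '/dev/sda2 / ext4 rw,relatime 0 0'; }

tmp=$(mktemp)
sample_image_based > "$tmp"
check_layout "$tmp" && echo "layout matches the description"
sample_conventional > "$tmp"
check_layout "$tmp" || echo "/usr is writable on this layout"
rm -f "$tmp"
```

Called with no file argument, `check_layout` reads `/proc/self/mounts` on the running system.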

I will give it a read eventually, very interesting. Thank you so much.

Yeah, everything you said is pretty much what I gathered from my read up. You just said it much much better than I did haha :stuck_out_tongue:

It sounds like you got used to it AND you have a use for the containerization, which is why I tried to exclude that use case to compare it to “normal usage”.

The more secure part is a whole other can of worms because security/privacy often comes with less convenience and sacrificing things. I already am upset that sometimes flatpaks have a black cursor, can’t imagine a less savvy user running into the situation of “idk this didn’t work”. Also I always think that general secure practices are more than enough for most people.

Back to the point, avoiding dependency conflicts sounds like a great thing, however that was kind of part of my question: If you use something stable like Debian, and use almost always the same programs (meaning you won’t be installing and uninstalling packages all the time), at that point any dependency conflict should be minimal, right?

ALL OF THEM obviously.

Just kidding, this is a good question and didn’t think (know) about it. I guess in this case my question would be, how does the main objective of an immutable distro change depending on the “technical construction”? Because it sounds like comparing Deb/Arch/Fedora to an independent distro and while yes they may be built differently and for different purposes, generally speaking the broader “Linux objective” is still achieved to a point.
My original question was aimed at the sense of the broader objective of “system files are not meddled with” and if that would pose any “simple” objective advantage over using something like Debian or Mint without much tinkering.

Yeah I did get used to it. The thing is I think everyone has a use for containerization. Want a quick throwaway browser? Spin one up and done. It’s a step back from the level of security and isolation provided by something like QubesOS, and it largely becomes seamless. In another couple of years all the end user tools will be in place to provide a GUI based experience. After that the average end user won’t even know what they are using under the hood.

I am sure that is what everyone who has ever undergone a ransomware attack thinks the day before they get owned :slight_smile: . Gotta disagree I think a number of practices are absolutely worth it for the average person just doing average user things, and making it easier increases adoption.

This I agree with, but general secure practices change every day, and the Linux community in general likes to drag its feet when dealing with it. The root of that feeling is based in security by obscurity, but that is changing. The highest value targets are on Linux, and the user base is increasing to the point where…even Archlinux is getting targeted.

In theory…but it never really works out that way, I have a long relationship with Debian and related distros, most of it not very good. In practice rolling distros and fast release ones like Fedora (Fedora often has new packages before Archlinux does, so don’t let the idea that it is based on a release model fool you) have actually been more resilient and handled things better. One of the primary reasons I think you run into problems with a distro like Debian is that their packagers seem to take a perverse pride in splitting up something into as many packages as possible. Where in Redhat land you might have three types of a package (debug, source, main) and maybe an additional devel version, and in Archlinux it might be one or two…Debian will split that up for you into tiny slices, and while this is great for optimizing, or running on a tight system…I have seen it create nightmares out of nothing. It also does not help that those stable updates might mean long term bugs (not security related those get patched) because of the version that landed on Debian Stable.

Image based immutable distros are pretty much fatfinger proof, and for that I will take the ever so slight inconvenience. I will also take that extra bit of security in the place where I tend to use them; on the edge…where they are more exposed. So for an average user your laptop or any other mobile device.

2 Likes

Personally, I have no use for immutable systems because 1) I don’t want to bloat my disk with flatpaks, and 2) I want to control how and when I update my system. OTOH, from what I can tell immutable would be a godsend for system admins in a corporate/university/government environment since having a standardized system image would make their life much, much easier. Especially preventing idiots from breaking systems they decide to mess with.

3 Likes

It’s idiotproof, but it’s not for me, because I’m not an idiot.

I’m also somewhat dubious of how idiotproof it really is in the first place.

2 Likes

Build something idiot-proof and nature produces a better idiot. Always.

9 Likes

I 100% agree.

1 Like

This was a great write up and very convincing summarizing the best features of immutable distros.

Now I ask you:

  1. What have been the main cons of immutables in your experience (I’m trying to focus on daily usage things)? Like what would you say are the things that need to be “fixed” or “improved” for a regular user to be comfortable with.

  2. Which immutable distro is the best in your opinion? (Again, the focus is daily normal usage, like you’ve mentioned before, say someone has a laptop and they carry that around to browse, write some docs and that’s it).

They are all Linux but so is every other distro.

Let me say it differently, the difference between NixOS and BlendOS is bigger than the difference between BlendOS and EndeavourOS. i.e. An immutable distro can be more different to another immutable distro than a non-immutable distro.

Sure, it provides the advantage that the system files can’t be easily changed. Is that a good thing though? It depends. Who is the user, what are their preferences and what is the use case?

Let’s take one of the most direct comparisons. Fedora Workstation and Fedora Silverblue. Silverblue is harder to break than Workstation but it also has a more complicated learning curve. Which is better for a non-technical user? It depends, if they only need a web browser then almost definitely Silverblue. For everyone else it is hard to say without more info.

Some immutable distros are both easier to break and harder to modify but they have other advantages.

IMO, something like GUIX would be a terrible choice for the non-technical user.

There are many different approaches to immutability. Ostree, A/B, declarative, snapshot-based, etc. All have different tradeoffs.

You really have to try the individual distros and see if any of them suit you.

1 Like

Primarily theming. It is hard to get a consistent appearance across the desktop. However once you realize that installing the themes as flatpaks helps with consistency not much. Basically documentation could be better, but that is the case with many projects. Some of the cli tools could use GUI versions for those users, but outside of that they are ready now.

I am biased so asking me is probably going to get a biased answer…Fedora Silverblue. Seriously though any OCI image based distro is probably going to deliver the best experience and has the most industry backing. So Silverblue, Kinoite, Bazzite, any of the Ublue stuff, and MicroOS. All are good examples of immutable OCI based distros.

The advantage to OCI based distros is they will generally have the lowest cost of entry. NixOS is great but sometimes it feels like a configuration management tool masquerading as a distro. It also is very opinionated, and lacks certain features that I find as a must have (SELinux).

If all you are doing is browsing, email, and other normal office tasks any of the OCI based distros will have you doing that with ease, with zero problems.

2 Likes

Your grandma or a non-tech savvy friend or family member, as I said in the original post. Their needs, whether it’s Mac, Windows or Linux will always be “hey can you fix this?” or “How can I do this?” :stuck_out_tongue:

So in general it would be daily usage in this hypothetical example where your grandmother accesses a browser, some news, maybe YouTube or whatever. Netflix and that’s it. She’s not going into CLI to do anything or installing anything on her own (without any direction or instructions).

I understand different distros serve different purposes, but overall, despite the trade-offs I assume they all aim to be “harder to break”? - Not now considering what you’ve said. Technicalities aside, the question was basically “would you put your grandma on an immutable distro over a debian/mint?”.

I personally don’t have much time to be trying out distros (actually I don’t have a secondary device - if I ever can get a hold of a laptop I will for sure be trying out stuff) and clearly I don’t really understand all the ins-and-outs of a distro being immutable beyond the “basic concept”, so I guess for me there’s not a use case or any reason to move away from EOS.

1 Like

In a million years, I would not give one of these users NixOS or GUIX, both immutable distros. That was sort of my point. Something being immutable doesn’t tell you anything about its ease of use.

Some of them aim to be harder to break, others aim to be more secure or both to some degree.

If grandma only needed a web-browser and was willing to learn new things, sure.

If my non-tech savvy friend liked to try different software because they also liked to edit photos or play games, probably not. The thing about most immutable distros is that they are easier to use…until they are not. Meaning as soon as you need to do something other than install a flatpak, they suddenly get harder to use.

2 Likes

Thinking about 186 Haskell updates twice yesterday, no, I wouldn’t want an immutable distro and all the extra workarounds to make it “pseudo-mutable” after…

Isn’t that what we chose, and what Arch is all about? Living at the technological forefront?

I mean, if I wanted “immutable”, I’d choose Debian or Mint… :wink: [I know they aren’t, but it feels like.]

I’m thankful for the many many devs out there striving to make their software better every day. Like John MacFarlane and his Pandoc.

Having a mutable OS not only makes it more vulnerable (everything is), but also allows for fixes and patches to arrive much faster. I always felt this making me more secure than staying with something older forever. A question of the use case, I guess.

1 Like

Looking at the immutable distributions available I also would prefer Fedora Silverblue.

One question: does it support nvidia drivers or only nouveau?

2 Likes

It can but you will likely need to add rpm-fusion rpms and overlay, or you can go with https://bazzite.gg/ which is built on top of Fedora Silverblue and does all the gaming driver stuff for you. Probably a smoother experience if you are test driving.