cross-posted from: https://infosec.pub/post/15781466
Am I out of touch?
No, it’s the forward-thinking generation of software engineers that want elegant, reliable, declarative systems that are wrong.
cross-posted from: https://infosec.pub/post/15781466
Am I out of touch?
No, it’s the forward-thinking generation of software engineers that want elegant, reliable, declarative systems that are wrong.
Immutable was adopted for Android because Google and the Android vendors wanted to lock down the platform, and because they always distribute their OS images and updates as binary blobs.
It offers no benefits to an open ecosystem like Linux, that you can’t already accomplish with existing security measures.
It offers some benefits to distro maintainers who are only willing/able to focus on the core system and delegate the rest of the software to distro-agnostic packages. That’s definitely an interesting niche and I look forward to it. But please note that whether the core is immutable is completely irrelevant in this scenario.
Generally speaking, if you want to use distro-agnostic packages you can do that regardless of whether the system is immutable or not.
And since we’re on the topic, if we’re borrowing things from Android I would love to have the application sandboxing and permissions. I think they’d be a much bigger benefit – to all distros, immutable or not.
Immutable partitions are amazing for reliability, then you can just OverlayFS your mutable state on top of it
The problem with making the core immutable is that you have to decide where you draw the line between immutable and regular packages.
It sounds nice to be able to always have an immutable blob with some built-in functionality that you can fall back to, but the question is how far do you want to take that blob?
Things that go into the immutable blob don’t offer much (if any) choice to the user. I can see it being used for something like the kernel and basic drivers, coreutils, basic networking. It starts getting blurry when you get to things like systemd and over-reaching when it gets to desktop functionality.
Also, you say it’s more reliable but you can get bugs in anything. Version x.y.z of the kernel can have bugs whether it’s distributed as part of an immutable core or as a package.
I definitely think distributing software as immutable bulk layers can be useful for certain device classes such as embedded, mobile, gaming etc. The Steam Deck for example and other devices where the vendor can predefine the partition table and just image it with a single binary blob.
On the desktop however I struggle to see what problems immutable solves that are not already solved some other way. Desktop machines require some degree of flexibility.
The whole point is you can roll back if something breaks.
Systemd is a core part of the system as init always has been.
Honestly though I don’t think you actually understand the difference between declarative and immutable distros. Unlike what some people think they aren’t actually the same thing. It would be nice if people stopped limping them together.
Most packages are purely additive to to system. If GNOME is part of the base system, I don’t care because I can just not use it. For packages that are mutually exclusive, well, usually that’s the distro picking it for you anyway, but if you insist on changing them then OverlayFS lets you mask files in the base.
For something like Arch or Gentoo, the read-only partition approach absolutely won’t work, but I know Fedora’s been working on an OSTree immutable approach, so it’s still technically a mutable partition but it’s defined declaratively and is still easy to roll back.
Flatpaks and Wayland should fill out this part nicely.
This often means unofficial builds that aren’t from the developer that sometimes have sandbox specific issues the devs didn’t contemplate because they don’t actually do flatpaks. If someday the random bob who is neither the original developer nor some trusted individual connected to the distro is hacked they may push out a malware enabled update that pwns all the people who automatically update in short order. This doesn’t seem like a security increasing feature.
Yes you’re right. Unofficial Flatpaks aren’t ideal and pose a security risk. Just like many convenience workarounds for apps that aren’t officially packaged, such as COPR, PPAs, AUR and the always great
curl https://github.com/dev/repo/main/install.sh | bash. Not having a convenient way to install or update is a security risk too of course. You’ll probably end up with outdated software.But both Flatpaks and the Wayland desktop have a focus on sandboxing as a security measure, and when implemented properly (official verified flatpak / app that uses the Wayland API), they can both increase security. In practice, yes, the weakest link is the problem of course. Hopefully soon, the vast majority of Linux apps will run either native Wayland or as flatpaks and that will significantly decrease the attack surface for the Linux desktop.
I don’t think anyone uses immutable distros for security, the main selling point I believe is that you can rollback when the system breaks due to a update, especially when it’s a rolling release
I can do that with Timeshift on any distro