Hi there folks, I’m still learning about Linux and have yet to dip my toes properly in any arch based distro. Have for the moment fallen in love with the immutable distros based on Universal Blue project. However I do want to learn about what arch has to offer to and plan on installing default arch when I have time. But have been wondering why I haven’t heard of any immutable distros from arch based distros yet.

So, am left wondering if there are talks within that Arch community of building immutable distros?


While writing this post I found a project called Arkane Linux, which seem to be very interesting. Does anyone have nay experience with it? Is there a specific reason why immutable wouldn’t be a good idea when based on Arch?

Project: https://arkanelinux.org/

    • yala@discuss.online
      link
      fedilink
      arrow-up
      16
      arrow-down
      2
      ·
      edit-2
      6 months ago

      For me:

      • atomic updates
      • reproducibility
      • (to some degree) declarative system configuration
      • increased security
      • built-in rollback functionality

      and their consequences;

      • rock solid system even with relatively up to date packages
      • possibility to enable automatic updates in background without fearing breakage
      • (quasi) factory reset feature
      • setting up a new system in just a fraction of the time required otherwise

      are the primary reasons why I absolutely adore atomic/immutable distros.

      Furthermore, it minimizes all kinds of issues related to or caused by bit rot, configuration drift and hidden/unknown states. (Note that you won’t reap all of these benefits on all atomic/immutable distros.)

      • ddh@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        1
        ·
        edit-2
        6 months ago

        Yep, also ability to rebase to some other image. Maybe that’s what you meant by setting up a new system.

        • yala@discuss.online
          link
          fedilink
          arrow-up
          4
          arrow-down
          2
          ·
          edit-2
          6 months ago

          Rebasing is (strictly speaking) found exclusively on Fedora Atomic (though I wouldn’t be surprised if Vanilla OS has also started supporting this like Fedora Atomic does). While achieving something similar on NixOS or GuixSD isn’t necessarily hard, the term “rebase” is not used for either of these systems.

          Setting up a new system with little to no nuisance is a direct consequence of managing your system declaratively. So no, I didn’t mean rebasing. Though, in your defense, Fedora Atomic does achieve it through rebasing. But, even then, it’s only one part of the puzzle.

          • biribiri11@lemmy.ml
            link
            fedilink
            arrow-up
            3
            ·
            6 months ago

            ostree is based on OCI images, the basis for containers and the like. “Rebasing” just refers to swapping out the OCI image containing your root with another.

      • dsemy@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        ·
        6 months ago

        (Note that you won’t reap all of these benefits on all atomic/immutable distros.)

        That’s because most of these benefits are not a result of a distro being immutable.

        • yala@discuss.online
          link
          fedilink
          arrow-up
          1
          arrow-down
          1
          ·
          6 months ago

          You should define what “being immutable” means (according to you).

          Besides, the questioner asked what the benefits of an immutable distro are. The only three mature immutable distros possess all of these qualities. And even if some of these qualities may be found on other distros that are not qualified as immutable. Fact of the matter is that the immutable variants of these features are far and wide superior over their counterparts found on traditional distros.

          • dsemy@lemm.ee
            link
            fedilink
            English
            arrow-up
            1
            ·
            6 months ago

            I guess I’d define it as a distro where the base system is read-only and changes or updates to it are done by replacing it atomically.

            Fact of the matter is that the immutable variants of these features are far and wide superior over their counterparts found on traditional distros.

            How exactly? Just saying it doesn’t make it true. Except for atomic updates (which are basically the main point of these distros, and why they’re also called “atomic”), what can they do that you can’t on a normal distro?

            • yala@discuss.online
              link
              fedilink
              arrow-up
              1
              arrow-down
              1
              ·
              edit-2
              6 months ago

              Thank you for your reply!

              I guess I’d define it as a distro where the base system is read-only and changes or updates to it are done by replacing it atomically.

              Aight. I got no qualms with that definition for an immutable distro. However, small nitpick, the term “base system” can be very murky at times. And perhaps I would rephrase the part addressing changes/updates to “changes or updates to it are intended to be applied atomically”.


              Btw, I think this conversation is primarily on semantics and some assumptions we’re making related to that. So, I agree with you that (strictly speaking) immutability is only part of the puzzle (perhaps I might even refer to it as an enabler) for acquiring a lot of the aforementioned benefits to the degree by which it’s attained. So, the precise implementation of immutability is at least as important.

              For example, openSUSE Aeon/Kalpa, as much as I like them, have not been able to deliver most of these benefits beyond what traditional distros are capable of. Despite these distros being immutable*. However, they’ve recognized their faults and intend to move towards an image-based solution in order to improve. Similarly, Vanilla OS has recognized that their first vision of ABRoot wasn’t fit and thus overhauled it to be more in line with Fedora Atomic. We should continue to regard their initial visions as immutable distros despite ‘their failings’, but should also recognize that their failures aren’t representative of what immutable distros are or can be.


              How exactly?

              what can they do that you can’t on a normal distro?

              Alright, let’s start:

              (Note that the immutable distros will only be represented by Fedora Atomic, GuixSD and NixOS. The others are either too niche or immature)

              • atomic updates; no need to explain as you’ve established this yourself.
              • reproducibility; I’m not talking here simply about “reproducible builds”. Instead, I’m referring to how, on a daily basis, the system is actually built up from the ground (or at least capable of doing so without the hassle of actually committing to a complete reinstall). Some references in case you’re interested to know more about this. This is something I’ve simply never seen on a traditional distro. Though I hope you can correct me on this.
              • declarative system configuration; atomicity is just a pre-cursor or enabler for this. Nonetheless, ultimately, it’s a feature found exclusively on immutable distros. In case you mention Ansible, you should be aware that Ansible (at best) offers convergent system management. The aforementioned immutables succeeds effortlessly in (the superior) congruent system management. Refer to this article in case you’re interested in the differences.
              • increased security; Linux’ security standards leaves a lot to be desired. Unfortunately, whatever immutability offers in that regard, is far from enough to bridge the gap. By contrast, Qubes OS, while not being immutable (and technically not even a Linux distro), succeeds at setting an excellent security standard. But even they acknowledge the benefits that immutability provides for security (even on Qubes OS).
              • built-in rollback functionality; I can’t remember how GuixSD and NixOS far surpass anything else out there in this regard. However, for Fedora Atomic’s OCI model, it’s required that some registry builds your images. Currently, these images are stored for 90 days by default. Which means that I can go back to any one of these without keeping the snapshots on my own device. While it’s technically possible to keep snapshots from the last 90 days with Snapper/Timeshift, most sane people would simply not do it as it’s overkill and/or wasteful of storage. However, Fedora Atomic allows such functionality without burdening your system. Hence, it’s superior. Though, once again, perhaps this functionality is somehow available on traditional distros. But I’m simply unaware of it*.

              There’s no need to go over the “consequences” as they’re (as the name implies) consequences of what has mentioned earlier. Hence, as their causes are better than the one found on traditional distros, so are the consequences better than how they’re found on traditional distros.

              Finally, minimizing bit rot, configuration drift and hidden/unknown states are direct consequences of atomicity and declarative system management. Hence, immutable distros perform better at this compared to traditional distros.

              • dsemy@lemm.ee
                link
                fedilink
                English
                arrow-up
                1
                ·
                6 months ago

                (Note that the immutable distros will only be represented by Fedora, GuixSD and NixOS. The others are either too niche or immature)

                This was my issue with your original comment - I’m aware most of the work on features like these is based on immutable distros, but just being immutable doesn’t mean it will have those features.

                When it comes to reproducibility and declarative system management, I think you’re right that they’re only available in immutable distros.

                The security benefit of a read-only filesystem isn’t very significant IMO, and for some immutable distros, interesting parts (to attackers, like /etc for example) are mutable anyway.

                And I don’t use any snapshot solution currently, but don’t most of them only store the parts that change between snapshots? According to the Arch Wiki, Snapper’s “default settings will keep 10 hourly, 10 daily, 10 monthly and 10 yearly snapshots”. This doesn’t seem like much of an advantage for immutable distros, really.

                There’s no need to go over the “consequences” as they’re (as the name implies) consequences of what has mentioned earlier. Hence, as their causes are better than the one found on traditional distros, so are the consequences better than how they’re found on traditional distros.

                I disagree with this though. “Better” is very subjective - I for one consider being able to have an up to date system that can have parts of it updated without rebooting to be much nicer than using something like rpm-ostree, even if it is safer to use in theory (I can’t remember the last time I had an issue when installing a package; rebooting to apply an install atomically will likely make no difference to me other than wasting my time). I know I can use containers to get around this, but once again, this just adds to the hassle.

                • yala@discuss.online
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  6 months ago

                  Thanks for the quick reply!

                  This was my issue with your original comment - I’m aware most of the work on features like these is based on immutable distros, but just being immutable doesn’t mean it will have those features.

                  As alluded by the following in my previous comment:

                  Btw, I think this conversation is primarily on semantics and some assumptions we’re making related to that. So, I agree with you that (strictly speaking) immutability is only part of the puzzle (perhaps I might even refer to it as an enabler) for acquiring a lot of the aforementioned benefits to the degree by which it’s attained. So, the precise implementation of immutability is at least as important.

                  So, to conclude this point; yes, an immutable distro is not required to come with all those features by strict virtue of its immutability.


                  Arguably, our talk might have resolved a lot earlier if in your original comment;

                  That’s because most of these benefits are not a result of a distro being immutable.

                  , you had replaced “immutable” by “atomic”. To be clear, the “immutable” in “immutable distro” is not the correct adjective if we want to be descriptive. That’s probably why you chose to give the (current) definition of “immutable distro” rather than “being immutable” when prompted. Hence, the name “immutable distro” is continuously being redefined and rehashed based on the distros that are represented by them. The popular definition for “immutable distro” right after SteamOS 3.0 was released, was very different from the definition you gave it earlier. Which was again very different when we had only NixOS and Guix System as our points of references. Just like how I mentioned to not have any qualms with your earlier definition, I likely wouldn’t have any qualms with earlier shifts of the definition. Therefore, I’d argue, the notion of "immutable distro" is perhaps best defined by the distros that it represents. And currently, within the discourse, Fedora Atomic is its flag bearer. Hence, why a lot of other comments found under this post make assumptions based on that as their point of reference. But, I see Fedora Atomic merely as an iteration of NixOS but image-based (Colin Walters has even reported to be inspired by NixOS). And, the other (notable) immutable distros are heading that way. (And some, like blendOS, might already have come very close to that vision already.)


                  The security benefit of a read-only filesystem isn’t very significant IMO, and for some immutable distros, interesting parts (to attackers, like /etc for example) are mutable anyway.

                  It may not be very significant, but it is significant enough that even Qubes OS (with their excellent model) aspires to it. Btw, I never implied or said that security became perfect (quite the opposite actually) just by virtue of becoming immutable. Instead, I only said it improved*. Finally, I suppose it’s worth mentioning that e.g. Fedora Atomic does track the changes to /etc, keeps a pristine copy of /etc and allows you to flush /etc.

                  And I don’t use any snapshot solution currently, but don’t most of them only store the parts that change between snapshots? According to the Arch Wiki, Snapper’s “default settings will keep 10 hourly, 10 daily, 10 monthly and 10 yearly snapshots”. This doesn’t seem like much of an advantage for immutable distros, really.

                  No space occupied on your machine is better than some space occupied on your machine. I only said it’s better, its significance is definitely up to debate though.

                  There’s no need to go over the “consequences” as they’re (as the name implies) consequences of what has mentioned earlier. Hence, as their causes are better than the one found on traditional distros, so are the consequences better than how they’re found on traditional distros.

                  I disagree with this though. “Better” is very subjective

                  To be clear, I didn’t intend to imply that literally all consequences are better. With “consequences”, I actually implied the points that were mentioned in the comment you first replied to; rock solid system even with relatively up to date packages, possibility to enable automatic updates in background without fearing breakage, (quasi) factory reset feature, setting up a new system in just a fraction of the time required otherwise.

                  I for one consider being able to have an up to date system that can have parts of it updated without rebooting to be much nicer than using something like rpm-ostree, even if it is safer to use in theory

                  Let’s not disregard NixOS and Guix System 😅. Furthermore, I understand the frustration. Thankfully, even in Fedora Atomic, there’s a plethora of alternative package managers you can use to suit your needs; AppImage, Flatpak, Guix, Homebrew, Nix etc. Besides, I don’t think you install new software every single day. FWIW, systemd does offer the soft-reboot functionality; though, the biggest problem for me personally is restarting all the programs that were open. So yeah… Though, this might be an issue of the past with the upcoming systemd-sysext.

                  (I can’t remember the last time I had an issue when installing a package; rebooting to apply an install atomically will likely make no difference to me other than wasting my time). I know I can use containers to get around this, but once again, this just adds to the hassle.

                  This criticism is absolutely fair. I know you felt compelled to said this only due to a misinterpretation of what I meant with “consequences”. Nevertheless, I am totally with you that the ‘Fedora Atomic’-model is not perfect. And, perhaps, never will be. For all we know, it will coexist with traditional distributions perpetually.

      • Samueru@lemmy.ml
        link
        fedilink
        arrow-up
        1
        ·
        6 months ago

        You get all of this by using Btrfs in a regular distro.

        Recently kdeconnect broke on me, I just rolled back the snapshot to the day before.

        • yala@discuss.online
          link
          fedilink
          arrow-up
          5
          ·
          edit-2
          6 months ago

          You get all of this by using Btrfs in a regular distro.

          No you don’t. Refer to this reply I’ve written to someone else.

          Btw, Btrfs is only a file system, snapshot-functionality isn’t automatically implied with it. See traditional Fedora as a reference; i.e. defaults to Btrfs, but doesn’t set up Snapper/Timeshift or anything to that effect.

          But, even then, snapshot-functionality provides only of a small subset of the benefits in an inferior way (as I’ve explained in the reply to the other person).

          • Samueru@lemmy.ml
            link
            fedilink
            arrow-up
            1
            ·
            edit-2
            6 months ago

            What do you mean by declarative system configuration? that thing that nixos does that you set it up thru its config file?

            I’ve also kept several month old btrfs snapshots on my system and I don’t see a problem with it, they only add like 3 GIB of storage each when they are that old.

            Also I’m not sure what you meant by increased security? Is it more secure simply because you can’t edit the root filesystem?

            • yala@discuss.online
              link
              fedilink
              arrow-up
              1
              ·
              edit-2
              5 months ago

              Thank you for the reply!

              What do you mean by declarative system configuration? that thing that nixos does that you set it up thru its config file?

              What you refer to in NixOS is indeed its solution to offer declarative system configuration. But the other two mature immutable distros, i.e. Fedora Atomic and Guix System, have their own solutions. Though, Guix System’s solution is a lot more reminiscent of NixOS’. While Fedora Atomic leans on ‘the ways’ established for OCI (and hence containerfile(s) etc). Even less mature immutable distros, i.e. blendOS and Vanilla OS, have put considerable effort into the works for managing their systems declaratively.

              I’ve also kept several month old btrfs snapshots on my system and I don’t see a problem with it, they only add like 3 GIB of storage each when they are that old.

              My argument here is mostly just “No occupied storage on device is better than some occupied storage on device.”. But yeah, its significance is definitely up-to-debate. Perhaps I should have relied more on the built-in aspect; from the mainstream independent and/or highly popular traditional distros only (Garuda,) Linux Mint(, Manjaro, Nobara) and openSUSE Tumbleweed come with built-in rollback/snapshot functionality. But, regardless, the rollback/snapshot part of the equation is definitely the least special (if at all).

              Also I’m not sure what you meant by increased security? Is it more secure simply because you can’t edit the root filesystem?

              It’s indeed related to how some parts of the system are read-only during runtime (under normal circumstances). Hence, some types of attacks are circumvented from the get-go. This, by itself, doesn’t warrant the use of an immutable distro over a traditional one; even if the user is security conscious. However, if said user already intends to use a distro that takes security seriously (i.e. Fedora or openSUSE) for the sake of security (or at least it plays some role in their decision-making), then they might as well prefer their atomic counterparts. But yeah, for actual security, one should probs rely on Qubes OS instead. Though, atomic distros have given us the likes of secureblue; which may be the most secure Linux system for general-use we got (besides Qubes OS, if we even count that as Linux). The only other contender is Kicksecure.

    • gomp@lemmy.ml
      link
      fedilink
      arrow-up
      10
      arrow-down
      1
      ·
      edit-2
      6 months ago

      Honestly, IMO the end-user benefit is mostly that it sounds cool.

      All the benefits I’ve heard (including the ones in this discussion) don’t actually derive from “immutability” but from releases that stay the same for longer (which is what “more stable” used to mean), or the ability to roll back your system to some “known” working state (which you can do with snapshots and in a plethora of other ways).

      What immutability means is that users are unable to alter their system, or at least not expected to… basically, it means what in corporate lingo would sound “altering your system is not supported” and that the distro actively makes it hard for you to do so.

      This means users will not break their system because they followed badly some instructions they found on some badly written forum post anymore and blame the distro for it, but it also means that users who actually have a reason to alter their system and know what they are doing will have a hard time doing it (or be unable to), which is precisely why I left macos and went back to linux for my work computer some ten years ago (I spent half a day doing something I could have be done with in five minutes and said to myself “never again”).

      For the team/company that builds it, an immutable distro will likely be easier to test and maintain than a “regular” one, which should then indirectly benefit the users (well… as long as the team/company interests are aligned with the users’ of course: shall windows get easier for microsoft to maintain, how much benefit would trickle down to its end users?).

      Users who switch to an immutable distro should see a decrease in bugs short-term. In the longer run, I’d expect distros (especially the “commercial” ones) to reduce the effort they spend in QA until quality drops again to whatever level is deemed appropriate (if bread costs less I’m still not gonna buy more bread than I need… same goes for quality).

      Basically, it all boils down to “immutable distros cost less to maintain” (which, don’t get me wrong, is a net positive).

      I must say I find it slightly concerning to have heard several “veteran” linux users say that immutable distros are so great that they will install one on their parent/child/SO/friend’s PC but on their own.

      It’s also a bit unnerving to notice that most of the push for immutability seems to come from companies (the likes of debian/arch/gentoo/etc. are not pushing for immutability AFAIK, and they certainly don’t have the initiative in this field).

      I’m not sure how much immutable distros will benefit the community at large, and… I’m not even sure they will end up being very successful (windows/macos follow in whatever makes is more profitable for microsoft/apple, linux users have choice).

      I hope that immutable distros will prove both successful and good for the user community at large.

      edit: Forgot to explain the positives I hope for: since immutable distros should require less effort, I hope this will lead to more/better “niche” distros from small teams, and to distros with bigger teams doing more cool stuff with the extra manpower

    • Random Dent@lemmy.ml
      link
      fedilink
      English
      arrow-up
      4
      ·
      6 months ago

      I could see it being useful for like an office or something, where you do a big roll-out to a bunch of people. I’d assume having the system files be read-only and (presumably) the same on every system would eliminate a lot of guesswork for IT troubleshooting.

    • Sunny' 🌻@slrpnk.netOP
      link
      fedilink
      arrow-up
      3
      arrow-down
      2
      ·
      6 months ago

      Essentially: read-only system files.

      In immutable distros, you or any other programs that are installed on the system cannot modify the system files. That includes the system configuration files as well as applications. Its goal is to solve the problem of an entity gaining admin privlieges to your system and cause loads of damage. There are some addtional benefits too:

      • Updates apply at reboot
      • Root partition is read-only
      • Considered very secure
      • Sandboxed applications via flatpaks, snaps and appimages.
      • JackGreenEarth@lemm.ee
        link
        fedilink
        English
        arrow-up
        6
        ·
        6 months ago

        But then you also can’t make any changes to the system files. I thought the point of Linux was having more control

        • ddh@lemmy.sdf.org
          link
          fedilink
          English
          arrow-up
          8
          arrow-down
          1
          ·
          6 months ago

          The entity gaining access to system files and doing damage, it’s me.

        • biribiri11@lemmy.ml
          link
          fedilink
          arrow-up
          6
          ·
          6 months ago

          Config files are still editable. Most of them (rpm-ostree, for example) have a mechanism for managing packages, and subsequently rolling back if anything goes wrong or completely resetting, and leave /usr/local writable. For stuff like development and working with compiler toolchains, you should be using a container. I use vscode exported in a distrobox running Fedora 40, for example.

        • Sunny' 🌻@slrpnk.netOP
          link
          fedilink
          arrow-up
          2
          arrow-down
          1
          ·
          6 months ago

          It all boils down to user preferences right. Some users prefer the maxium amount of control, while others, including myself, only use the pc for gaming and browsing, so I’d rather have a system that cannot be broken by myself and not deal with updates etc…