I was thinking about going immutable for a long time and now I’m choosing a distro to hop to.
My question is: what are good immutable distros other than Fedora Silverblue spins, UBlue family and NixOS?
Maybe someone uses/used any? What is/was your experience with it?

  • Laser@feddit.org
    link
    fedilink
    arrow-up
    2
    ·
    edit-2
    5 months ago

    Back when I was looking to switch distributions a year ago and it came to the choice between NixOS and Guix System, the latter unfortunately lost due to lack of features I considered essential for me. These were availability of proprietary packages (notably Steam, though I guess this could be rectified with a flatpak version or something), and no support for secure boot, which was the prime reason to switch in the first place, as I wanted to enable passwordless FDE unlock on boot for my machines (at least for the desktop, this should be secure because of fTPM).

    Secure Boot is a bit of a more involved process with Lanzaboote, it’s not just another “enable = true;”, but at least after initial setup it just keeps on working.

    I recently spun up another server for various uses, one being backups using restic. According to https://packages.guix.gnu.org/search/?query=restic, it’s at 0.9.6 in their repos. NixPKGs has 0.16.5. 0.9.6 turns 5 years old this year.

    The other services (yes, they are sketchy, but all GPL) aren’t even in Guix at all. Yes, that’s a network effect, but if switching the distribution forces me write half of it myself (exaggerating here) it’s not suited for my case. The Nix ecosystem has issues but at least it enables me to build the system I want. Guix unfortunately is just another GNU project that’s more focused on ideals than practical reality, which, given GNU’s nature, is completely understandable and justified. But probably also the main reason for why in the real world, Nix is dominant in its niche while Guix System is a footnote.

    • bsergay@discuss.online
      link
      fedilink
      arrow-up
      1
      ·
      5 months ago

      Hi, I’m @sergay@discuss.online with another username.

      I agree with your post. While, Guix System looks the best on paper (after Fedora Atomic and NixOS), it truly requires a lot of expertise from its user. So, if OP is not interested in learning Guix System and/or the Guile Scheme language for the sake of running their OS, then they should look for something else. Because, as you’ve noted, they might have no choice but to contribute by packaging some of the software they need for themselves.

      Regarding Secure Boot, that’s definitely a problem. However, not all distros support it OOTB. I might have dismissed it earlier because I consider FDE to be more important than Secure Boot. But I’m aware that this is not on technical merits.

      IMO one should not dare to touch any ‘immutable’ distros besides Fedora Atomic and/or NixOS unless they know exactly what they’re getting into and why they prefer it over Fedora Atomic and/or NixOS.

      • Laser@feddit.org
        link
        fedilink
        arrow-up
        1
        ·
        5 months ago

        Regarding Secure Boot, that’s definitely a problem. However, not all distros support it OOTB. I might have dismissed it earlier because I consider FDE to be more important than Secure Boot. But I’m aware that this is not on technical merits.

        I’d consider FDE more important as well (apart from some fringe use cases). But it doesn’t cover all possible attacks, as unlikely as some of them are. However, together they create a solution that is both convenient and sufficiently secure, as long as you can’t just intercept the keys on the hardware.

        FDE protects the confidentiality of your data in offline attacks, Secure Boot protects integrity and authenticity of binaries started by UEFI. These complement, they don’t compete.

        • bsergay@discuss.online
          link
          fedilink
          arrow-up
          1
          ·
          5 months ago

          After rereading my text, I came to the conclusion that I might have given of the impression that FDE and Secure Boot indeed compete with eachother. Which, as you’ve excellently noted, is not the case. Thank you for ensuring that others don’t misunderstand this!