I feel like inmutable distros are in a quite good state nowadays, and while solutions like bootc and sysexts are not “mainstream” yet, it’s getting there
when it comes to getting non Flatpak packages, things get interesting, there are a lot of options, really
AppImages, statically linked binaries, tarballs, OCI containers, distrobox/toolbx, Homebrew, VMs, Nix even experimental formats like RunImages, AppBundles and FlatImages
if you need some non-system level package, you’ll have a way to use it yet, still it seems sort of chaotic “which one should I choose? how will I be able to easily manage them?”
GPM, dbin, Soar, AM… and the list goes on
and it’s okay, the so called cloud native approach is still evolving, so this fragmentation is expected so it’s nice to share opinions about this while we’re living this interesting phase any thoughts?
Unsure whether it fits with the rest, but I’d argue it is an innovative and very compelling ‘standard’ that is competing with everything else mentioned in this thread.
So, the basic idea is as follows: if it is so difficult to deal with the loss of the main package manager found on the mutable/traditional variant, why don’t we pursuit ways to not lose it in the first place and thus try to make it coexist (somehow) with the atomic model. Enter RakuOS’s hybrid design in which everything installed through
dnfis overlayed persistently over thebootc-managed base system.All of the methods have big issues but I would still prefer them over messing with a mutable system
- snap is likely the most secure by avoiding user namespaces, using AppArmor only and thus being very flexible (also for use for kernels, drivers, browsers …) but it is proprietary, nobody likes it and Canonical doesnt wanna stop somehow.
- flatpak has the biggest amount of officially maintained packages, but packaging is often really bad, runtime extensions arent really a thing, instead people just put ffmpeg binaries in their packaged and think that is fine. Flatpak does consume quite some disk space and more importantly RAM for the duplicated things
- nix doesnt have any of these, but sandboxing is hard, there is either stable or unstable, changing and configuring things is very complex. Likely no official packages. Still the method I prefer.
- homebrew idk? Never tried, mac focused and with more and more linux features like sandboxing. No idea
- distrobox/toolbox is pretty hacky, relies on entire distros running in parallel with no shared anything (currently, afaik bootc deduplication is kind of planned but kind of difficult too). Updates dont really work so either you go declarative with podman compose or distrobox-assemble, or you use rolling distros. Also they share your homedir by default so they will clutter and mess up your dotfiles which is a problem nobody deals with. Dotfile backup tools exist but are kinda complex. Distrobox has a config but the creator doesnt seem to want to make it the default, neither do downstreams.
- Appimages just suck, back to the windows way but without developer signature verification (like Windows) or secure updates (like .apk files on Android)
Also Nix, Flatpak and a few more fully depend on Github. Same with uBlue, Secureblue and a ton of other projects. Really scary actually.
Looks to me like immutable only attracts the kind of developers/hackers who like to solve things by slapping another runtime on it.
Immutable in the actual sense yes, it is basically a product and every other software is installed aside from it.
But you can also have better managed systems like nix or ostree, that reduce entropy or at least make it fully declarative so theoretically finding and reproducing issues is easy
my thoughts
- lol i just completely forgot about snaps
- Nix can’t be installed in the standard way on inmutable distros :(
- Homebrew is actually good, it’s exactly like your usual package manager and works with /home as a symlink, however it can take up a lot of storage since it pulls it’s own dependencies and that GCC thing is another one
- distrobox/toolbx have their usecases, but until things get better it can be used as a last resort
- and good old AppImages, I think they’re good for slow moving projects and games, but a large amount of them are not really portable, which defeats the purpose of AppImagws in the first place
Can always just layer it with rpm-ostree install (.rpm file)
Never used homebrew, that doesnt sound good.
I am trying to use nix and firejail only, but it is pretty rough and barely documented which is kinda insane as firejail is THE tool. Unlike crabjail, bubblejail and what else is out there
I am trying to use nix and firejail only, but it is pretty rough and barely documented which is kinda insane as firejail is THE tool. Unlike crabjail, bubblejail and what else is out there
I was investigating sandboxing with Nix. Here is a dump of my saved notes:
General Nix Based
https://todo.sr.ht/~alexdavid/jail.nix
LLM Specific Nix based
Projects to sandbox AI agents:
https://github.com/archie-judd/agent-sandbox.nix
https://github.com/myme/jaillm/blob/main/flake.nix
https://github.com/gfauredev/nix-agents-jail
https://github.com/azuwis/fence-agent.nix
github.com/kohane27/jailed-ai-agents/blob/main/llm.sh
Someone told me that if you take these things and then replace the entrypoint with bash, you get a sandboxed shell environment
distrobox/toolbox
Distrobox excels for when you need some proprietary tool that ships it’s packages as a repo for Ubuntu but not much else. You spin up a distrobox for Cisco Packet Tracer, or VSCode (the proprietary microsoft one, not Arch’s Code-OSS and Unity.
Then, once you’re done, you can just delete it all.
this, even a tarball would have been better than a Ubuntu-only .deb
If the tarball was dynamically linked against specific distro’s libraries though, then it wouldn’t work on all distros.
They also often provide RPM packages for Red Hat systems. Not always though, and I use Arch (btw) anyways.
really? by the time I needed it, there were only .deb available, and they did not listed all their dependencies on Debian, only on Ubuntu, I had to look for their dependencies and install them manually, what a mess I made
Not everybody does. It’s just sometimes.
nix doesnt have any of these, but sandboxing is hard, there is either stable or unstable, changing and configuring things is very complex. Likely no official packages. Still the method I prefer.
Nix is what I use, and it was frustrating to have to hack a lot of it into place, but I feel like it has the most potential. Unfortunately the flakes nonflakes split, in combination with the split of “distros” like determinate nix, flox, and so on, and the governance concerns really hold it back. It has horrific documentation, for the most part caused by the above (flakes are “experimental” and so can’t be included in official docs), and it is frustrating the lengths I have to go to to make stuff work that should be easy.
For example, GPU acceleration of Nix packaged apps on non Nixos systems. I figured out how to do it:
(config.lib.nixGL.wrappers.mesa pkgs.gzdoom)
But I think it’s just straight up impossible to do this via imperative package installs, outside of home manager. And it’s kind off important if you want any GUI app whatsoever to work.
But now that I have it working, I use Nixpkgs exclusively and am able to avoid the AUR entirely. To me, the AUR is a last resort, only for something like say, system level printer drivers (thankfully I’ve never needed to install anything to get printers to work). By ensuring that I only use the AUR once in a blue moon, I can make sure that I actually review the PKGBUILD when using it.
snap is likely the most secure by avoiding user namespaces, using AppArmor only and thus being very flexible (also for use for kernels, drivers, browsers …) but it is proprietary, nobody likes it and Canonical doesnt wanna stop somehow.
Snap does seem to support user namespaces. Although I want to comment that user namespaces are not universally insecure. When an application is confined within a user namespace, seccomp rules restrict it from being able to interact with the user namespaces subsystem, walling it off from the increased attack surface.
Likely no official packages.
Would you mind explaining what you mean with this? Thanks in advance!
They are probably referring to the way that snap, flatpak, and distrobox are available as official packages in most linux distro’s repositories, whereas nix isn’t. I have encountered this frustration for sure. Debian and Arch provide nix packages, but many other distros don’t.
In addition to this, nix requires manual setup if you install it from the repos, which is annoying. And then you have to do further manual setup to enable flakes, and then you have to figure out how to install packages and it’s not fun.
So the main way people install nix is via the
curl | bashscripts various “distros” of Nix provide.No, official packages mean packaged upstream by the creators of the software, so if issues occur you can talk to them directly.
Ah okay. Thanks for clarifying! But isn’t that a problem with most repositories? I believe Flatpak’s verified is one of the few exceptions.
Preface: I have been daily driving Fedora Atomic for the last couple of years and have also used a bit of Aeon and NixOS.
My opinion is that while atomic/immutable desktops are overall a good idea, they are marred by poor planning, a refusal to fix existing tools, and some cope.
There are way too many package managers and waste in this space. I think flatpak is a large cause of all this friction due to fact that it is always “sandboxed” and only focuses on GUI apps. The fact that it does not aim to support CLI apps (despite being able to handle them quite well!) means that we must have another tool, traditionally podman via toolbox/distrobox. The sandbox doesn’t play well with certain subsets of apps, notably things like VSCode. At least Flatpak Next seems like it will address this part with its unsandboxed mode.
I also find it quite strange how some developers revel in wasted space and inefficiency. So many duplicated libraries between the host, flatpak, podman, and homebrew. With better planning, we could’ve had shared runtimes (such as Freedesktop) between the OS, flatpak, and whatever CLI package manager. Instead we have something like Fedora packages for the host OS and podman (not shared), flatpak using Freedesktop, and brew shipping their own stuff.
I also think that systemd sysexts are poorly designed, it’s crazy they’re being pushed. It’s pretty much a package manager without dependency management. And for what upsides? It has no sandboxing, it’s not portable between distros and distro versions, and must vendor dependencies to work around having no concept of dependencies. And we’re already seeing fragmentation with Fedora and OpenSUSE working on their own frontends to manage sysexts.
yay I think Flatpak has potential for CLI apps, they just need a nice way to expose aliases to the host actually, there are some CLI apps on Flathub already so I still don’t know how that “no terminal apps” criteria is handled
didn’t know sysext were so cumbersome
did you know about pkgforge repo? it’s an interesting project however, even package managers for portable formats are sort of fragmented
I don’t like depending on GitHub so I don’t consider GPM, Soar and AM seem too similar… and I still have to understand what makes dbin stand out
