this post was submitted on 21 Jun 2026
18 points (100.0% liked)


I feel like immutable distros are in a quite good state nowadays, and while solutions like bootc and sysexts are not “mainstream” yet, it’s getting there.

When it comes to getting non-Flatpak packages, things get interesting; there are a lot of options, really:

AppImages, statically linked binaries, tarballs, OCI containers, distrobox/toolbx, Homebrew, VMs, Nix, even experimental formats like RunImages, AppBundles and FlatImages.

If you need some non-system-level package, you’ll have a way to use it, yet it still seems sort of chaotic: “which one should I choose? how will I be able to easily manage them?”

GPM, dbin, Soar, AM… and the list goes on.

And it’s okay, the so-called cloud native approach is still evolving, so this fragmentation is expected. It’s nice to share opinions about this while we’re living through this interesting phase. Any thoughts?

top 22 comments
[–] EchoDelta_9@programming.dev 1 points 4 hours ago

Unsure whether it fits with the rest, but I'd argue it is an innovative and very compelling 'standard' that is competing with everything else mentioned in this thread.

So, the basic idea is as follows: if it is so difficult to deal with the loss of the main package manager found on the mutable/traditional variant, why don't we pursue ways to not lose it in the first place and thus try to make it coexist (somehow) with the atomic model? Enter RakuOS's hybrid design, in which everything installed through dnf is overlayed persistently over the bootc-managed base system.

[–] boredsquirrel@slrpnk.net 6 points 21 hours ago* (last edited 21 hours ago) (6 children)

All of the methods have big issues, but I would still prefer them over messing with a mutable system.

  • snap is likely the most secure by avoiding user namespaces, using AppArmor only and thus being very flexible (also for use for kernels, drivers, browsers ...)
  • flatpak has the biggest amount of officially maintained packages, but packaging is often really bad, runtime extensions aren't really a thing, instead people just put ffmpeg binaries in their packages and think that is fine. Flatpak does consume quite some disk space and, more importantly, RAM for the duplicated things
  • nix doesn't have any of these, but sandboxing is hard, there is either stable or unstable, changing and configuring things is very complex. Likely no official packages. Still the method I prefer.
  • homebrew idk? Never tried, mac focused and with more and more linux features like sandboxing. No idea
  • distrobox/toolbox is pretty hacky, relies on entire distros running in parallel with no shared anything (currently, afaik bootc deduplication is kind of planned but kind of difficult too). Updates don't really work, so either you go declarative with podman compose or distrobox-assemble, or you use rolling distros. Also they share your homedir by default, so they will clutter and mess up your dotfiles, which is a problem nobody deals with. Dotfile backup tools exist but are kinda complex. Distrobox has a config, but the creator doesn't seem to want to make it the default, neither do downstreams.
  • Appimages just suck, back to the windows way but without developer signature verification (like Windows) or secure updates (like .apk files on Android)
[–] MonkderVierte@lemmy.zip 1 points 12 hours ago* (last edited 11 hours ago) (1 children)

Looks to me like immutable only attracts the kind of developers/hackers who like to solve things by slapping another runtime on it.

[–] boredsquirrel@slrpnk.net 2 points 11 hours ago

Immutable in the actual sense yes, it is basically a product and every other software is installed aside from it.

But you can also have better managed systems like nix or ostree, that reduce entropy or at least make it fully declarative, so theoretically finding and reproducing issues is easy.

[–] overcast@lemmy.zip 5 points 18 hours ago (2 children)

my thoughts

  • lol i just completely forgot about snaps
  • Nix can’t be installed in the standard way on immutable distros :(
  • Homebrew is actually good, it’s exactly like your usual package manager and works with /home as a symlink, however it can take up a lot of storage since it pulls its own dependencies and that GCC thing is another one
  • distrobox/toolbx have their usecases, but until things get better it can be used as a last resort
  • and good old AppImages, I think they’re good for slow moving projects and games, but a large amount of them are not really portable, which defeats the purpose of AppImages in the first place
[–] marcie@lemmy.ml 1 points 11 hours ago

Can always just layer it with rpm-ostree install (.rpm file)

[–] boredsquirrel@slrpnk.net 1 points 13 hours ago (1 children)

Never used homebrew, that doesn't sound good.

I am trying to use nix and firejail only, but it is pretty rough and barely documented, which is kinda insane as firejail is THE tool. Unlike crabjail, bubblejail and what else is out there.

I was investigating sandboxing with Nix. Here is a dump of my saved notes:

General Nix Based

github.com/nixpak/nixpak

github.com/Naxdy/nix-bwrapper

https://todo.sr.ht/~alexdavid/jail.nix

LLM Specific Nix based

Projects to sandbox AI agents:

https://github.com/archie-judd/agent-sandbox.nix

https://github.com/myme/jaillm/blob/main/flake.nix

https://github.com/gfauredev/nix-agents-jail

https://github.com/azuwis/fence-agent.nix

github.com/kohane27/jailed-ai-agents/blob/main/llm.sh

Someone told me that if you take these things and then replace the entrypoint with bash, you get a sandboxed shell environment.

[–] moonpiedumplings@programming.dev 3 points 20 hours ago (1 children)

distrobox/toolbox

Distrobox excels for when you need some proprietary tool that ships its packages as a repo for Ubuntu but not much else. You spin up a distrobox for Cisco Packet Tracer, or VSCode (the proprietary microsoft one, not Arch's Code-OSS) and Unity.

Then, once you're done, you can just delete it all.

[–] overcast@lemmy.zip 2 points 18 hours ago (1 children)

this, even a tarball would have been better than an Ubuntu-only .deb

[–] moonpiedumplings@programming.dev 1 points 18 hours ago (1 children)

If the tarball was dynamically linked against a specific distro's libraries though, then it wouldn't work on all distros.

They also often provide RPM packages for Red Hat systems. Not always though, and I use Arch (btw) anyways.

[–] overcast@lemmy.zip 1 points 18 hours ago (1 children)

really? by the time I needed it, there were only .deb packages available, and they did not list all their dependencies on Debian, only on Ubuntu. I had to look for their dependencies and install them manually, what a mess

[–] moonpiedumplings@programming.dev 0 points 17 hours ago

Not everybody does. It's just sometimes.

[–] moonpiedumplings@programming.dev 2 points 20 hours ago* (last edited 20 hours ago)

nix doesn't have any of these, but sandboxing is hard, there is either stable or unstable, changing and configuring things is very complex. Likely no official packages. Still the method I prefer.

Nix is what I use, and it was frustrating to have to hack a lot of it into place, but I feel like it has the most potential. Unfortunately the flakes/non-flakes split, in combination with the split of "distros" like determinate nix, flox, and so on, and the governance concerns really hold it back. It has horrific documentation, for the most part caused by the above (flakes are "experimental" and so can't be included in official docs), and it is frustrating the lengths I have to go to to make stuff work that should be easy.

For example, GPU acceleration of Nix packaged apps on non Nixos systems. I figured out how to do it:

(config.lib.nixGL.wrappers.mesa pkgs.gzdoom)

source

But I think it's just straight up impossible to do this via imperative package installs, outside of home manager. And it's kind of important if you want any GUI app whatsoever to work.

But now that I have it working, I use Nixpkgs exclusively and am able to avoid the AUR entirely. To me, the AUR is a last resort, only for something like say, system level printer drivers (thankfully I've never needed to install anything to get printers to work). By ensuring that I only use the AUR once in a blue moon, I can make sure that I actually review the PKGBUILD when using it.

[–] moonpiedumplings@programming.dev 1 points 20 hours ago

snap is likely the most secure by avoiding user namespaces, using AppArmor only and thus being very flexible (also for use for kernels, drivers, browsers …) but it is proprietary, nobody likes it and Canonical doesn't wanna stop somehow.

Snap does seem to support user namespaces. Although I want to comment that user namespaces are not universally insecure. When an application is confined within a user namespace, seccomp rules restrict it from being able to interact with the user namespaces subsystem, walling it off from the increased attack surface.
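As an added illustration of the mechanism this comment describes (written for this thread, not snap's or flatpak's actual confinement profile): a seccomp-BPF filter that makes the syscalls which create or join user namespaces fail with EPERM, so a process confined inside one namespace cannot reach the user-namespace subsystem again while every other syscall keeps working. Function names are my own; syscall numbers and the architecture check are the stock Linux ones.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sched.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Illustrative filter (not a real snap/flatpak profile): deny setns() and any
 * unshare()/clone() carrying CLONE_NEWUSER. Returns 0 on success, else -1. */
int deny_userns_syscalls(void)
{
    struct sock_filter filter[] = {
        /* Fail closed if the syscall ABI is not the one the numbers below belong to. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_setns, 5, 0),   /* setns: deny   */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_unshare, 1, 0), /* inspect flags */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone, 0, 2),   /* else: allow   */
        /* unshare/clone: flags are arg0; deny only if CLONE_NEWUSER is set. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, CLONE_NEWUSER, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)   /* required for unprivileged seccomp */
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Try to create a user namespace; returns 0 on success, otherwise errno (EPERM once filtered). */
int probe_userns(void)
{
    return unshare(CLONE_NEWUSER) == 0 ? 0 : errno;
}
```

A real profile would also cover clone3(), whose flags live in a struct that classic seccomp-BPF cannot inspect (the usual answer is to return ENOSYS so libc falls back to clone()).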

[–] EchoDelta_9@programming.dev 1 points 21 hours ago (1 children)

Likely no official packages.

Would you mind explaining what you mean with this? Thanks in advance!

[–] moonpiedumplings@programming.dev 1 points 20 hours ago* (last edited 20 hours ago) (1 children)

They are probably referring to the way that snap, flatpak, and distrobox are available as official packages in most linux distros' repositories, whereas nix isn't. I have encountered this frustration for sure. Debian and Arch provide nix packages, but many other distros don't.

In addition to this, nix requires manual setup if you install it from the repos, which is annoying. And then you have to do further manual setup to enable flakes, and then you have to figure out how to install packages, and it's not fun.

So the main way people install nix is via the curl | bash scripts that various "distros" of Nix provide.

[–] boredsquirrel@slrpnk.net 1 points 13 hours ago (1 children)

No, official packages mean packaged upstream by the creators of the software, so if issues occur you can talk to them directly.

[–] EchoDelta_9@programming.dev 1 points 4 hours ago

Ah okay. Thanks for clarifying! But isn't that a problem with most repositories? I believe Flatpak's verified is one of the few exceptions.

[–] novafunc@discuss.tchncs.de 7 points 23 hours ago* (last edited 20 hours ago) (1 children)

Preface: I have been daily driving Fedora Atomic for the last couple of years and have also used a bit of Aeon and NixOS.

My opinion is that while atomic/immutable desktops are overall a good idea, they are marred by poor planning, a refusal to fix existing tools, and some cope.

There are way too many package managers and waste in this space. I think flatpak is a large cause of all this friction due to the fact that it is always "sandboxed" and only focuses on GUI apps. The fact that it does not aim to support CLI apps (despite being able to handle them quite well!) means that we must have another tool, traditionally podman via toolbox/distrobox. The sandbox doesn't play well with certain subsets of apps, notably things like VSCode. At least Flatpak Next seems like it will address this part with its unsandboxed mode.

I also find it quite strange how some developers revel in wasted space and inefficiency. So many duplicated libraries between the host, flatpak, podman, and homebrew. With better planning, we could've had shared runtimes (such as Freedesktop) between the OS, flatpak, and whatever CLI package manager. Instead we have something like Fedora packages for the host OS and podman (not shared), flatpak using Freedesktop, and brew shipping their own stuff.

I also think that systemd sysexts are poorly designed; it's crazy they're being pushed. It's pretty much a package manager without dependency management. And for what upsides? It has no sandboxing, it's not portable between distros and distro versions, and must vendor dependencies to work around having no concept of dependencies. And we're already seeing fragmentation with Fedora and OpenSUSE working on their own frontends to manage sysexts.

[–] overcast@lemmy.zip 1 points 20 hours ago* (last edited 20 hours ago)

yay, I think Flatpak has potential for CLI apps, they just need a nice way to expose aliases to the host. Actually, there are some CLI apps on Flathub already, so I still don’t know how that “no terminal apps” criteria is handled.

didn’t know sysexts were so cumbersome

[–] overcast@lemmy.zip 1 points 18 hours ago

did you know about the pkgforge repo? it’s an interesting project, however even package managers for portable formats are sort of fragmented

I don’t like depending on GitHub so I don’t consider GPM, Soar and AM seem too similar… and I still have to understand what makes dbin stand out