I have been trying some of the immutable linux OSes because from what I understand they are more modern and feature better security and reliability. What I have found so far is shocking. Half of these don’t support my laptop (probably because it’s nvidia optimus). Some I tried like guix were very difficult to install, configure, and use with sprase documentation. Good luck trying to use KDE, wayland, or pipewire for example. BlendOS was notably better and could at least run on my laptop but chocked with nvidia driver issues.
I have switched to pop os on my laptop for now but looking at alternatives and what to install on my desktop.
I’m not sure how good a suggestion this is for you and your optimus usecase, but have you checked out the uBlue spins of Fedora Silverblue/Kinoite/etc? They pre-include stuff that Fedora won’t ship, like non-free codecs and nvidia drivers.
I’m prepping a swap from Arch Linux to my own Silverblue image based on their DIY guide at the moment, mainly to see how the whole immutable aspect feels day-to-day. The image-based updates in the background are just a bonus.
That’s what I am currently trying to install thanks to some suppressingly helpful people on Reddit. Is there any particular iso you recommend?
Have you tried NixOS? I recommend that over guix.
I was told it’s very difficult and has bad documentation. Funnily enough that’s exactly the experience I have had with guix.
Compared to guix NixOS is significantly ahead. “difficult” is to each their own. For me, NixOS is the easiest to do certain things. But those things are what i use a computer for and might not match what you do.
As for docs - nothing beats Arch :)
I think I tried NixOS briefly a while ago. I might have a go eventually or install it in a VM to check it out.
Definitely start with a vm. If you run into troubles let me know. I have a YouTube channel where i post nix content regularly.
That said the docs are not as good as Arch. The best way is to read the
nixpkgssource. Which is a very high barrier to entry. Otoh, only one repo is required to completely see everything.
It has terrible documentation, no doubt about it. However, depending on your setup requirements, the installation procedure can be quite acceptable. It should finally have a graphical installer.
If you’re not doing anything complicated like programming, hosting your own services, or planning on using rare software that you yourself have to package, it can be a very low maintenance OS.
My single biggest tip: before installing something, check if it has an “option”
For example, if you want to use KDE as your desktop environment, you need the
services.xserver.desktopManager.plasma5.enableoption. Use the option search. It’s often easier than listing the individual packages manually and writing their configuration manually.The reason for this is that nixos doesn’t have “meta” packages. Those are packages that just contain other packages. Most package only has the absolute minimum it needs to be built - not run. The KDE desktop environment requires many packages to run.
Additionally, package configuration normally happens outside of the package in a declarative manner. You don’t write
/etc/network.d/111_startup.sh. That’s either in an optionenvironment.etc"network.d/111_startup.sh"or (making this up)networking.startupScriptswhich puts a value in toenvironment.etc"network.d/{script.name}.
Do no be afraid to ask for help. The nix community is aware of the documentation disaster it has on its hands.
Yes, the nix foundation is slow and doesn’t have its own wiki - no idea why.
My set-up actually is fairly complicated. I actually have a degree in CS and am looking for tech related jobs. I have decided to go a different direction for now but I intend to learn the nix package manager at some point. Partly because it comes included with my new OS (Bazzite/ublue), and partly because I hear it’s useful and pays well in industry.
TL;DR: If I were to choose an immutable OS to run on my propriety graphics cards I’d choose an immutable distribution with rolling releases or hardware enablement packages, which tend to do a better job of keeping these graphics libraries up-to-date for new hardware.
I don’t have a recommendation but I just learned about immutable Linux OSes from this post. I could see benefits of immutable OS files, but I’ve been skeptical about package distribution like flatpak and snap, at least in their current state.
Dont get me wrong, the workflow of flatpack is great, but in my experience, apps from flatpack typically ship with their own runtime and don’t rely on system runtimes (likely why you have GPU driver issues). As a software developer, I obviously prefer to ship with all dependencies and runtimes so I don’t have to rely on the system to be updated but this comes with downsides:
A major problem with alternate runtimes is drivers. New graphics hardware needs new graphics libraries which have a ton of dependencies. Mesa depends on LLVM for compiling shaders. The NVidia driver depends on a kernel module whose version must exactly match that of the library. All of these libraries have their own transitive dependencies like libdrm, libstdc++ and glibc. If you want new hardware to work, you need to be using new versions of all of these libraries.
Linux distributions, especially those with rolling releases or hardware enablement packages, do a great job of keeping these libraries up-to-date for new hardware. Bundled runtimes do not. Source.
I’d recommend checking out that article I linked as source. There are also security concerns of using apps, some of which are mitigated by having an immutable filesystem, but there are more points and this comment is long enough as it is.
EDIT: I reread my comment and it comes off as “immutable bad, blah blah”. Truth is I don’t know much about these OSes but I wanted to point out that distributing apps in containers comes with its own challenges; which I gather is necessary for immutable OSes. So my TL;DR is to narrow down to a distribution that is immutable and has a rolling release or distributes hardware enablement packages.
Flatpak is by design more secure - not less. Not everything runs in a flatpak anyway thanks to distrobox, podman, and rpm-ostree.
My GPU issues were related to the host as well as the GPU drivers quit working their two. It refused to load the correct kernel module. I have since found immutable OSes with Nvidia support OOB. I haven’t tried any on that machine yet but am playing with one of my desktop.
I agree that by design Flatpak aims to provide a secure environment through sandboxing; in practice, the implementation has gaps that can lead to security risks, particularly when apps are granted extensive filesystem access. This can undermine the effectiveness of the sandbox and potentially expose systems to vulnerabilities. HOWEVER, being on an immutable system, these risks are mitigated to some degree.
I’m particularly hopeful for Flatpak’s promise of fine grained permissions. Flatpak is developing a fine-grained permission system with portals for external interactions, BUT this system relies on integration with toolkits like GTK, rather than app-specific APIs, complicating its implementation. There is more info in the linked article in the previous post, and here it is again.
Admittedly I’m not familiar with distrobox, but my caution is for any approach that distributes containerized programs with their own runtimes; they proved to be a real headache on my “mutable” system and my nvidia GPU until I switched to rolling OS.
I’m glad you found some candidates to potentially resolve your issue. What distro did you end up using? I’m curious to give it a go next chance I have some free time. Cheers.
Bazzite - it’s part of the ublue family derived from fedora but with extras including extra drivers.
Edit: you also get some immutable distros that don’t need flatpaks like nix os and guix. They are much more difficult to work with though.
cool thanks.
Well I’m glad to hear these things being worked on and worked out
Yeah it seems to work well on my desktop with an AMD card. They have a variet for Asus laptops with Nvidia GPUs, so hopefully it will be easy to setup if I go that route. For now I am keeping Pop_OS! on my laptop as it seems fairly useful.
