I was thinking about going immutable for a long time and now I’m choosing a distro to hop to.
My question is: what are good immutable distros other than Fedora Silverblue spins, UBlue family and NixOS?
Maybe someone uses/used any? What is/was your experience with it?
Currently, the only projects I’d refer to as (remotely) GA are ChimeraOS, Endless OS, Fedora Atomic, Guix System, NixOS and their derivatives. The rest is, unfortunately, simply not there yet. The closest to these would be openSUSE Aeon. But, if you’d like FDE on your device, then you’d have to forego it for now. Currently, I would advice against relying on any other projects; including Arkane Linux, AshOS, blendOS, carbonOS, MocaccinoOS, Nitrux, openSUSE Kalpa, rlxos and Vanilla OS. Unless, you’re fine dealing with whatever random and fringe issues you may have to face.
As for the previously mentioned GA ‘immutable’ distros, you don’t like to pursue Fedora Atomic, NixOS and their derivatives for IMO fair reasons. ChimeraOS is primarily an OOTB console experience distro (aka couch gaming) that happens to be ‘immutable’. Therefore, bending it (to become your distro for general use) will definitely be an involved process. But, it’s possible. Likewise, Endless OS is somewhat locked down (beyond what you’d expect from your average ‘immutable’ distro) and has to be bend (at least slightly) in order for it to be more suitable as a daily driver.
This leaves us with Guix System. IMO, if you want to pursue this right now, then Guix System is simply the only remaining way of going forward. It’s fit to suit whatever needs you’d have and offers access to official documentation that’s at least a decade ahead of the one found for NixOS. However, don’t expect this to be entirely painless; ‘immutable’ distros require (in general) a bit more know-how compared to traditional distros. And within the ‘immutable distros’, Guix System and NixOS are uniquely positioned for how ‘powerful’ they feel compare to (literally) any other distro. But, with great power comes great responsibility. Hence, you should definitely know your shit.
Finally, if FDE is not a hard requirement for you and if you can live with GNOME and if don’t have qualms against containerizing everything and if you don’t intend to tinker, then you might also consider openSUSE Aeon.
Back when I was looking to switch distributions a year ago and it came to the choice between NixOS and Guix System, the latter unfortunately lost due to lack of features I considered essential for me. These were availability of proprietary packages (notably Steam, though I guess this could be rectified with a flatpak version or something), and no support for secure boot, which was the prime reason to switch in the first place, as I wanted to enable passwordless FDE unlock on boot for my machines (at least for the desktop, this should be secure because of fTPM).
Secure Boot is a bit of a more involved process with Lanzaboote, it’s not just another “enable = true;”, but at least after initial setup it just keeps on working.
I recently spun up another server for various uses, one being backups using restic. According to https://packages.guix.gnu.org/search/?query=restic, it’s at 0.9.6 in their repos. NixPKGs has 0.16.5. 0.9.6 turns 5 years old this year.
The other services (yes, they are sketchy, but all GPL) aren’t even in Guix at all. Yes, that’s a network effect, but if switching the distribution forces me write half of it myself (exaggerating here) it’s not suited for my case. The Nix ecosystem has issues but at least it enables me to build the system I want. Guix unfortunately is just another GNU project that’s more focused on ideals than practical reality, which, given GNU’s nature, is completely understandable and justified. But probably also the main reason for why in the real world, Nix is dominant in its niche while Guix System is a footnote.
Hi, I’m @sergay@discuss.online with another username.
I agree with your post. While, Guix System looks the best on paper (after Fedora Atomic and NixOS), it truly requires a lot of expertise from its user. So, if OP is not interested in learning Guix System and/or the Guile Scheme language for the sake of running their OS, then they should look for something else. Because, as you’ve noted, they might have no choice but to contribute by packaging some of the software they need for themselves.
Regarding Secure Boot, that’s definitely a problem. However, not all distros support it OOTB. I might have dismissed it earlier because I consider FDE to be more important than Secure Boot. But I’m aware that this is not on technical merits.
IMO one should not dare to touch any ‘immutable’ distros besides Fedora Atomic and/or NixOS unless they know exactly what they’re getting into and why they prefer it over Fedora Atomic and/or NixOS.
Regarding Secure Boot, that’s definitely a problem. However, not all distros support it OOTB. I might have dismissed it earlier because I consider FDE to be more important than Secure Boot. But I’m aware that this is not on technical merits.
I’d consider FDE more important as well (apart from some fringe use cases). But it doesn’t cover all possible attacks, as unlikely as some of them are. However, together they create a solution that is both convenient and sufficiently secure, as long as you can’t just intercept the keys on the hardware.
FDE protects the confidentiality of your data in offline attacks, Secure Boot protects integrity and authenticity of binaries started by UEFI. These complement, they don’t compete.
I’ve been using Opensuse Aeon just over a year and it’s done great.
Tumbleweed user for the last 5 years, and dealt with a few issues over that time. The usually infrequent update break that comes with rolling release. And the Opensuse ‘Patterns’ started, which I loathe and it’s a disaster to try to disable them every install.
Aeon hasn’t had any of those issues. It’s been very much a “turn it on and get to work”.
I’ve generally had less issues with Aeon than Tumbleweed - like certain flatpaks not crashing.
But downsides as I see them:
I’m not a gnome guy. It’s fine though, I don’t hate it. But some people can’t stand it.
I had a bit of trouble running wine. Something about the default security policy. There’s a known workaround.
Kalpa needs to attract more developers to keep up with Aeon’s pace. I understand it is usable as a daily driver, but it’s not just a one to one mirror of Aeon with Plasma on top.
https://sfalken.tech/posts/2024-06-08-how-do-aeon-and-kalpa-relate/
Richard Brown is all in on Aeon along with whatever contributors are helping him. Stephen Falken appears to have no one helping him work on Kalpa unfortunately. I disagree with Richard’s stance that Kalpa shouldn’t exist, but I do wish there were some capable people able to help that project.
I don’t mind using Gnome anyway, it actually does solve some networking issues that I’ve always had with Plasma. (Dolphin not handling it well whilst Gnome Files has no issues)
Fedora Atomic is greag. uBlue is better ootb, but most of it can be simply achieved by layering some packages (rpm-fusion, enable auto updates through /etc/rpm-ostreed.conf).
NixOS is a whole nother beast and I’d only recommend it if you use standalone compositors (labwc, hyprland, sway, wayfire, river, …), or want a declarative system.
Edit: Just read your comment about not liking Fedora. In that case I’d recommend OpenSUSE Tumbleweed. Other immutable distros are smaller and I don’t have any experience with them. (IMO with atomic distros the distro doesn’t matter much because apps are installed through flatpak or distrobox anyway.(
Fedora Silverblue, but OK, well, maybe openSUSE Aeon also.
I had rhe idea fedora atomic was so reliable, ,but I just updated a system and it broke… Reminded me of my manjaro times😑
How did it break, and what doesn’t work any more?
I’ve been using Fedora Atomic on at least one device for years now, without any major issues (I.e. device no booting or updating. Upgrades do require some manual intervention).
I upgraded with rpm-ostree upgrade and then it doesnt boot. Some error with the kernel. Im sorry I dont have the info where I am, as it is not my computer. Good thing is I can still boot old image, its on grub.
Opensuse Micro
