Question: do NixOS/GuixSD count as immutable OSes?
So yeah, as root privileges still exist and are accessible, they still allow you to modify the system, but you're not *supposed* to. By default, even root sees /gnu/store as immutable, but it can change that on its own.

In contrast, Fedora Silverblue sets the whole filesystem as read-only and mounts all stateful paths, either from modifiable partitions or virtual filesystems, into /var subdirectories. Reading this article though, I presume Silverblue is just as vulnerable once you get root. https://www.redhat.com/sysadmin/immutability-silverblue
Both systems also have native SELinux support, which really tempts me into switching. I wonder how far I can go with rpm-ostree on Fedora without making it too hard to update, whereas my #1 issue with Guix (decent, up-to-date Firefox) is 100% solved thanks to Flathub.
"Since Guix System does not provide an SELinux base policy, the daemon policy cannot be used on Guix System."

:blobcatderpy:

https://guix.gnu.org/manual/en/html_node/SELinux-Support.html
I think I might be getting into Fedora after all? Time to evaluate 🔍 :blobcat:
oh ok, guess I can't use Fedora to bomb the Whitehouse in contradiction to licenses like the GPL
If you don't go with custom partitioning, installation is the closest to ideal I've ever seen. Just choose the disk and you're ready to go! It does make an attempt at geolocation to set the default locale, which is something I find questionable.
Here's what you get out of the box. Here's the cool part - it's all Flatpak!

Except for a few apps like Firefox (notice that you can't remove it!), GNOME Disks or the terminal, that is.
Current Firefox versions:

Silverblue: 75.0
Fedora Flatpak: 77.0.1
Flathub: 78.0.1

yeah, go Flathub, it's literally just three clicks away: https://flatpak.org/setup/Fedora/
I hope everything is rebased properly on system version upgrades (which apparently are still manual through the terminal)
Hardened Fedora Silverblue:

sudo passwd -l root
sudo usermod -s /sbin/nologin root
# Comment out sudo and %wheel in /etc/sudoers

Maybe `rpm-ostree rebase` is then needed or something.
I thought I would be able to uninstall sudo itself, but no success so far
Here's how you're supposed to be installing dev tools in Silverblue:

1) With Fedora Toolbox
$ toolbox enter
$ sudo dnf install @development-tools

2) With GNOME Builder
...Builder just takes care of downloading Flatpak SDKs for you.
...except for Python, which isn't working here? And I don't know how to make it use Toolbox, I guess I should point it somewhere at ~/.local/share/containers/storage?
well somehow, I closed up and opened Builder, and Python projects now build?

huh
So, that's about it for Fedora Silverblue. As a development environment it's very doable albeit it doesn't feel 100% there yet. But for anything else, it makes using and maintaining your computer pretty easy, even if you've never used Linux before. At least, as long as you don't have to upgrade it.
This is the distro I've hoped to switch to, for SOOOOOOOOOOOO long! The idea of a system that is highly hackable yet you can safely roll back if you ever make a mistake? Multiple versions of packages installed at the same time without any conflicts or messy hacks? AND you only have to use a single package manager, based in Scheme, that works in userspace, and can do multiple tasks at once without even asking you for a password?

However, not only was it pretty slow, Firefox was... problematic.

Now I have high hopes for it, but no AppArmor or SELinux also makes me hmmm lots.
Now, I don't think I'll be able to use either Silverblue or Guix as my only system. I need a patched Linux kernel for my Surface, and I have no idea how to put that into either system. But at least I can replace the Debian Sid on my Mac.
It's wayyyyyyyyyyy easier to install than back in the 0.12 times, basically because it automates the whole process, and it's even quite forgiving if you write an invalid config.scm - but it would be nice if it didn't delete your changes each time they fail.
So far, as I wait for it to install, it does feel faster than previous versions of Guix. If there are any real improvements, I would bet all of them are because of Guile 3's JIT compiler.
Why is building the man database so slow? WOW it's slow.
@realcaseyrollins the Guix system, version 1.1

I've also tried Fedora Silverblue, which is neat because it's immutable, aka the OS itself can't be easily changed and made vulnerable or unstable
Game Liberty Mastodon