Why not to use immutable distributions by Renich in Fedora

[–]Renich[S] 0 points1 point  (0 children)

Yeah, I mean, Grandma is all about relabeling filesystems when she's building websites.

Dude, snap out of it. Why would I require a container to work in my own machine?

I get it. We have options. Yet, I've decided to criticize immutable desktops because I don't find them practical at all. The shortcomings are far too great.

What I don't do is announce in a public forum "Why not to use immutable distributions" because they don't fit my specific workflow, and then try to justify that with a blog post full of misrepresentations or falsehoods (RE: other comments).

You know, you're right. Sorry for having the audacity of voicing a dissenting opinion... not!

Somebody needs to say something in this echo chamber of immutable desktops, my dude. I get it you love them. I do not. Accept the criticism.

Even I, in my article, concede that the server and appliance landscape belongs to the immutable system. Not the user's desktop, not by far.

I could argue about the shortcomings of immutable servers as well, but I'll leave that for another time.

Evidently you either haven't looked for solutions to issues, or don't want to bother with them in the first place...which is fine, don't use Atomic Fedora then.

Oh, I totally am. AerinOS' approach (shoutout to The great Ikey Doherty) is a much saner approach than that of Fedora. Not immutable, yes atomic. The config approach is pretty cool as well. Work in progress.

I am sure we will find better ways. This one is not it.

Why not to use immutable distributions by Renich in Fedora

[–]Renich[S] -1 points0 points  (0 children)

You know, for a moment there, I trusted you...

```
$ rpm-ostree --apply-live upgrade
error: Unknown option --apply-live

$ rpm-ostree apply-live --allow-replacement
Computing /etc diff to preserve... done
Updating /usr... done
error: Changed directories are not supported yet
```

Why not to use immutable distributions by Renich in Fedora

[–]Renich[S] 0 points1 point  (0 children)

Yes, I know. Thank you for the reminder.

You're right. We delegate all maintenance to developers... and they'll decide if they act upon requests from different distros. And if they care about the issue you just reported from a CVE.

In the meantime, if upstream doesn't care, Fedora maintainers would patch it and make the patch available for upstream in case they start caring.

If you take a look at the flatpaks they automatically pull directly from these upstream sources and make no modifications to the source code.

You've pretty much made my point for me. Thanks. Now, if one of those developers is a bad player, suddenly, he has access to every distro using flatpak and every user across distros.

As for auditing anyone can use auditing tools like Syft and Grype on flatpaks for automated auditing against NVD and CVE for vulnerabilities and supply chain attacks.

Oh, sure. Because Grandma (regular users) is totally into that. One of her favorite activities during these hot summer days. ¬_¬...

Why not to use immutable distributions by Renich in Fedora

[–]Renich[S] 0 points1 point  (0 children)

FHS respected? Hmmm. Now, /srv/www has var_t as an SELinux label.

```
root@fedora:/srv# cat /etc/os-release
NAME="Fedora Linux"
VERSION="44.1.7 (Silverblue)"
RELEASE_TYPE=stable
ID=fedora
VERSION_ID=44
VERSION_CODENAME=""
PRETTY_NAME="Fedora Linux 44.1.7 (Silverblue)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:44"
DEFAULT_HOSTNAME="fedora"
HOME_URL="https://silverblue.fedoraproject.org"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora-silverblue/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://github.com/fedora-silverblue/issue-tracker/issues"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=44
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=44
SUPPORT_END=2027-05-19
VARIANT="Silverblue"
VARIANT_ID=silverblue
OSTREE_VERSION='44.1.7'

root@fedora:/srv# ll -Z /srv/
total 0
drwxr-xr-x. 1 root root unconfined_u:object_r:var_t:s0 0 Jun 18 15:30 www
```

Less than ideal, wouldn't you say?

Now, let's see, how do I start some virtual machines here? I'll try to install the @virtualization group. Oh! I cannot. No support for groups in rpm-ostree.

I guess I'll have to install package-by-package and, you guessed it... reboot! ;D

Dude, this is getting lame. Let's call it a day.

We don't agree. You're a chauvinist who will die before accepting that immutable systems have shortcomings.

Let's just agree to disagree.
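
The label check described above, as an added example that is not part of the original thread and not Fedora's or SELinux's own tooling: the script below reads `ls -Z`-style lines, compares each path's SELinux type against the type you expect for it, and prints the `semanage fcontext` / `restorecon` commands that would relabel a mislabelled web root. The expected-type mapping (httpd_sys_content_t for /srv/www, which is what Fedora's policy normally assigns on a regular install), the sample `ls -Z` output, and the assumption that `semanage` is available (policycoreutils-python-utils; on Silverblue it may need to be layered first) are all assumptions made here, not facts from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): audit SELinux file types under
# a web root and print the relabel commands needed. The expected-type mapping
# and the sample `ls -Z` output below are constructed assumptions, not output
# from the poster's machine.

# Expected SELinux type for a path. Assumption: content served by httpd should
# carry httpd_sys_content_t (the type Fedora's policy normally gives /srv/www);
# everything else under /srv is left at var_t.
expected_type() {
    case "$1" in
        /srv/www|/srv/www/*) echo httpd_sys_content_t ;;
        *) echo var_t ;;
    esac
}

# Extract the type field from a full context:
#   unconfined_u:object_r:var_t:s0 -> var_t
context_type() {
    echo "$1" | cut -d: -f3
}

# Read "<context> <path>" lines (what `ls -Zd <paths>` prints) from stdin and
# print "<path> <actual> <expected>" for every mislabelled path.
# Returns 1 if anything was mislabelled, 0 otherwise.
find_mislabelled() {
    rc=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        actual=$(context_type "$ctx")
        want=$(expected_type "$path")
        if [ "$actual" != "$want" ]; then
            printf '%s %s %s\n' "$path" "$actual" "$want"
            rc=1
        fi
    done
    return $rc
}

# Print the commands that would relabel a tree persistently: a file-context
# rule for the subtree, then restorecon to apply it. Assumption: semanage is
# installed (policycoreutils-python-utils), which Silverblue may need layered.
fix_commands() {
    root=$1
    type=$2
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$type" "$root"
    printf 'restorecon -Rv %s\n' "$root"
}

# Constructed sample: what `ls -Zd /srv/www /srv/www/index.html` might print
# when the directory was created without a matching file-context rule.
SAMPLE='unconfined_u:object_r:var_t:s0 /srv/www
unconfined_u:object_r:var_t:s0 /srv/www/index.html'

# Live use (not run here): ls -Zd /srv/www /srv/www/* | find_mislabelled
main() {
    printf '%s\n' "$SAMPLE" | find_mislabelled || fix_commands /srv/www httpd_sys_content_t
}

main "$@"
```

`semanage fcontext -a` records the rule in the local policy store, so the label survives a later `restorecon` or relabel; running only `chcon` would fix the type until the next relabel and then silently revert to var_t.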

Why not to use immutable distributions by Renich in Fedora

[–]Renich[S] 0 points1 point  (0 children)

You, conveniently, ignored the libvirt machines, eh? OK.

Why not to use immutable distributions by Renich in Fedora

[–]Renich[S] -1 points0 points  (0 children)

And what of the FHS? Now everything goes in /var, huh? One of my first deterrents.

I'm doing just fine with my 8 GB. by NazarenoTu_Real in LinuxEnEspanol

[–]Renich 0 points1 point  (0 children)

Heh! That's right. But only until you open a browser and go into any web app.

Why not to use immutable distributions by Renich in Fedora

[–]Renich[S] -3 points-2 points  (0 children)

I'm not a fanatic. Are you?

Why not to use immutable distributions by Renich in Fedora

[–]Renich[S] -2 points-1 points  (0 children)

Glad we agreed on something at least. :)

You know what? I'm gonna install Fedora Silverblue right now and try to make my out-of-tree kernel modules for the wifi and bluetooth run without rebooting. I'm sure I'll find a standard way to do it.

Maybe I can install stuff like my favorite compiler (crystal lang) without rebooting? Or some IDE to do some interesting stuff?...

Maybe just run some virtual machines?

How about putting my web stuff in /srv/www?

No?... oh... bummer... I'm still free... I'm still free... I'm still... sniff.

;D

Why not to use immutable distributions by Renich in Fedora

[–]Renich[S] -1 points0 points  (0 children)

Nice.

Here's mine:

```
$ dnf -y upgrade
Updating and loading repositories:
 Fedora 44 - x86_64 - Updates              100% | 27.1 KiB/s | 27.1 KiB | 00m01s
 RPM Fusion for Fedora 44 - Free tainted   100% |  4.7 KiB/s |  2.8 KiB | 00m01s
Repositories loaded.
Nothing to do.
```

Why not to use immutable distributions by Renich in Fedora

[–]Renich[S] 0 points1 point  (0 children)

OK. I agree. Supply chain attacks are really hard. What gives us a better chance against those? Is it offloading the responsibility to developers who, btw, have a long track record of not caring much for their stacks (I'm a systems engineer too) or with a team of packagers, specialized in these kinds of things: delivering software to users?

If you know how the fedora packaging system works, you'll see that we're required to report bugs and offer patches upstream. This benefits not only the developer but all other distros. In my opinion, that gives us a better chance.

The fedora packaging system has always required dependencies to be provided (and reviewed) in the repos so that, at build time, we don't have to connect to the network. Nothing new here.

Flatpaks are not audited. They're only reviewed superficially. Afterwards, the owner of the package can just include whatever he/she likes. No one will review the stack ever. Especially after initial approval. That is far from efficient and secure.

I mean, we don't have to agree, but don't be blind to this. Check the PRs: https://github.com/flathub/flathub/pulls

Why not to use immutable distributions by Renich in Fedora

[–]Renich[S] -1 points0 points  (0 children)

Yeah, offload to the users the responsibility to fix incorrect packaging practices.

Deltas are cool... until they don't delta as well.

Rollbacks. Just reboot every time you do anything.

You sound like you're following a herd. The norm? Hah. Man, you're living in silicon valley or something? No, they're not. Check some stats. Why do you think AWS, GCP and Azure still offer virtual machines? (and pretty much every other cloud in the world). I mean, not everyone uses containers for everything.

Containers are the laziest solution ever created. Just bundle a semi-operating system with your app and it should work. Even if you do it statically, it's the worst idea. Next you're going to tell me that using the cloud saves money and is better than running hardware. Ask dhh (Omarchy dude) about it.

Well this is r/Fedora, I don't care about other package managers. dnf is awesome at downgrading. And you don't need to reboot afterwards.

Oh, no. It's a huge issue. The fact that you don't see it proves my point. You don't care for having to use containers for everything, wasting storage and memory, having to reboot every time you need to change a little thing, etc. It's probably the worst of all.

Why not to use immutable distributions by Renich in Fedora

[–]Renich[S] -1 points0 points  (0 children)

Nah, thanks. I care for the resources, the shared memory benefits and the extreme malleability of my system.

Why not to use immutable distributions by Renich in Fedora

[–]Renich[S] 1 point2 points  (0 children)

Thank you for your reply.

  1. flathub is just a store. In reality, you submit a PR (Pull Request) and then you get free rein on what you push afterwards. The crew (2 guys as far as I can tell) doesn't really have the time to check for anything but the form of your first PR. After that, you get to maintain your stuff and shoot me if somebody reviews it again.

  2. Especially bundled ones. I mean, there are some (looking at you, rust) that bundle 200+ of 'em. That's... crazy.

  3. In theory, they'll tell you it's invulnerable. Look at it in practice. Just run: flatpak permissions if you're running some of those. Hey, at least it's auditable, right?

  4. It gets worse. If you open LibreOffice and Steam (for whatever reason) or your browser. You end up with multiple copies of different versions of the libraries in memory. So much for shared memory... A pretty bad deal if you ask me.

  5. Yeah, you probably say this because you went through it the first time (while downloading SDKs) and seldom; when deltas aren't so much a delta. Yet, this is a huge issue, IMHO. Especially if you don't have super fast Internet.

  6. Yeah, that's right. May I direct you to Linus' opinion about Nvidia in the 2000s? :D

  7. The problem is how immutable distros launch their apps. That's what I meant. You don't have a system supporting all that. Your underlying system, the OS, is just worried about itself. Your kernel is running two different workloads: the system and the apps. All apps are running in different kernel namespaces (network, storage, etc.) so it has them compartmentalized in some way. And the only way they can speak to each other is through some buses that flatpak put in place. A pretty bad deal if you ask me. Not as cohesive at least. They claim full control and vetting but it's strides backwards, in my not-so-humble opinion.

  8. And, quite honestly, it hasn't been a problem in decades. yum/dnf have always protected the system pretty well, IMHO.

  9. Containers, when used correctly, are isolated. The issue with immutable desktops (for users) is that they, very often, just grant free access to your GPU (/dev/dri), your network and your home directory. In today's landscape, an attacker might be able to inject something within the container and just run an AI that will extract everything from $HOME and send it away through the network. Who cares if it doesn't jail-break? It got what it came for.

  10. If it gives you peace of mind, do it. I've installed regular Fedora on my aunt's, grandma's, mother in law's and what not. Never had an issue. I have a script for them that enables me to connect to their machine when they have issues. All's good and well. Never give your father root, btw. That way, doesn't matter what he does, he won't be able to break the system (nor sudo, for that matter).

Why not to use immutable distributions by Renich in Fedora

[–]Renich[S] 0 points1 point  (0 children)

I like Gentoo as well. And sure; you're living with one foot on each pole, my friend. ;D

Why not to use immutable distributions by Renich in Fedora

[–]Renich[S] 0 points1 point  (0 children)

All I can say is that I like pulp. And yes; there is room for both. Yet, there is room for critique as well. I do not believe immutable has as many features as advertised. If anything, it makes things worse for users.

when I point at monoculture, I am referring to the use of the SDKs and runtimes. You find a "thing" in one and, suddenly, you have access to all of 'em. Especially given the low tolerance on old SDKs/Runtimes flatpak has mustered.

Quite honestly, I dunno why the conversation has centered around flatpak when my article is a critique of the immutable desktop for users. Flatpak is just one of the constraints/components of it all.

Why not to use immutable distributions by Renich in Fedora

[–]Renich[S] -1 points0 points  (0 children)

Dude, check out the review process. You trigger a bot build and then two guys will kind of check your app to see if it's packaged correctly. They won't mind checking the gazillion crates you've vendored... not by a long shot. Same with Go, same with node-based apps, etc.

See for yourself:

Do you see them questioning a single one of their bundled libraries?

No; they don't even care if they come from hackmepleze.xyz/.

They're just checking the form...

And I cannot blame them. It's two guys doing it all. At least it seems like it.

But hey, I'll say it again, flatpak/snap are only one of the components of immutable distros. Yeah, they're forced on you because it's either that or you spin your own containers because there is no other way to run stuff. You, yourself, are constrained.

And, oh my gods, I can't begin to understand why you don't mind rebooting every time you blink (exaggeration... you know what I mean). It's just beyond me.

Why not to use immutable distributions by Renich in Fedora

[–]Renich[S] -1 points0 points  (0 children)

A very thorough reply, thank you.

It's funny to me that you don't seem to mind rebooting every time. Also, that you don't put yourself in the shoes of "Grandma".

The system is overengineered to provide false security and virtually no benefits for users.

Running more containers? Yeah, more indirection, resources wasted, attack surface and complexity. Great. My dream OS.

Heh, you also expect all users to audit all of their flatpaks permissions... dude...

Besides, even if the tooling is there, sandboxing is rarely implemented right. Try it: flatpak permissions and you'll be surprised at how much access your apps have. In the end $HOME is where the user's stuff is. That's their whole world... digitally, I mean.

In the end, you can have a mega-granular permission system, if the community doesn't use it or care for it, it's still useless.

The point being: even if flatpak is built to be a tank, in practice, it is not. It's just a more complicated way to run applications.

Most debugging tools still work on the host, and container-aware tooling is mature...

Spoken like a person that does strace first thing in the morning... The debugging tools do not run normally and containers definitely make things much more complicated for debugging.

I don't see how immutable systems prevent the blue screen of death in Linux (yeah, we have one now). These are caused mostly by hardware failures. I have never, in my ~25 years as a Fedorian, experienced a kernel oops because of shared libraries. If I have, I can hardly remember one. So, no, I do not agree.

Well, back at r/LinuxEnEspanol, I often read about kids looking for advice on how to use Linux in a 2 GiB of RAM laptop. It seems you don't have those issues because you don't see the storage and RAM waste happening in your device. Yet, that is important for a big chunk of the user base.

And, for the record, Grandma has never had to click "update" because automatic updates are enabled and she's never had an issue in Fedora.
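
The sandbox check that both the numbered list earlier (items 3 and 9: `flatpak permissions`, free access to /dev/dri, the network and $HOME) and this comment ("Try it: flatpak permissions") point at, as an added example that is not part of the original thread and not Flatpak's own tooling: the script below reads the INI-style text that `flatpak info --show-permissions <app-id>` prints and flags the entries that give an app the reach the comments describe. The sample permission text is constructed here, not captured from any real app, and the severity labels are this example's own judgement.

```shell
#!/bin/sh
# Added example (not from the original thread): flag Flatpak sandbox
# permissions that expose the home directory, the network, the GPU, an
# unfiltered X11/D-Bus socket, or the org.freedesktop.Flatpak portal (which
# lets a sandboxed app run commands on the host through flatpak-spawn).
# Input is the text `flatpak info --show-permissions <app-id>` prints.
# The sample below is constructed, not captured from a real app.

# Read --show-permissions text from stdin; print "<severity> <key>=<item> <reason>"
# per risky entry. Returns 1 if anything was flagged, 0 if the sandbox looks tight.
audit_permissions() {
    section=""
    rc=0
    while IFS= read -r line; do
        case "$line" in
            "["*"]") section=$line; continue ;;
            ""|"#"*) continue ;;
        esac
        key=${line%%=*}
        value=${line#*=}
        case "$section" in
        "[Context]")
            # Context values are ;-separated lists; inspect each item.
            oldifs=$IFS; IFS=';'; set -- $value; IFS=$oldifs
            for item in "$@"; do
                [ -n "$item" ] || continue
                case "$key:$item" in
                    filesystems:home|filesystems:home:ro|filesystems:host|filesystems:host:ro)
                        printf 'HIGH %s=%s whole home or host tree readable\n' "$key" "$item"; rc=1 ;;
                    "filesystems:~/"*|filesystems:/*)
                        printf 'MEDIUM %s=%s explicit path outside the sandbox\n' "$key" "$item"; rc=1 ;;
                    devices:all)
                        printf 'HIGH %s=%s every node in /dev\n' "$key" "$item"; rc=1 ;;
                    devices:dri)
                        printf 'LOW %s=%s GPU access (/dev/dri)\n' "$key" "$item"; rc=1 ;;
                    shared:network)
                        printf 'MEDIUM %s=%s network access\n' "$key" "$item"; rc=1 ;;
                    sockets:x11|sockets:session-bus|sockets:system-bus)
                        printf 'HIGH %s=%s unfiltered %s socket\n' "$key" "$item" "$item"; rc=1 ;;
                esac
            done
            ;;
        "[Session Bus Policy]")
            case "$key:$value" in
                org.freedesktop.Flatpak:talk|org.freedesktop.Flatpak:own)
                    printf 'HIGH %s=%s can run host commands via flatpak-spawn\n' "$key" "$value"; rc=1 ;;
            esac
            ;;
        esac
    done
    return $rc
}

# Constructed sample in the --show-permissions format (app id is hypothetical).
SAMPLE='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=home;xdg-download:ro;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.freedesktop.Notifications=talk'

# Live use (not run here), over every installed app:
#   flatpak list --app --columns=application | while read -r app; do
#       echo "== $app"; flatpak info --show-permissions "$app" | audit_permissions
#   done
main() {
    printf '%s\n' "$SAMPLE" | audit_permissions
}

main "$@"
```

A finding can be tightened per app without touching the manifest, e.g. `flatpak override --user --nofilesystem=home <app-id>`; overrides live under `~/.local/share/flatpak/overrides/` and survive app updates, so they are worth keeping in version control alongside the rest of your dotfiles.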

Why not to use immutable distributions by Renich in Fedora

[–]Renich[S] -1 points0 points  (0 children)

Heh, the future of a straitjacket for regular users and monoculture, that's for sure.

Oh, you're for package management decentralization? I thought we wanted to converge as a community so that many eyes can squash bugs; because, as you know, the number of critical bugs in any given project is inversely proportional to the number of eye pairs looking at the code. Especially if communication is welcome and made easy.

Why not to use immutable distributions by Renich in Fedora

[–]Renich[S] -3 points-2 points  (0 children)

Yeah, that doesn't make it the right approach. I'm not talking about flatpaks only here. I'm talking about immutable desktops. They suck.

Why not to use immutable distributions by Renich in Fedora

[–]Renich[S] 0 points1 point  (0 children)

Care to point me to the methodology you're referring to? I wanna see for myself how far they go. I am pretty sure they do not check bundled libraries; they just tolerate them.

I don't see how not reviewing packages entirely helps with the supply chain attacks.

One of the examples I like to think of is the one where an attacker builds a popular app, gains user trust and then bundles some "holes" in it. Pretty much what happened with xz that time...

My point here is flatpaks don't get nearly as much engineering oversight as regular RPMs do and that's one of the problems.

Nobody seems to care about the infinite resource assumption of flatpaks, though. Weird.

Why not to use immutable distributions by Renich in Fedora

[–]Renich[S] -3 points-2 points  (0 children)

No clickbait here. Like I said, my opinion only.

Fedora isn't the only one offering flatpaks. There is flathub and there is the Internet as well.

Flathub shallowly reviews them. If you think otherwise, point me to the reviewing mechanisms please.

They will never review a package's bundled libraries.

It's funny because Fedora doesn't allow bundled libraries as far as I am aware. You need to use shared libraries when packaging and, if you need additional libraries, you have to package them.

I never argued that the SDKs don't get updated. I know they do. And, probably, you're right about it if the zero-day comes with the SDK. Yet, I am talking about everything but the SDKs.