I feel like inmutable distros are in a quite good state nowadays, and while solutions like bootc and sysexts are not “mainstream” yet, it’s getting there

when it comes to getting non Flatpak packages, things get interesting, there are a lot of options, really

AppImages, statically linked binaries, tarballs, OCI containers, distrobox/toolbx, Homebrew, VMs, Nix even experimental formats like RunImages, AppBundles and FlatImages

if you need some non-system level package, you’ll have a way to use it yet, still it seems sort of chaotic “which one should I choose? how will I be able to easily manage them?”

GPM, dbin, Soar, AM… and the list goes on

and it’s okay, the so called cloud native approach is still evolving, so this fragmentation is expected so it’s nice to share opinions about this while we’re living this interesting phase any thoughts?

  • boredsquirrel (he)@slrpnk.net
    7·
    16 hours ago

    All of the methods have big issues but I would still prefer them over messing with a mutable system

    • snap is likely the most secure by avoiding user namespaces, using AppArmor only and thus being very flexible (also for use for kernels, drivers, browsers …) but it is proprietary, nobody likes it and Canonical doesnt wanna stop somehow.
    • flatpak has the biggest amount of officially maintained packages, but packaging is often really bad, runtime extensions arent really a thing, instead people just put ffmpeg binaries in their packaged and think that is fine. Flatpak does consume quite some disk space and more importantly RAM for the duplicated things
    • nix doesnt have any of these, but sandboxing is hard, there is either stable or unstable, changing and configuring things is very complex. Likely no official packages. Still the method I prefer.
    • homebrew idk? Never tried, mac focused and with more and more linux features like sandboxing. No idea
    • distrobox/toolbox is pretty hacky, relies on entire distros running in parallel with no shared anything (currently, afaik bootc deduplication is kind of planned but kind of difficult too). Updates dont really work so either you go declarative with podman compose or distrobox-assemble, or you use rolling distros. Also they share your homedir by default so they will clutter and mess up your dotfiles which is a problem nobody deals with. Dotfile backup tools exist but are kinda complex. Distrobox has a config but the creator doesnt seem to want to make it the default, neither do downstreams.
    • Appimages just suck, back to the windows way but without developer signature verification (like Windows) or secure updates (like .apk files on Android)

    Also Nix, Flatpak and a few more fully depend on Github. Same with uBlue, Secureblue and a ton of other projects. Really scary actually.

    • MonkderVierte@lemmy.zip
      1·
      6 hours ago

      Looks to me like immutable only attracts the kind of developers/hackers who like to solve things by slapping another runtime on it.

      • boredsquirrel (he)@slrpnk.net
        2·
        6 hours ago

        Immutable in the actual sense yes, it is basically a product and every other software is installed aside from it.

        But you can also have better managed systems like nix or ostree, that reduce entropy or at least make it fully declarative so theoretically finding and reproducing issues is easy

    • overcast@lemmy.zipOP
      4·
      13 hours ago

      my thoughts

      • lol i just completely forgot about snaps
      • Nix can’t be installed in the standard way on inmutable distros :(
      • Homebrew is actually good, it’s exactly like your usual package manager and works with /home as a symlink, however it can take up a lot of storage since it pulls it’s own dependencies and that GCC thing is another one
      • distrobox/toolbx have their usecases, but until things get better it can be used as a last resort
      • and good old AppImages, I think they’re good for slow moving projects and games, but a large amount of them are not really portable, which defeats the purpose of AppImagws in the first place
      • boredsquirrel (he)@slrpnk.net
        1·
        8 hours ago

        Never used homebrew, that doesnt sound good.

        I am trying to use nix and firejail only, but it is pretty rough and barely documented which is kinda insane as firejail is THE tool. Unlike crabjail, bubblejail and what else is out there

    • moonpiedumplings@programming.devEnglish
      3·
      15 hours ago

      distrobox/toolbox

      Distrobox excels for when you need some proprietary tool that ships it’s packages as a repo for Ubuntu but not much else. You spin up a distrobox for Cisco Packet Tracer, or VSCode (the proprietary microsoft one, not Arch’s Code-OSS and Unity.

      Then, once you’re done, you can just delete it all.

        • moonpiedumplings@programming.devEnglish
          2·
          13 hours ago

          If the tarball was dynamically linked against specific distro’s libraries though, then it wouldn’t work on all distros.

          They also often provide RPM packages for Red Hat systems. Not always though, and I use Arch (btw) anyways.

          • overcast@lemmy.zipOP
            1·
            13 hours ago

            really? by the time I needed it, there were only .deb available, and they did not listed all their dependencies on Debian, only on Ubuntu, I had to look for their dependencies and install them manually, what a mess

    • moonpiedumplings@programming.devEnglish
      2·
      15 hours ago

      nix doesnt have any of these, but sandboxing is hard, there is either stable or unstable, changing and configuring things is very complex. Likely no official packages. Still the method I prefer.

      Nix is what I use, and it was frustrating to have to hack a lot of it into place, but I feel like it has the most potential. Unfortunately the flakes nonflakes split, in combination with the split of “distros” like determinate nix, flox, and so on, and the governance concerns really hold it back. It has horrific documentation, for the most part caused by the above (flakes are “experimental” and so can’t be included in official docs), and it is frustrating the lengths I have to go to to make stuff work that should be easy.

      For example, GPU acceleration of Nix packaged apps on non Nixos systems. I figured out how to do it:

      (config.lib.nixGL.wrappers.mesa pkgs.gzdoom)

      source

      But I think it’s just straight up impossible to do this via imperative package installs, outside of home manager. And it’s kind off important if you want any GUI app whatsoever to work.

      But now that I have it working, I use Nixpkgs exclusively and am able to avoid the AUR entirely. To me, the AUR is a last resort, only for something like say, system level printer drivers (thankfully I’ve never needed to install anything to get printers to work). By ensuring that I only use the AUR once in a blue moon, I can make sure that I actually review the PKGBUILD when using it.

    • moonpiedumplings@programming.devEnglish
      1·
      15 hours ago

      snap is likely the most secure by avoiding user namespaces, using AppArmor only and thus being very flexible (also for use for kernels, drivers, browsers …) but it is proprietary, nobody likes it and Canonical doesnt wanna stop somehow.

      Snap does seem to support user namespaces. Although I want to comment that user namespaces are not universally insecure. When an application is confined within a user namespace, seccomp rules restrict it from being able to interact with the user namespaces subsystem, walling it off from the increased attack surface.

      • moonpiedumplings@programming.devEnglish
        1·
        15 hours ago

        They are probably referring to the way that snap, flatpak, and distrobox are available as official packages in most linux distro’s repositories, whereas nix isn’t. I have encountered this frustration for sure. Debian and Arch provide nix packages, but many other distros don’t.

        In addition to this, nix requires manual setup if you install it from the repos, which is annoying. And then you have to do further manual setup to enable flakes, and then you have to figure out how to install packages and it’s not fun.

        So the main way people install nix is via the curl | bash scripts various “distros” of Nix provide.