Isn’t immutability related to the root filesystem being read-only? I can write on my root filesystem, even if it’s mostly links to the store I can replace those links.
Isn’t immutability related to the root filesystem being read-only? I can write on my root filesystem, even if it’s mostly links to the store I can replace those links.
Yes, or use flakes which gives you a lockfile pinning everything. But this is related to reproducibility, not immutability.
I’ve had NixOS absolutely refuse to run some compiler toolchain I depended upon that should’ve been dead simple on other distros, I’m really hesitant to try anything that tries to be too different anymore.
Yes, some toolchain expect you to run pre-compiled dynamically linked binaries. These won’t work on NixOS, you need to either find a way to install the binary from nix and force the toolchain to use it or run patchelf
on it somehow.
Well that was an approximation to keep it simple and disprove the given example. There are other directories in the root filesystem that are in the path by default, or used in some other critical way (like /etc
). Even if they are links to directories in the nix store you can replace the link.
These seems to be related to flatpak, not immutability.
What namespace are you talking about?
To be honest I don’t know these very well. I only use NixOS. My understanding is that in an immutable distribution the root filesystem is read-only. Granted in NixOS the nix store is immutable and most things in the root filesystem are just links to the nix store, but the root filesystem itself is not read-only.
I’m on NixOS right now and just dropped a Chewy in my /bin
, only had to sudo touch /bin/chewy
.
if it’s being read from, it can be written to.
Why would being able to read imply being able to write?
Having an extra step or two in the way doesn’t make it “extremely secure”.
Well it can greatly improve security by preventing a compromised app to achieve persistence.
The store is immutable but the system itself definitely isn’t.
You can destroy it all the same with cp
or cat
.
Be careful and keep a backup, I’ve read so many stories of Apple deleting people music randomly.
without being pwned
How do you know?
While the code being open is good you still have to rely on trust.
I certainly don’t have the time to review to code of each extension I use. And even then, we have no garanties that the extension distributed through the browser stores has the same code.
You can see the issue was opened on august 18th but the responsible commit was only made on the 19th. So the code was pushed the extension users before it was made available on the repository. Open code is of no help here.
It just showed the developer is not to be trusted.
I agree, there are a bunch of annoying limitations. But it’s better than nothing. To me the best vim based browser is qutebrowser, too bad it’s using chromium.
Well in the end I think I’m needlessly nitpicking. It doesn’t matter if it’s strictly immutable or not. What matter is that it has the good parts of reproducibility, immutability and declarativity.