cross-posted from: https://infosec.pub/post/15781466
Am I out of touch?
No, it’s the forward-thinking generation of software engineers that want elegant, reliable, declarative systems that are wrong.
cross-posted from: https://infosec.pub/post/15781466
Am I out of touch?
No, it’s the forward-thinking generation of software engineers that want elegant, reliable, declarative systems that are wrong.
Immutable was adopted for Android because Google and the Android vendors wanted to lock down the platform, and because they always distribute their OS images and updates as binary blobs.
It offers no benefits to an open ecosystem like Linux, that you can’t already accomplish with existing security measures.
It offers some benefits to distro maintainers who are only willing/able to focus on the core system and delegate the rest of the software to distro-agnostic packages. That’s definitely an interesting niche and I look forward to it. But please note that whether the core is immutable is completely irrelevant in this scenario.
Generally speaking, if you want to use distro-agnostic packages you can do that regardless of whether the system is immutable or not.
And since we’re on the topic, if we’re borrowing things from Android I would love to have the application sandboxing and permissions. I think they’d be a much bigger benefit – to all distros, immutable or not.
Flatpaks and Wayland should fill out this part nicely.
This often means unofficial builds that aren’t from the developer that sometimes have sandbox specific issues the devs didn’t contemplate because they don’t actually do flatpaks. If someday the random bob who is neither the original developer nor some trusted individual connected to the distro is hacked they may push out a malware enabled update that pwns all the people who automatically update in short order. This doesn’t seem like a security increasing feature.
I don’t think anyone uses immutable distros for security, the main selling point I believe is that you can rollback when the system breaks due to a update, especially when it’s a rolling release
I can do that with Timeshift on any distro