I’ve heard of immutable OS’s like Fedora Silverblue. As far as I understand it, this means that “system files” are read-only, and that this is more secure.
What I struggle to understand is, what does that mean in practical terms? How does installing packages or configuring software work, if system files can’t be changed?
Another thing I don’t really understand is what the benefits as an end user? What kinds of things can I do (or can be done by malware or someone else) to my Arch system that couldn’t be done on an immutable system? I get that there’s a security benefit just in that malware can’t change system files – but that is achieved by proper permission management on traditional systems too.
And I understand the benefit of something declarative like NixOS or Guix, which are also immutable. But a lot of OS’s seem to be immutable but not purely declarative. I’m struggling to understand why that’s useful.
It depends on how the immutable distro works, but on immutable Fedora directories like /usr/local, /var and /etc are mutable like on any other distro.
They do some merge with /etc and the defaults, but I don’t know how that works. By keeping the defaults somewhere it’s possible to compare your /etc to the one you’d get with a fresh install.
Packages can be layered through rpm-ostree, which is slow but the result is pretty much the same as installing with dnf. But the better way is to use flatpak for gui apps, and distrobox for cli tools and development. I personally recommend making the terminal open a distrobox by default.
OpenSUSE MicroOS is more similar to a traditional distro like Arch + btrfs snapshots. It doesn’t do as much for solving the unknown state problem, but it is more open to tinkering (which might be good or bad, depending on the use case).
Immutable distro often only means that the system won’t change while running. Changes are applied on next boot, which solves problems for complex software. E.g. Firefox might crash or doesn’t allow opening new tabs because updated files are incompatible with running software.
Agreed, I also don’t understand why security is talked often with immutable distros. In Fedora’s rpm-ostree case it’s more difficult to change a binary in /usr/bin, but putting malware in /usr/local/bin works like on any other distro. And root isn’t even necessary to add to .bashrc.
And even if it wouldn’t allow for executing untrusted binaries, (whatever that means,) the attacker would have your data anyway. And that’s te reason Fedora Silverblue uses selinux too.