At this point, I should probably start writing blog posts about using #libostree ...

I've done a lot more research now into how various #immutable #Linux distributions work, and it seems like the ones based on #libOStree (like #Fedora Silverblue) are the ones the offer the added security I'm primarily interested in, because the core of the OS for those ones is based on an image produced by automated build systems which is literally unchangeable in any way except by replacing it, it's completely immutable and read-only, and then if you need to install new system packages they are installed as discrete and always hygenically-separated layers *on top* of that core image like an onion's layers, and they're always tracked and known and can only be done based on distribution packages, and so can't be arbitrary changes anyway. So if an attacker got root access they would not be able to modify or compromise your core system or any of the previous layers they would have to add a new layer that added some compromise stuff on top but they have a difficult time doing that by just installing packages and even if they did it would be really easy to see and remove and know that the core and all the underlying layers were still intact.

Meanwhile, the way #openSUSE #MicroOS Desktop/Aeon does it through btrfs, where the core OS file system is mounted read-only at boot time, but you can make changes by essentially opening a shell into a new snapshot, making changes there, and then booting into that snapshot next, doesn't offer those kinds of guarantees. It's still conceptually immutable bc it works basically how pure functional programming handles things, modifying data structures by copying them and switching references to the new copy, and it *does* still have the benefits of all changes to the OS of any sort being tracked by snapshots and transactional/atomic, as well as being able to apply updates as snapshot binary diffs that you rebase your manual changes onto (I think?). But it means attackers can still make arbitrary changes to your system if they get root access, and it may be hard to know which snapshot to revert since they're just numbered. Or they could even just delete all previous snapshots.

The problem is, I don't want to move to Fedora Silverblue to check it put because I vastly prefer the open-QA'd, synced-by-24-hour-cycle, rolling release model of openSUSE #tumbleweed, there's nothing like it.

Tumbleweed Snapshots Are Steadily Rolling https://news.opensuse.org/2019/02/21/tumbleweed-snapshots-are-steadily-rolling/ #applicationsvirtualization #kdeapplications18.12.2 #frameworks5.55.0 #packagemangement #Announcements #makedumpfile #cups-filter #firefox65.0 #imagemagick #ktexteditor #Tumbleweed #WeeklyNews #fontconfig #plasma5.15 #GNOME3.30 #libostree #python3.2 #autoyast #kerberos #kwayland #flatpak #github #Kubic #arm64 #GlibC #Linux #x.org #xf86 #yast #3.3 #KDE