rpm-ostree VS nixpkgs

I definitely agree that immutability offers considerable value in regards to improving security. But arguably it's insufficient to pull the win over mutable Fedora due to the losses caused by the inability to install the kernel-hardened package and the lack of UKI (Unified Kernel Image) support.

Issue: https://github.com/coreos/rpm-ostree/issues/3944

Oversimplifying might have been the most sensible in this context. However, you might have gone a little bit too far as your description fits only NixOS, Guix and distros that utilize rpm-ostree.

here's the documentation of ostree (the package manager)

Now... this was VERY alarming to say the least, so I went online and did indeed find an issue on GitHub.

And there are still some issues with layering. Some packages that don't behave or follow standards will modify files in /usr/local, which isn't supported, so you simply won't be able to install them on Silverblue. I think it's the same for /opt as well. (https://github.com/coreos/rpm-ostree/issues/233) This means it fundamentally can't do everything Workstation can, which is unfortunate.

ublue is based off of fedora and rpm-ostree, which is what "CoreOS" is today.

What happened was old school CoreOS was A/B partition based: https://github.com/coreos/docs/blob/master/os/sdk-disk-parti...

My memory is hazy but here's how I remember it: After Red Hat acquired CoreOS they rebased the entire thing around rpm-ostree, which is the CoreOS people know today: https://coreos.github.io/rpm-ostree/

At the time there was some anxiety in the community as to what would happen, as there was no direct upgrade path from old CoreOS to new CoreOS. Theoretically if we all believed the kool-aid we were drinking it's just a redeploy, no pets!

Kinvolk came along, forked it, and made Flatcar Linux, which kept the A/B partitioning system, and more crucially, let you just change a config file and all your old CoreOS nodes would just move to Flatcar and then you were good to go. So now if you wanted to stay on the system you were comfortable with you could just use Flatcar. If the composability of rpm-ostree attracted you then new CoreOS have you covered. Red Hat deserves a hat tip here because in their documentation/blog they explicitly mentioned Flatcar as an option for people who wanted to stick with what they know, which I thought was cool and how I discovered it!

Later on Microsoft acquired Kinvolk and and then people raised eyebrows. I have not checked in a while but the folks involved continued to do their thing and run it like a good OSS project, hold public meetings, all that stuff.

I use both and they're both high quality.

Whenever I was looking at using CoreOS, I was somewhat disheartened that automatic reboots weren't built in: https://github.com/coreos/rpm-ostree/issues/2831. Has this changed? I know zincati has maintenance window support, which would also be nice to have.

Doesn't look like it https://github.com/coreos/rpm-ostree/issues/1091

https://github.com/NixOS/nixpkgs/commits?author=neon-sunset

I see two signers in the top 6 displayed on https://github.com/NixOS/nixpkgs/graphs/contributors

For a single file script, nix can make the package management quite easy: https://github.com/NixOS/nixpkgs/blob/master/doc/languages-f...

For example,

```

Yes, Nix doesn't actually ensure that the builds are deterministic. In fact it works just fine if they aren't. There are packages in nixpkgs that aren't reproducible: https://github.com/NixOS/nixpkgs/issues?q=is%3Aopen+is%3Aiss...

I'm not familiar with Bazel, but Nix in it's current form wouldn't have solved this attack. First of all, the standard mkDerivation function calls the same configure; make; make install process that made this attack possible. Nixpkgs regularly pulls in external resources (fetchUrl and friends) that are equally vulnerable to a poisoned release tarball. Checkout the comment on the current xz entry in nixpkgs https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/comp...

NixOS uses a monorepo and I think everyone's love it.

I love being able to easily grep through all the packages source code and there's regularly PRs that harmonizes conventions across many packages.

Nixpkgs doesn't include the packaged software source code, so it's a lot more practical than what Debian is doing.

https://github.com/NixOS/nixpkgs

In this specific case, nix uses fetchFromGitHub to download the source archive, which are generated by GitHub for the specified revision[1]. Arch seems to just download the tarball from the releases page[2].

[1]: https://github.com/NixOS/nixpkgs/blob/3c2fdd0a4e6396fc310a6e...

[2]: https://gitlab.archlinux.org/archlinux/packaging/packages/ib...

True, but irrelevant -- _some packages_, _somewhere_, do depend on xz, which, if built, requires pulling the source from GitHub (see the default.nix: https://github.com/NixOS/nixpkgs/blob/nixos-23.11/pkgs/tools...)

It's not the vulnerability that's a problem right now (NixOS was protected by a couple of factors) but rather GitHub's hamfisted response.

That is the problem.

We’ve noticed that some users have been asking about how to use older versions of Terraform in their Nix setups [1, 2]. This is an example of the diverse needs of people and the importance of maintaining backward compatibility. We hope that nixpkgs-terraform will be a useful tool for these users.