jpgvm

I feel like most of these systems tradeoff too much simplicity.

I've been using ArchLinux for ~14 years now, previous to that I used Slackware and Gentoo. IMO it's better to be simple, yes there aren't any guarantees but worst case scenario I can rebuild, run my install script (which might require a few tweaks if it's been a while since I set up a new system), push new keys etc., and then I'm up and running again in ~15 mins. i.e. I think it's easier to repair or replace a simple system than it is to try to work out how to do novel things on a complicated but safe system.

I intend to try NixOS at some point as a foray into these more complicated but "safer"/transactional/immutable/deterministic systems but I just haven't found the motivation yet.

struanr

Personally I went from Arch to NixOS and now back to Arch. Whilst I can appreciate the power of NixOS it felt like such a huge amount of abstraction and secret sauce it made it impossible to fit in my head. In addition, the documentation and debugging experience of the Nix language were very poor. Nix shell was useful for trying out programs temporarily, however I found it a poor substitute for native Python and Julia package managers, especially for scientific work where a requirements.txt is useful to a lot more people than a flake.nix.

Going back to Arch has felt like a breath of fresh air. Everything is simple, easy to understand and incredibly well documented. Using a snapper pacman hook I can now revert my system to undo updates, which was the main functionality I found useful in NixOS.

sandbach

It's worth noting that the benefits of Nix shell you mention can be enjoyed from the comfort of another distro with the Nix package manager.

myaccountonhn

Nixos is pretty slick for servers. Everything from users to nginx to system services to firewall is defined declaratively in 1-5 files, and deployment is as simple as `nixos-rebuild switch --target-host deploy@host`.

For me that’s pretty wild. It makes it trivial to have both staging and prod in sync by just pushing to a repo. That means you get a better overview of the system state, and can experiment more freely knowing the machine won’t end up in a weird state. And while Nixos is hard to debug and occasionally hard to write, I find the format very easy to read.

However for my personal computer, I found that it’s overkill and now I just use a dotfile manager and save my installed program names in a list. I do think nix really lacks documentation for very basic things, and for that guix is better (but I found guix harder to write and read).

Timber-6539

I was in a similar situation. Arch user that bought the sell from NixOS. It worked great after a painstaking setup (everything you think you know about Linux systems in general is wrong!) and was a joy to use but when it broke, it was a complete mess due to how quirky the whole OS is. P.S. There's nothing simple about NixOS and the documentation could use some work.

abc123abc123

I use opensuse leap 15.3 and it just works. No fiddling around and install takes 15 minutes.

Then I have a home cooked backup script that runs daily to a remote server, so in a worst case situation, I reinstall, 15 minutes, and then copy my dot files and other stuff which might take another 5-15 minutes.

So for single person use, or small environments of 20-30 servers or so, the traditional old model works well.

bboozzoo

FYI, in case you missed that, Leap has been EOL since late 2022.

doubled112

Leap 15.6 was released on the 12th of this month.

https://news.opensuse.org/2024/06/12/leap-unveils-choices-fo...

It might be the last OpenSUSE using the traditional release model, but it's not EOL.

leetnewb

To be fair, Tumbleweed has had snapshot/rollback built in and generally triggered at important points for years. There are exceedingly few scenarios where you can't just move to the prior snapshot to get a working system again - talking a minute after failure. Aeon takes it further, but that's where it started. Hard to argue the speed of repairing by rollback vs reinstall.

Also, Aeon has first party support for running cli and gui things in distrobox. You can pull down an OCI container of virtually any distro and do whatever you want in it. Distrobox lets you expose applications from the container environment to the Aeon desktop.

Hypothetically, you could use Aeon as your rock solid core and tinker in distroboxes, including refining the install script to make a custom OCI container. Not trying to convince you - just saying there is a lot of easy to access flexibility there.

AshamedCaptain

I never understood the point of rollback. Suppose you run some upgrade and hit a bug that prevents boot. Okay, you revert, so you can keep running your outdated system. Now what?

It's not like whichever broke your upgrade is going to disappear if you simply try again.

Arnavion

You report the bug and wait for it to be fixed, and meanwhile you have a working computer and can get on with what you originally wanted to use your computer for.

leetnewb

I don't know how familiar you are with opensuse tumbleweed, but it is a continuously rolling distribution with a decent amount of automated testing of each release. At times, there can be 2-3 new releases per week. Sometimes only a few packages are updated in a release, sometimes everything is updated. But figure a couple of times a week, there is a new tumbleweed version.

One of the most common scenarios of breakage happens when a user adds a 3rd party repo that at times lags behind the Tumbleweed release cycle. Libraries and application versions suddenly conflict and the user could have a partially or fully borked system. A rollback to the last good snapshot makes a lot of sense - the 3rd party repo will usually catch up in a day or two, and the update that previously broke the system can be safely applied.

spookie

To understand rollbacks it's better to assume the user has themselves borked something rather than the system. You don't necessarily rollback to previous package versions, just to the last state everything was working.

Sure you can fix whatever you did wrong, but that might imply quite a few things and take time. If you go to the snapshot prior to your changes, it takes a lot less time (just a reboot), less guess work, and you can continue working from a blank slate.

jpgvm

Yeah I should give Tumbleweed a try at some point.

It's hard to give up the Arch PKGBUILD system though, it's an even simpler ebuild which was originally why I loved Gentoo so much.

bboozzoo

I'm always puzzled how folks praise PKGBUILDs when it's mostly irrelevant for a regular user. Unless by 'PKGBUILD system' you mean AUR, a place where random people push random build scripts and other folks are happy to execute said build scripts locally, quite often without any real sandboxing or even a quick glance at the actual code.

qludes

With Tumbleweed (and probably Aeon) you can use factory/open build service to build your own packages. You could even fork Aeon or MicroOS and turn that into something like a customized Arch Install that also benefits from whatever automated tests Tumbleweed comes with.

kenmacd

> I just haven't found the motivation yet.

I moved from Arch to NixOS. In case it helps these are my main motivations:

* In Arch, very rarely, I'd apply an update that would break things. Going back to a stable system was a pain. I ended up with some snapper setups and a list of commands to convert the latest snapshot to a r/w 'root' that worked well enough. With NixOS I just reboot to the previous generation on any issue.

* For development I'd often use third-party tools to manage multiple language versions. For example I used pyenv. With Nix it's much easier to just use python39, or nodejs-18_x, or whatever as Nix makes this really simple.

If you do decide to try it out I'll recommend using the github query 'path:*.nix ___' to copy off others, as the main complaints about Nix seem to center around the language.

m1n7

I think it's possible to have both. We just haven't decided how to implement these improvements, that's why we see so many different immutable/snapshot/… distros with lacking UX — for now.

fao_

> i.e I think it's easier to repair or replace a simple system than it is to try work out how to do novel things on a complicated but safe system.

I mean, that's the point. If the configuration of the machine is declarative it's easier to replace it with a duplicate that works. Declarative in this context literally just means "the entire state is declared in a way that you can roll it back"

bjoli

I run it for the base system, and then use gnu Guix for the rest. I don't have time to deal with a system that changes under my feet. Being able to rollback both the base system and userland has saved me twice. It also means I can use one tool for userland things instead of both distrobox and flatpak.

Until I am smart enough to run guixSD completely this feels like a decent compromise.

BossingAround

Whenever SUSE is mentioned, I remember their songs, e.g. how to pronounce SUSE: https://www.youtube.com/watch?v=nLdexZlVkAY

fileeditview

I mean the song is funny but it's hilarious that they still mispronounce it.. he constantly sings susAH instead of susEH .. how it should be pronounced, at least if you pronounce it as a German word.

artificial

“Zooz-eh” for English speakers who are curious: https://translate.google.de/?sl=auto&tl=de&text=SUSE&op=tran...

dingnuts

the only guy I've ever known to correctly pronounce SUSE was an older fellow who was, towards the end of the 00s, pronouncing "Ethernet" with a short e, as though it were to rhyme with "meth"

anyway, that's why I'll always call it Soos even if I know I'm wrong

that guy probably also pronounced it "GIF" but it's been too long to say for sure

moffkalast

And I get reminded of amogus.

LorenDB

There's also openSUSE Kalpa, which is like Aeon but with KDE Plasma instead of Gnome.

throwaway89988

I tried out Aeon a while back and mostly liked the idea, but not so sure about the execution.

First, last time they had no firewall and the main developer thinks a firewall is not needed. I disagree strongly and won't run an OS w/o firewall. (https://forums.opensuse.org/t/micro-os-suse-aeon-compared-to...)

Second, getting everything from flatpak would be a good idea, if the software I need would be available as certified flatpaks. Downloading random flatpaks is IMHO the same as downloading random executables.

Third, the AARCH64 version is not distributed anymore (this was the version I tried/used), AFAIK because the initial install script could not download the non-existent Firefox for AARCH64 flatpak (thanks Mozilla).

In the end I still like the idea of Aeon and hope they change their positions concerning firewalls. Points two and three are obviously not Aeons to fix, so I hope we as a community (and Mozilla) get there in time.

thoroughburro

I use a MicroOS + wayland + sway and friends setup, since I don’t like big DEs. I completely agree with you about needing a firewall, but it was an easy fix to continue taking advantage of all the good parts:

    sudo transactional-update shell
    zypper in firewalld
    [setup as you like]
    exit
    sudo reboot
Now you have MicroOS or Aeon as you like it. It’s a discouraged practice, but if you stick to the default repos and well-used packages, you can definitely tweak the opinionated defaults without compromising the vision.

BossingAround

I understand what you're saying, and I understand the maintainer's POV. But, nothing prevents you from installing firewalld, right? It should just work.

deknos

i agree with the flatpak, sadly this will probably not change.

BUT! If you are a developer, you could run graphical applications with distrobox from the OpenSUSE distrobox!

I am starting to use this on tumbleweed and there are even "exporters" so the app in the distrobox will be exported to your application menu on the metal!

jacooper

Does that app have access to a full terminal ? Like if I install vs code inside distrobox, will it have access to the systems or the container terminal?

athrun

the firewall question is interesting. I guess I understand their perspective: If nothing is listening/running then what’s the point of the firewall? The system is immutable so the security posture is a known quantity and cannot change at runtime. You could argue that running an additional firewall service would actually be increasing the attack surface, in the sense that more code is worse than the absence of code.

Not sure I agree with their stance, but good on them for having the courage to revisit some of our default assumptions. Some decisions will work out and others they'll have to finetune.

throwaway89988

The base system does not need a firewall, according to them, and they might be correct about that or not.

IMHO the point of having a firewall which simply denies all incoming connections is that once a user starts installing a few programs, sooner or later some of them might open ports, even w/o malicious intent.

If they want to provide an easy to use and secure system, IMHO there should be a firewall and each port has to be opened explicitly.

In the end, this is really down to opinion and there is no objective true answer, so I'd rather use Fedora-Atomic if I need immutability.

raesene9

I can see where the no firewall argument is coming from and definitely on my own Linux laptop, I try and keep the number of ports listening down as much as possible, but it is tricky and it requires a lot of vigilance as sometimes applications you wouldn't expect to, will start services. Things like Spotify and Steam can open ports.

So having a firewall running can provide a bit of extra protection in case you don't always check to see what ports you have open/listening.

theodric

What's the benefit to a traditional consumer application of opening ports these days, besides maybe for local network data exchange (which, I assume, is what Steam does since I know it will sync game updates between machines on the same subnet). I would hazard that the global number of laptops and desktops with public IPv4 addresses in 2024 is probably in the triple digits, given that basically every provider I'm aware of hands off with a "Wi-Fi modem" that converts whatever weird delivery medium (fiber, DSL, cable, etc.), gets its own maybe-public IP, and does NAT for clients. Hell, I don't even have my own IPv4 address since Starlink does CGNAT.

winrid

does "getting stuff done" include having the Gnome password prompt consistently lose focus and send your password into background applications because it does that a lot

brnt

I _would_ like to know if they're gonna make a KDE spin. Opensuse used to be all about KDE.

itsZero

It’s already here: openSUSE Kalpa. Daily driving it!

johnny22

You don't need to wonder, you can just look it up and find out that they did, right when they started this whole concept.

brnt

openSuse haven't made it easy. Turns out both are an option of the MicroOS installer. I'd not call that a separate distro, but it seems to have product pages like that.

sysrich

I’ve never had that happen.. what password prompts are you referencing?

winrid

The password prompt when you try to do an admin action via the UI, and it happened like once a week on PopOS before I switched to xfce.

logicprog

I've never had that happen to me either. Maybe it was just due to some Pop COSMIC extension

curt15

Looks like it uses btrfs for everything. Btrfs performs notoriously poorly for VMs and databases without the "nocow" hack, which is a no-no for raid1 setups. What should I do if I'm an Android developer who frequently tests code in Android VMs?

Rinzler89

Separate root and home partitions brother. As in, keep root on BTRFS for rollbacks and keep home on ext4 where you keep all your dbs and VMs. This way you get the best of both worlds, no need to mess with nocow parameters.

yellowapple

I've been using (what eventually evolved into) Aeon for about a year now on my primary desktop and it's been absolutely perfect as a daily driver, especially with some choice GNOME extensions like PaperWM.

Unfortunately, the switch to the new Tik-based installer resulted in a loss of full-disk encryption support, so until that gets re-added I'm in a bit of a pickle when it comes to installing it on any future machines (including my shiny new Framework 16).

kombine

Tumbleweed is a very solid distro, one could also use it as an "immutable" distro by installing the software from Flatpaks and distrobox. Been using it for more than a year after a decade on Ubuntu.

JHonaker

The fact that I can go months without updating a rolling distro and things very rarely break is incredible. Tumbleweed is rock solid. (Personally, I've never experienced a break, but I know one just happened for a lot of people. Granted, I believe it was Nvidia or Mesa drivers at fault.)

jacooper

I found zypper to be quite slow even compared to DNF which is notorious for being slow.

Also it's not very well supported in the community, I guess distrobox fixes this.

littlecranky67

Feels like a step backwards that I have to reboot the system for every update.

sysrich

Only for the updates of the base OS. Updates to flatpak apps and distroboxes don't need an update.

And the actual download and install happens in the background before the reboot.

So a 20 second reboot is hardly a huge cost for a much more solid update mechanism.

mikedelfino

I'm not the person you're replying to, but what annoys me about this on Fedora is that I use full disk encryption in my notebook, so I need to type the password after the reboot for the updates and then one more time to get it running again. I wish it could deactivate all services and somewhat return to a state similar to early boot in order to apply the updates, rebooting only once afterward. This would be especially useful for shutdown updates, in which case no password would be necessary.

jpeeler

I was hoping that systemd's soft reboot function would help a lot here. It would make it unnecessary to request password when using full disk encryption and would require less downtime. Last I checked it didn't work in Silverblue though.

dorian-graph

Which update? The design of the system is so that there's minimal things installed that require a layer update.

billyzs

If the kernel is updated the OS would have to be rebooted anyway unless live patching is configured. Rebooting after an update is probably more common & less annoying than one would think.

BossingAround

The same applies on Steam Deck. This is a thing with immutable systems.

KolenCh

I use OpenSUSE Leap with transactional server, which is another immutable distribution by SUSE. I run it on my storage node primarily serving a ZFS pool over the network. This means the server is more like an appliance (NAS) and this immutable setup is a perfect fit IMO.

I suppose I could have used Aeon instead? But I like having OpenSUSE Leap across the fleet too, with others doing more heavy lifting.

aitchnyu

Has anybody tried Spiral and Gecko? Same developer adapted Debian Sid and Suse Tumbleweed with btrfs snapshot after each install. How did they/similar systems work in practice for you?

Aeon: OpenSUSE for Lazy Developers - Hacker News