Immutable Operating Systems Won’t Make Your Data Secure.
(But they will annoy you.)
Immutable operating systems seem to be what all of the “cool kids” are talking about lately, but what are they?
Essentially, an example of the concept is Fedora Silverblue.
The file system root is mounted read-only, and operating systems become a “giant image” where the thousands of packages brought to you now through your distribution in a native packaging format such as RPM or DEB packages, are replaced with a modified packaging tool like “rpm-ostree”.
The issues brought about by this sort of a change are that the user can’t hold back particular updates, install only critical security updates (like Fedora users today can with dnf update –security), or update a few packages that need to go in right now, like a new Web browser, and keep everything else back for a while, or selectively back out a kernel that’s doing something odd until later on, but keep all the other updates.
Updates using rpm-ostree are transactional, in that they either fully succeed or entirely fail, but that doesn’t guarantee you have a perfectly functional system. It only means that the packages installed successfully. I can’t remember in decades of mostly using RPM distributions, when an RPM last jammed up and wouldn’t go in.
With rpm-ostree on Silverblue, you can still get buggy components, and the only thing you can really do to revert them is roll back the entire OS image, complete with other updates, which may be for security issues.
Needless to say, this is not a long-term solution any more than holding back a kernel, but now it covers your entire operating system!
Fedora has so much update churn, that if you use a system like this, then to put any updates into actual effect, you will be constantly interrupting your computer to reboot.
rpm-ostree supports “package overlays”, so yes, you can install RPMs and even RPM repositories, and the new packages get overlaid onto the image of the OS in the “RPM layer”, however, every time you install a package this way, you will need to reboot.
Red Hat’s answer to this is “You’re supposed to be using Flatpaks.”, which at this point, are not really fully available from Fedora Flatpaks, and not actually ultimately trustworthy as an authoritative source of software from Flathub.
Fedora has a feature proposal coming that will provide the user with full access to an “Unfiltered Flathub”, and they are dropping support for some RPMs, like LibreOffice, entirely.
So it seems to me like they’re gearing up to force everyone to nuke their Workstation install and go “Atomic Workstation” (the former name of Silverblue).
This will be highly disruptive to Fedora users, and since they’re going to have to reformat anyway, I think it’s a good time to just leave if you’re no longer interested in a distribution that doesn’t take usability and desktop users seriously (because IBM doesn’t).
Some Flatpaks do indeed work fine, most “appear” to work fine initially and then you find out later that the “Sandbox” actually breaks things. Sometimes the breakage is just annoying, sometimes it puts a real crimp on what you want the program to do.
For example, with OpenRA, you can’t install community mods into the games, so you’re going to need the AppImage files (a different universal program format for Linux I’ll get to later).
With GNOME Web (Epiphany), I tried to use the Flatpak on KDE because I think WebkitGTK is a pretty good rendering engine.
It makes pages look fantastic, but the Flatpak was completely broken and wouldn’t connect to Firefox Sync, which is also unfortunately the only way to bring in bookmarks and passwords without importing your bookmarks as an HTML file and the passwords one at a time. I currently have about 450 passwords in my browsers. I can share them between each browser in a CSV file. Web can’t import in this format.
They chose to depend on Firefox Sync, which doesn’t even work at all in the Flatpak.
When I installed GNOME Web through Flatpak in my Chromebook, it had the same issue with Firefox Sync. Apparently, it just needs something from GNOME, I believe, that they’re not putting in the Flatpak.
With Firefox in Flatpaks, sometimes the font rendering is broken.
Mozilla still hasn’t looked into this, four years after the bug was filed.
I gave up. But if that wasn’t enough, the “Sandbox”, which lets the browser download and execute files, but only in “Downloads” (So don’t worry, the malware can use that, but the rest of the file system is supposedly safe, so hooray!?), breaks Video Download Helper.
Video Download Helper requires a “CoApp” program to deal with HTTP Live Streaming sites. It probably also breaks other things that need a Native Helper like the extension to put Gopher support back into Firefox. (I didn’t check.)
When I tried to remove the file system “Sandbox” so the Firefox flatpak could fine the CoApp, the application stopped paying attention to its folder in ~/.var/app and wrote into my /home folder where non-Flatpak Firefox usually stores new profiles, caches, and settings. Ugh.
Using Flatpaks is aggravating because the “Something something security!” people have amazingly left almost all the attack surface, yet declared there’s a “Sandbox”, and because of the “Sandbox”, many applications come close to working, but no cigar, unless they don’t actually have to do very much.
Even Debian’s Wiki page about Flatpak has a section on Security concerns about the format, which leads to Flatkill.org.
Flatkill was last updated in 2020, and very little had changed. Most of the platform Flatpaks have old libraries that don’t get security patches, sometimes for nearly a year after a security hole is found.
Debian says that one reason to prefer Debian packages is because the system library will be patched centrally by the Debian Security Team, but if you use Flatpaks, then none of your Flatpaks pick up the fix unless it’s fixed by Flathub’s copy of the library.
If you use many Flatpaks, Debian loses their ability to protect you from slobs at Flathub who ignore security patches for their code libraries. Debian can only fix Debian’s libraries.
It’s fundamentally the same with every distribution, but when you use Fedora Silverblue or another immutable OS, and everything is a Flatpak, all your applications become vulnerable to Flathub’s slovenly security practices.
So you can imagine how horrible it must be to try to administer “Silverblue” or anything going down that path, like SUSE ALP probably will.
So this is why I said “Screw it!” and installed Debian. I don’t know if they’ll go down this particular path of errors, but if they do, I’ll use something else. We’ll cross that bridge when we get there.
This “immutable” file system garbage forces the user to run “containerized applications” which only causes a different disaster to actually happen.
Unpatched libraries piling up. Lots of them. Like Windows.
While I was initially supportive and enthusiastic about Flatpak, the more I’ve learned, seen, and experienced has shown me that it should really only be a supplemental source of software for when your distribution refuses to package something you want, or you need a later version than they have.
I myself have never had more than about 10-12 Flatpaks on the entire system, and that’s with thousands of RPMs or DEBs.
Another issue I’m seeing with Flatpak is that it seems to be an outlet for IBM/Red Hat’s anti-X11 propaganda.
They’ve already declared it a “Legacy Window System” even though Wayland is unstable and not feature-complete enough to use for any desktop other than GNOME.
In IBM’s world, everything except GNOME (which is sort of their corporate sewer), doesn’t exist.
KWin is a fantastic window manager. It also supports X11 better than Wayland. The IBM propaganda and troll army has already declared Wayland to be everything you need, even though in the background they quietly do thousands of patches to XWayland which have no relevance to Xorg Server running as the windowing system natively.
It’s very important to them to get XWayland into better shape because most software developers have assigned little to no priority to actually supporting Wayland itself, and using Wayland directly will destabilize many window managers, and make X11 applications fail to work properly. (Even on GNOME.)
So, since Wayland is making everything I do function worse, also having this propaganda about X11 in Flatpak is just making me cringe about Flatpak more.
But isn’t some “security” better than none?
If it doesn’t get in the user’s way and if they actually fix it when it does, hey, I’m all for it.
But creating a problem by solving another, smaller, problem, is not “security”. It just changes the type of danger the user is now in.
Discretionary Access Controls are something so fundamental and basic, that Microsoft basically made them unworkable until Windows 7, and broken from Windows 7 onward.
But we are supposed to let them have a pass and complain about every local privilege escalation bug in Linux?
Just fix them! Fix them as they are discovered.
Making the file system root read-only on a general purpose OS will piss off administrators, but it won’t substantially add any real security to a desktop system.
Unless you have a very narrow use case, like an embedded or server operation, or something like Tails where the user is supposed to be in a live environment that gets cleared from main memory and wiped anyway, and shouldn’t be going around installing things, and making the thing tamper-resilient is the use case because it won’t harm the appliance anyway, immutable file systems and containers are somewhat overrated.
This is an example of “Justify your use case.” being ignored by the people who tend to say it all the time themselves.
Most malicious software is more than happy getting to a place where it can spy on the users or encrypt their data and make demands for payment to get it back.
Like what’s so common on Microsoft Windows.
You can do a lot of that damage even with the Flatpak “Sandbox” (which the author and the user both control, so there may not even be any Sandboxing to speak of), and a read-only file system root.
About half of the most popular applications don’t even have the “Sandbox” on to a meaningful degree, on top of the rotting libraries issue.
Most “cross-platform” malware is actually a malicious browser extension that gets overlooked by Google.
They’ve let the Chrome Web Store turn into a malware author’s paradise. They remove some every now and then, but there’s always more.
You shouldn’t “install all kinds of extensions”, especially ones under a proprietary license, where the author cannot be verified to have put it there, or things you don’t absolutely need.
Most attackers aren’t really trying to screw up your computer.
In the 1980s and 1990s, when you got a computer virus, it was something some bored asshole did to mess up your machine. They were just malicious and laughing to themselves about being able to trash a lot of people’s computers because they stuck in a floppy disk and ran the wrong program. Sometimes the goal was to just make the computer do something really annoying.
Now, they’re trying to make money, through adware, keyloggers to steal bank info, etc., which they can do through Chrome extensions.
None of this “Silverblue” stuff will protect you from that. You have to use your brain and limit your exposure.
Putting the Web in a position where it has become so overgrown that “visit page, get pwned” is even possible, is the doing of Google, Apple, Microsoft, and Mozilla.
Recognizing malware in a browser’s extension store faster, and pulling it out, is where Google and other browser makers could really do some setbacks.
Crippling an operating system to deal with those threats is inappropriate.
Immutable operating systems also don’t do anything about potential ransomware that may want to run in the area of the file system the user controls, because that’s where their files are.
You know, call me old fashioned. One of the things I like about updates being deployed through individual packages is, as the owner of the computer, I like to have some say in what gets pulled in, and when is a convenient time for a reboot.
Not offering the user individual updates and letting them apply “only security”, or “security plus this issue I’m having”, is partly how Windows got to be as much of a mess as it is now.
Where every month Microsoft craps out an update several hundred MB big, and then breaks things, and “uses telemetry” to see how it went for whoever was unlucky enough to get it first.
I really don’t like to be pissed on and told it’s raining.
If you want to do an immutable OS with Flatpaks because it’s easier for you as an OS vendor to point me to semi-trusted packages that all don’t work to some degree and have rotting libraries and partial-sandboxing, and give me mega-updates that are all or nothing, and “Don’t worry about what’s in them, you’ll find out…”, then just say that.
Please don’t tell me you’re “Securing” my PC.
Real security is “trench work”. It means fixing bugs and immediately rolling out patches.
Flatpaks can never be part of a concept like this as long as the people behind it don’t want to package new libraries quickly, and nobody is willing to tell application developers “fix your program”.
I’ve had an amazingly long 25 year malware-free Linux experience.
I have a difficult time believing I’ll suddenly run into something tomorrow if I don’t deploy an “immutable” OS with Flatpaks-only.
However, what Fedora Silverblue users will find staring them in their face when they open “unfiltered Flathub” in GNOME Software, among other things, is a gigantic piece of trash, and keylogger, packaged by free (to Microsoft) labor, called Microsoft Edge for Linux along with 600 other pieces of really dodgy proprietary software, like Zoom.
Have fun with that.
Or you can join me in moving to whichever operating system doesn’t seem to be showing interest in going in this direction.
For what it’s worth, I don’t think there’s any strong community interest in containers, Flatpak, or immutable distributions. All of the immutable distributions I know of that are purported to be of general purpose use are maintained by corporations.
I think they might sound better on a “whitepaper” on the desk at an IBM boardroom meeting than they perform in practice.
In a Chromebook, all of Debian is in a container, but Debian itself is not an immutable OS or trying to restrain what the user can accomplish in the container.
Google has also bridged the container to the main OS so that the user can share files and other resources with the Debian system. Perhaps Google’s model is the best example of a containerized product on the market for average users, but they don’t have it set up the way that Silverblue and other “immutable Linux distributions” are trying to go.
I believe that, contrasted with IBM debauching the Linux experience, Google has provided a successful example of how containerized operating systems actually can add an incredible amount of value to a product.
When I bought my first Chromebook, it was just a Web browser. It couldn’t do anything else, couldn’t even print with it.
A “Google Cloud Print” thing came up and told me my printer was useless and I’d have to buy a “Google Cloud Print” printer and hook it up to my network, so I was stuck printing to PDFs and sticking them on a thumbdrive for the library’s copying machine.
Microsoft, of all companies, even made an advertisement mocking them for being “basically a brick” without an Internet connection. (With the cast of Pawn Stars.)
With support for CUPS and Debian, Google has made the Chromebook a Windows PC-killer.
Even my spouse, who has no interest in administering a computer, is a Debian user now thanks to the Chromebook.
We don’t even use Chrome on it. I set it up so it has other browsers by the way of Android and Linux.
I think it’s kind of neat that Google realized people were walking away, but you can get OEMs the marketshare they crave if you just sell the customer an entire computer.
After it reaches end of life in a couple years, I’m going to perform some surgery and put Chrome OS Flex on it. ⬆