Bonum Certa Men Certa

Immutable Operating Systems Do Not Really Enhance Security

Reprinted with permission from Ryan Farmer.

Immutable Operating Systems Won’t Make Your Data Secure.



(But they will annoy you.)



Immutable operating systems seem to be what all of the “cool kids” are talking about lately, but what are they?



Essentially, an example of the concept is Fedora Silverblue.



The file system root is mounted read-only, and operating systems become a “giant image” where the thousands of packages brought to you now through your distribution in a native packaging format such as RPM or DEB packages, are replaced with a modified packaging tool like “rpm-ostree”.



The issues brought about by this sort of a change are that the user can’t hold back particular updates, install only critical security updates (like Fedora users today can with dnf update –security), or update a few packages that need to go in right now, like a new Web browser, and keep everything else back for a while, or selectively back out a kernel that’s doing something odd until later on, but keep all the other updates.



Updates using rpm-ostree are transactional, in that they either fully succeed or entirely fail, but that doesn’t guarantee you have a perfectly functional system. It only means that the packages installed successfully. I can’t remember in decades of mostly using RPM distributions, when an RPM last jammed up and wouldn’t go in.



With rpm-ostree on Silverblue, you can still get buggy components, and the only thing you can really do to revert them is roll back the entire OS image, complete with other updates, which may be for security issues.



Needless to say, this is not a long-term solution any more than holding back a kernel, but now it covers your entire operating system!



Fedora has so much update churn, that if you use a system like this, then to put any updates into actual effect, you will be constantly interrupting your computer to reboot.



rpm-ostree supports “package overlays”, so yes, you can install RPMs and even RPM repositories, and the new packages get overlaid onto the image of the OS in the “RPM layer”, however, every time you install a package this way, you will need to reboot.



Red Hat’s answer to this is “You’re supposed to be using Flatpaks.”, which at this point, are not really fully available from Fedora Flatpaks, and not actually ultimately trustworthy as an authoritative source of software from Flathub.



Fedora has a feature proposal coming that will provide the user with full access to an “Unfiltered Flathub”, and they are dropping support for some RPMs, like LibreOffice, entirely.



So it seems to me like they’re gearing up to force everyone to nuke their Workstation install and go “Atomic Workstation” (the former name of Silverblue).



This will be highly disruptive to Fedora users, and since they’re going to have to reformat anyway, I think it’s a good time to just leave if you’re no longer interested in a distribution that doesn’t take usability and desktop users seriously (because IBM doesn’t).



Some Flatpaks do indeed work fine, most “appear” to work fine initially and then you find out later that the “Sandbox” actually breaks things. Sometimes the breakage is just annoying, sometimes it puts a real crimp on what you want the program to do.



For example, with OpenRA, you can’t install community mods into the games, so you’re going to need the AppImage files (a different universal program format for Linux I’ll get to later).



With GNOME Web (Epiphany), I tried to use the Flatpak on KDE because I think WebkitGTK is a pretty good rendering engine.



It makes pages look fantastic, but the Flatpak was completely broken and wouldn’t connect to Firefox Sync, which is also unfortunately the only way to bring in bookmarks and passwords without importing your bookmarks as an HTML file and the passwords one at a time. I currently have about 450 passwords in my browsers. I can share them between each browser in a CSV file. Web can’t import in this format.



They chose to depend on Firefox Sync, which doesn’t even work at all in the Flatpak.



When I installed GNOME Web through Flatpak in my Chromebook, it had the same issue with Firefox Sync. Apparently, it just needs something from GNOME, I believe, that they’re not putting in the Flatpak.



With Firefox in Flatpaks, sometimes the font rendering is broken.



Mozilla still hasn’t looked into this, four years after the bug was filed.



I gave up. But if that wasn’t enough, the “Sandbox”, which lets the browser download and execute files, but only in “Downloads” (So don’t worry, the malware can use that, but the rest of the file system is supposedly safe, so hooray!?), breaks Video Download Helper.



Video Download Helper requires a “CoApp” program to deal with HTTP Live Streaming sites. It probably also breaks other things that need a Native Helper like the extension to put Gopher support back into Firefox. (I didn’t check.)



When I tried to remove the file system “Sandbox” so the Firefox flatpak could fine the CoApp, the application stopped paying attention to its folder in ~/.var/app and wrote into my /home folder where non-Flatpak Firefox usually stores new profiles, caches, and settings. Ugh.



Using Flatpaks is aggravating because the “Something something security!” people have amazingly left almost all the attack surface, yet declared there’s a “Sandbox”, and because of the “Sandbox”, many applications come close to working, but no cigar, unless they don’t actually have to do very much.



Even Debian’s Wiki page about Flatpak has a section on Security concerns about the format, which leads to Flatkill.org.



Flatkill was last updated in 2020, and very little had changed. Most of the platform Flatpaks have old libraries that don’t get security patches, sometimes for nearly a year after a security hole is found.



Debian says that one reason to prefer Debian packages is because the system library will be patched centrally by the Debian Security Team, but if you use Flatpaks, then none of your Flatpaks pick up the fix unless it’s fixed by Flathub’s copy of the library.



If you use many Flatpaks, Debian loses their ability to protect you from slobs at Flathub who ignore security patches for their code libraries. Debian can only fix Debian’s libraries.



It’s fundamentally the same with every distribution, but when you use Fedora Silverblue or another immutable OS, and everything is a Flatpak, all your applications become vulnerable to Flathub’s slovenly security practices.



So you can imagine how horrible it must be to try to administer “Silverblue” or anything going down that path, like SUSE ALP probably will.



So this is why I said “Screw it!” and installed Debian. I don’t know if they’ll go down this particular path of errors, but if they do, I’ll use something else. We’ll cross that bridge when we get there.



This “immutable” file system garbage forces the user to run “containerized applications” which only causes a different disaster to actually happen.



Unpatched libraries piling up. Lots of them. Like Windows.



While I was initially supportive and enthusiastic about Flatpak, the more I’ve learned, seen, and experienced has shown me that it should really only be a supplemental source of software for when your distribution refuses to package something you want, or you need a later version than they have.



I myself have never had more than about 10-12 Flatpaks on the entire system, and that’s with thousands of RPMs or DEBs.



Another issue I’m seeing with Flatpak is that it seems to be an outlet for IBM/Red Hat’s anti-X11 propaganda.



They’ve already declared it a “Legacy Window System” even though Wayland is unstable and not feature-complete enough to use for any desktop other than GNOME.



In IBM’s world, everything except GNOME (which is sort of their corporate sewer), doesn’t exist.



KWin is a fantastic window manager. It also supports X11 better than Wayland. The IBM propaganda and troll army has already declared Wayland to be everything you need, even though in the background they quietly do thousands of patches to XWayland which have no relevance to Xorg Server running as the windowing system natively.



It’s very important to them to get XWayland into better shape because most software developers have assigned little to no priority to actually supporting Wayland itself, and using Wayland directly will destabilize many window managers, and make X11 applications fail to work properly. (Even on GNOME.)



So, since Wayland is making everything I do function worse, also having this propaganda about X11 in Flatpak is just making me cringe about Flatpak more.



But isn’t some “security” better than none?



If it doesn’t get in the user’s way and if they actually fix it when it does, hey, I’m all for it.



But creating a problem by solving another, smaller, problem, is not “security”. It just changes the type of danger the user is now in.



Discretionary Access Controls are something so fundamental and basic, that Microsoft basically made them unworkable until Windows 7, and broken from Windows 7 onward.



But we are supposed to let them have a pass and complain about every local privilege escalation bug in Linux?



Just fix them! Fix them as they are discovered.



Making the file system root read-only on a general purpose OS will piss off administrators, but it won’t substantially add any real security to a desktop system.



Unless you have a very narrow use case, like an embedded or server operation, or something like Tails where the user is supposed to be in a live environment that gets cleared from main memory and wiped anyway, and shouldn’t be going around installing things, and making the thing tamper-resilient is the use case because it won’t harm the appliance anyway, immutable file systems and containers are somewhat overrated.



This is an example of “Justify your use case.” being ignored by the people who tend to say it all the time themselves.



Most malicious software is more than happy getting to a place where it can spy on the users or encrypt their data and make demands for payment to get it back.



Like what’s so common on Microsoft Windows.



You can do a lot of that damage even with the Flatpak “Sandbox” (which the author and the user both control, so there may not even be any Sandboxing to speak of), and a read-only file system root.



About half of the most popular applications don’t even have the “Sandbox” on to a meaningful degree, on top of the rotting libraries issue.



Most “cross-platform” malware is actually a malicious browser extension that gets overlooked by Google.



They’ve let the Chrome Web Store turn into a malware author’s paradise. They remove some every now and then, but there’s always more.



You shouldn’t “install all kinds of extensions”, especially ones under a proprietary license, where the author cannot be verified to have put it there, or things you don’t absolutely need.



Most attackers aren’t really trying to screw up your computer.



In the 1980s and 1990s, when you got a computer virus, it was something some bored asshole did to mess up your machine. They were just malicious and laughing to themselves about being able to trash a lot of people’s computers because they stuck in a floppy disk and ran the wrong program. Sometimes the goal was to just make the computer do something really annoying.



Now, they’re trying to make money, through adware, keyloggers to steal bank info, etc., which they can do through Chrome extensions.



None of this “Silverblue” stuff will protect you from that. You have to use your brain and limit your exposure.



Putting the Web in a position where it has become so overgrown that “visit page, get pwned” is even possible, is the doing of Google, Apple, Microsoft, and Mozilla.



Recognizing malware in a browser’s extension store faster, and pulling it out, is where Google and other browser makers could really do some setbacks.



Crippling an operating system to deal with those threats is inappropriate.



Immutable operating systems also don’t do anything about potential ransomware that may want to run in the area of the file system the user controls, because that’s where their files are.



You know, call me old fashioned. One of the things I like about updates being deployed through individual packages is, as the owner of the computer, I like to have some say in what gets pulled in, and when is a convenient time for a reboot.



Not offering the user individual updates and letting them apply “only security”, or “security plus this issue I’m having”, is partly how Windows got to be as much of a mess as it is now.



Where every month Microsoft craps out an update several hundred MB big, and then breaks things, and “uses telemetry” to see how it went for whoever was unlucky enough to get it first.



I really don’t like to be pissed on and told it’s raining.



If you want to do an immutable OS with Flatpaks because it’s easier for you as an OS vendor to point me to semi-trusted packages that all don’t work to some degree and have rotting libraries and partial-sandboxing, and give me mega-updates that are all or nothing, and “Don’t worry about what’s in them, you’ll find out…”, then just say that.



Please don’t tell me you’re “Securing” my PC.



Real security is “trench work”. It means fixing bugs and immediately rolling out patches.



Flatpaks can never be part of a concept like this as long as the people behind it don’t want to package new libraries quickly, and nobody is willing to tell application developers “fix your program”.



I’ve had an amazingly long 25 year malware-free Linux experience.



I have a difficult time believing I’ll suddenly run into something tomorrow if I don’t deploy an “immutable” OS with Flatpaks-only.



However, what Fedora Silverblue users will find staring them in their face when they open “unfiltered Flathub” in GNOME Software, among other things, is a gigantic piece of trash, and keylogger, packaged by free (to Microsoft) labor, called Microsoft Edge for Linux along with 600 other pieces of really dodgy proprietary software, like Zoom.



Have fun with that.



Or you can join me in moving to whichever operating system doesn’t seem to be showing interest in going in this direction.



For what it’s worth, I don’t think there’s any strong community interest in containers, Flatpak, or immutable distributions. All of the immutable distributions I know of that are purported to be of general purpose use are maintained by corporations.



I think they might sound better on a “whitepaper” on the desk at an IBM boardroom meeting than they perform in practice.



In a Chromebook, all of Debian is in a container, but Debian itself is not an immutable OS or trying to restrain what the user can accomplish in the container.



Google has also bridged the container to the main OS so that the user can share files and other resources with the Debian system. Perhaps Google’s model is the best example of a containerized product on the market for average users, but they don’t have it set up the way that Silverblue and other “immutable Linux distributions” are trying to go.



I believe that, contrasted with IBM debauching the Linux experience, Google has provided a successful example of how containerized operating systems actually can add an incredible amount of value to a product.



When I bought my first Chromebook, it was just a Web browser. It couldn’t do anything else, couldn’t even print with it.



A “Google Cloud Print” thing came up and told me my printer was useless and I’d have to buy a “Google Cloud Print” printer and hook it up to my network, so I was stuck printing to PDFs and sticking them on a thumbdrive for the library’s copying machine.



Microsoft, of all companies, even made an advertisement mocking them for being “basically a brick” without an Internet connection. (With the cast of Pawn Stars.)



With support for CUPS and Debian, Google has made the Chromebook a Windows PC-killer.



Even my spouse, who has no interest in administering a computer, is a Debian user now thanks to the Chromebook.



We don’t even use Chrome on it. I set it up so it has other browsers by the way of Android and Linux.



I think it’s kind of neat that Google realized people were walking away, but you can get OEMs the marketshare they crave if you just sell the customer an entire computer.



After it reaches end of life in a couple years, I’m going to perform some surgery and put Chrome OS Flex on it.



Recent Techrights' Posts

Another "Told You So!": XBox Mass Layoffs at Microsoft (Many Recent Reports Were Chaff and Spin), Many Other Divisions Affected
With mass layoffs at Microsoft the world would be much better
When the Microsoft Aggressors Rely on Several Law Firms ('Attack Dogs', 'Guns for Hire'), Not Just One, Lawyering Up Against Techrights (Acting on Behalf of Americans Against UK Publishers)
From serving customers at some restaurant he has moved on to bullying people with demand letters
Polygamy, from Catholic Synod on Synodality to Social Control Media & Debian CyberPolygamy
Reprinted with permission from Daniel Pocock
Only a Third of or 1 in 3 Web-Connected Devices is a Desktop or Laptop, According to statCounter
we can expect Android to widen its lead
 
Linux Journal is a Slopfarm, It's Experimenting With LLM 'Authors'
Is Slashdot next?
WebProNews is a Slopfarm
Please avoid linking to WebProNews
Microsoft LinkedIn is Dying and Many More Layoffs Are on the Way
LinkedIn is just a failed acquisition of Microsoft. It causes losses and debt.
Gemini Links 25/06/2025: Combinatorial Music and Self Hosting
Links for the day
Richard Stallman Coming Back to Europe This Autumn to Give More Talks
His last talk in Europe attracted about 400-450 people
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, June 24, 2025
IRC logs for Tuesday, June 24, 2025
Social Control Media, Technology & Catholicism: Synod on Synodality review and feedback
Reprinted with permission from Daniel Pocock
How Many More Women Will Managers at Microsoft Strangle and Tell to Kill Themselves (or Try to Kill)?
The world needs to know what happened
The New BetaNews: 7 New 'Articles', All of Them LLM Slop
BetaNews is basically defunct. Nobody writes there anymore.
statCounter Estimates Only 1 in 300 Iranians Would Use Microsoft for Search
Iranians don't quite trust Microsoft
Gemini Links 24/06/2025: ftpd on FreeBSD and Online Small Web Magazine
Links for the day
Google News Does Great Harm by Promoting Slopfarms as Legitimate News Sites
Slopfarms are sites which are 100% LLM slop
Links 24/06/2025: Trouble at "Open" "AI" and ‘Siarhei is Free’
Links for the day
Gemini Links 24/06/2025: Stimulants and Subscription Costs for DRM
Links for the day
Links 24/06/2025: OpenAI [sic] May Soon Die (Too Much Debt) and Social Control Media Accused of Being Misinformation/Disinformation/Propaganda Amplifier
Links for the day
Nirbheek Chauhan in Planet GNOME Explains Why Wayland Pushers Are Losing
"A strange game. The only winning move is not to play."
The Days Are Getting Shorter, the First Half of 2025 is Almost Over
We're gratified to see significant increase in traffic and also positive feedback on the work we do
Turning GNU/Linux Into a Political Football
X (not the site) is Free software
X Server Still Works for Many People
A lot of people will grow suspicious of Wayland boosters/pushers if they persist and insist on using these tactics
Exactly a Week Ago "BetaNews Staff" Said "Betanews Is Growing Alongside You". Since Then Every Article (All by "Camila Nogueira") Has Been LLM Slop.
BetaNews is basically a slopfarm
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, June 23, 2025
IRC logs for Monday, June 23, 2025
The "Tarzan Effect" in Compilers and Software
What happens when you forcibly make things 'work', either by hacks or by disregarding warnings (like those that compilers tend to issue)?
Gemini Links 23/06/2025: Mass Tourism, Hair Love, and Google Gemini as a Googlebomb
Links for the day
Law Firm Burgess Mee Does Not Fully Deny Participating in Abusive Litigation for Serial Strangler From Microsoft
I am not unfamiliar with these tactics
The Modus Operandi of Wayland Pushers: Make It Political
do what I say or you're a nazi...
Links 23/06/2025: RFE/RL Contributor Vladyslav Yesypenko Released, Recording Industry Cutbacks
Links for the day
Brett Wilson LLP Solicitors (M): Over 99.9% of Our E-mail is Self-Marketing, We Send You 3.5MB E-mails for Less Than 1KB of Text
Why would tech people entrust legal matters to such people?
Peter Moon's (Computerworld) Interview With Richard Stallman
Stallman: If you want freedom don't follow Linus Torvalds
At What Point Does Outsourcing Constitute Malpractice?
Brett Wilson LLP's new staff page is misleading
United Arab Emirates (UAE) Sailing to GNU/Linux, According to statCounter
countries in that region will quickly learn the price of neglecting digital sovereignty
From Do Your Own Research to Do Your Own Search
The Web is full of garbage; search engines amplify this garbage
More People Moving to Geminispace?
at age 6+ Gemini Protocol seems to have gained some maturity and it seems like more people use it
Permutation in LLMs Does, Inevitably, Change Meanings and Therefore LLMs Cannot Properly Rephrase or Summarise Texts
LLMs lack actual grasp or comprehension of what they spew out
Links 23/06/2025: Many Security Breaches, Population Declines
Links for the day
Gemini Links 23/06/2025: "America at the Crossroads" and OpenWRT Surgery
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Sunday, June 22, 2025
IRC logs for Sunday, June 22, 2025
Pure Dove
Different means different, and sometimes those who "deviate" from "the norm" have a point
Censorship is a Sign of Weakness Which Invites More Censorship Attempts
revolutionaries don't succumb to pressure from bullies
Why It's Unlikely That LLM Slop Will Dominate the Web in the Long Run
Slopfarms will eventually perish (they have no actual value) and "survivors" on the Web will be sites that never depended on search engines and social control media
GNU/Linux in Argentina Now Measured Near 5%
Like in central Europe, they must be seeing an increasingly hostile US
BetaNews is Fake News, Composed by LLM Slop
nothing in BetaNews is written by humans anymore