Mythos Preview is better at finding real vulnerabilities than existing public models and, for now, only a few have access to it.

Not zero bugs, but it should help. A benefit for defenders is that they can use AI review on code before they make it public or release it in a stable release

Correct, that’s what I meant by calling it a lightweight sandbox that’s mainly used to isolate dependencies.

Though the cool thing about cold brew is that it’s simply a shell script. Not even a crazy long one at that. It would not be difficult to modify the bubblewrap flags to increase security.

Though filesystem isolation is not its goal, it’s meant to emulate that homebrew use which is unsandboxed.

That’s my gripe with Atomic distros. I feel like they don’t take the time to think things through and throw together. Instead, they throw together a new thing to address the shortcomings of the previous five things.

Love them or hate them, it feels like the only player sticking to their guns is Canonical with snap. It’s the only package manager that really does it all: GUI, CLI, IDEs, server, daemons, even the kernel and GRUB. Honestly, when the permission prompting is stable, I might be tempted to give it another chance.

Coldbrew kinda works like that. It uses bubblewrap and uses Alpine’s packages: https://gitlab.postmarketos.org/postmarketOS/coldbrew.

The unfortunate thing about snap is that of all options, it is the most capable. You get GUI, CLI, server, full filesystem access if needed (aka classic snaps). But Canonical really drags the project down and handicaps it with poor decisions.

• It’s pretty minimal out of the box (a bit like Arch). Unlike Fedora with SELinux or Ubuntu with AppArmor which come configured and enforcing out of the box.
• Nix is a programming language, and a complex one at that. There are plenty of ways to achieve the same goal. But as a novice or even intermediate user, it’s hard to know which is the best way. It also doesn’t help when you go with Way A and later want to do something else, but you find someone’s setup that uses Way B. Should I switch to Way B too? Or should I try to combine both ways into Way C?
• Flakes. First off, it’s annoying to have everyone say that NixOS is declarative and reproducible. Then you look into it a bit more and the story changes to “oh actually you need to enable this experimental feature to get better reproducibility”. But the part that actually annoys me is how everyone uses flakes and expects you to too, but it’s been an experimental feature forever and doesn’t seem any closer to becoming not-experimental.
• Linking issues. Say I install something like nvim with nix, then an nvim plugin wants to install something. That plugin isn’t aware of nix and tries to do things the Unix way, but that breaks. I know there are two solutions/workarounds to this problem; some packages are patched to avoid this and there’s something you can put in your configuration that “emulates” a more traditional environment that’s more compatible.
• I like sandboxing so I would use flatpak in NixOS. But there was some issue with fonts and icons I believe. I can’t remember if this PR fixed it or not: https://github.com/NixOS/nixpkgs/issues/119433
• Not the best UX out of the box. It’s common to find people with nix caches of hundred of gigabytes large because the system doesn’t automatically clean things up.

Brew installs both applications and their dependencies. When brew is added to the PATH, it also puts all those dependencies on your PATH.

For the most part, this does not cause issues. The OS usually uses absolute paths for binaries and dependencies. But for some programs, they will rely on PATH and may not be compatible with what brew provides.

Ideally, I think brew should fix this by only adding what you explicitly install to your PATH. When you launch it, it should launch a wrapper script that updates PATH with the homebrew dependencies. Though that wouldn’t exactly work for those who install a shell like zsh since then that would inherit the brew libraries anyway.

Or instead of changing PATH at all, use a fancy linking mechanism like Nix.

Universal Blue does some path tinkering to fix this, not sure how though. KDE Linux also has their own workaround, where they instead prioritize system dependencies over brews so that it’s brew that would break instead of the OS.

I’ve used NixOS, wasn’t that big of a fan. I certainly love the idea, but not the execution. Fedora Atomic just comes out of the box as a more complete, configured system that’s easier to understand.

I have been meaning to use Nix on Atomic, but the problem is that since / is immutable, Nix cannot create /nix and so doesn’t work properly. But there are workarounds for that issue, I just haven’t tried them yet.

Nix certainly fixes the PATH issues of homebrew since it has its unique linking system.

Not sure how I feel about this “distroless” pattern. It’s interesting to be able to get components directly from upstreams from like Gnome, but it makes certain tasks more difficult.

The lack of any distro packages to fall back on when flatpak, distrobox, appimages, and brew fails is simply annoying. I’ve experienced this multiple times.

• When I would flash OSes on my Pixel, I couldn’t use flatpak/distrobox/brew. I would either have to (1) overlay a browser and ADB tools, (2) overlay ADB and maybe use an Appimage browser, or (3) boot into a traditional distro like Debian that has an unrestricted browser. Distroless has no recourse for me here.
• Using sshfs: installing sshfs from brew or distrobox would not work without host configuration changes made by overlaying sshfs. Distroless has no distro package to fall back on
• Using tailscale: tailscale from brew didn’t work. Had to fall back on distro package. Distroless would fail me here, but in this case, I believe Jorge preinstalls it. So simply adopt all of Jorge’s tastes and applications and you’ll be fine…
• No upstream Steam support since there’s no rpmfusion or official valve package to use, you’d have to use something like the unoffical Steam flatpak

While I love Fedora Atomic and atomic distros in general, I constantly feel like they do not think things through. They made the system harder to break, but with severely limited (if you use them the way you’re encouraged to, like no layering). They then address these gaps one by one with more and more solutions that are imperfect and that do not fit all needs.

• Flatpak is good for GUI apps, but not CLI.
• Brew is good for CLI stuff, but does funky PATH things that could break host OS at times (and as mentioned, did not work for sshfs or tailscale for me). KDE Linux initially promoted Brew, but then later recommended not using it at all due to its PATH shenanigans
• Distrobox is good if you need distro packages, but the containerization has limitations with desktop integration and more complex tasks, like I mentioned with flashing OSes on my Pixel.

At least with Fedora Atomic (and containerfiles with bootc stuff), I can get a robust system, seamless OS upgrades, and install any packages that do not work well as flatpaks/distrobox/appimages.

It’s based on Alma Linux, which is on version 10.1.

If you have all the AppArmor patches and use a custom snap store, I believe so. There’s some inefficiencies with flatpak that are currently ignored. For example, every flatpak app has its own bubblewrap processing running, though they are light on resource usage. However, inter process communication is really inefficient, there’s a lot of context switching. You have the app talking to the dbus proxy and the proxy talks the real dbus (there might even be a step between the dbus proxy and real dbus).

Meanwhile, for snap, this security stuff is handled by AppArmor security profiles. There’s no need for a dbus proxy.

That’s part of what I mean. Snap could be so much more interesting and useful if not for Canonical doing stuff like only allowing one store and slacking on proper support for non-AppArmor distros.

One of the more bizarre experiences I’ve had is that a Canonical employee packaged a version of a Minecraft launcher. It was absolutely garbage, didn’t even start. The first thing that comes to mind is that snap is just garbage. But for fun, I made my own package of it, and it just worked perfectly. Which just leaves me the question of why a Canonical employee who works on snap can’t create a good snap package.

There’s also the weird fact that Ubuntu dropped the ball with its core24 runtime. For some reason, Canonical’s own snaps stuck to core22 up until this month. Like, why wouldn’t they upgrade to their latest runtime? If there was an issue with it, why has it been broken for 2 years? Doesn’t inspire trust.

I can understand MIT being an issue in some cases. For example, VSCode is a proprietary fork of the MIT open-source Code. If Microsoft wanted, they could stop publishing the MIT open source version. Of course that code would still exist as MIT, but development would slow down without Microsoft.

But I don’t see uutils being MIT as an issue. It’s primary goal is to be compatible with GNU coreutils. You can’t really rug pull a project with a goal like that. And permissively licensed utils have been around thanks to BSD and it’s never been an issue. You don’t see companies like Apple using proprietary forked versions as benefit. The “value” they add is higher up the tech stack with their own truly proprietary stuff or open stuff that encourages lock-in to its ecosystem, like Swift.

Snap as a technology is so interesting and more versatile than other formats. It’s just unfortunate that Canonical is in charge of the project, they’ve made some baffling decisions and continue to shoot themselves in the foot.

Haven’t done it personally, but I think Ubuntu would be one of the better choices. You get the Ubuntu ARM debs and ARM snaps out of the box.

You can then install Flathub and Fedora Flatpaks.

Fedora Flatapks is small and not without controversy, but one of its benefits is that all of its packages are built for ARM. Flathub and Snap aren’t consistent in doing that. Any many times you’ll find that Snap has an ARM build and Flathub doesn’t, and vice versa.

It certainly has it’s issues. Takes up quite a bit of space since each app tends ships its own copy of electron (though distros like Arch do try to make apps share a single Electron build). Apps may ship out of date versions that may have security vulnerabilities, though it’s not always the end of the world since they tend not to access outside of their own domains. As for slowness and resource usages, it’s bit of a tricky subject; an Electron app can be optimized, but will always use quite a bit of RAM.

Though undeniably they have been beneficial for Linux if only because it allows some companies to support Linux without too much extra work.

SSD is still supported, just tested Spotify and Flathub’s Electron test app in a VM with Plasma.

And with community maintained distros like Debian and Fedora, you kinda get the best of both worlds. You have a mostly community distro that doesn’t have corporate interests pushed on it, but have a corporation paying developers to work on it because it’s in their interest to.

Though unlike Gnome Web, this the performance is actually good despite being an early beta.

The scrolling performance using a mouse in Gnome Web just sucks, it’s choppy and inconsistent. Though it does feel okay when using a touchpad.

I’m looking through Gear Lever and don’t see anything. I only see the option to change the path where there actual Appimages are stored, not the data created by the appimages.