/nix/store is immutable. But there are some files in other places like /etc and /var that are mutable. Also I (or a malicious executable) could, in theory, delete store symlinks and replace them with mutable files. Impermanence helps, but you’ll still want some mutable state.
Fully immutable systems have everything outside of /home read-only. NixOS is not one of them.
I don’t really get the malicious software point though. All immutable distros have a mechanism for changing, after all they need to be updated. If a malicious executable has root access, which is what you need to change symlinks on NixOS (I know services often get their own user, but unless modified, only root has access to those users), then these malicious executables could also leverage whatever mechanism for change other immutable distros have, to do malicious things, no?
Though I do agree with you, now, that NixOS isn’t immutable.
There are ways to secure the update process. For example, you can enable secure boot and store your secure boot keys encrypted (or on a smart card). Then (if a full chain of trust is implemented) to update your system, you’d need to enter the private key password (or insert the smart card), and a root-access executable couldn’t to that automatically.
I think it can in theory, but there will be some problems. But most likely Silverblue or something else would have its own problems trying to implement something like that - I don’t have any experience with them and don’t know how they’d compare.
/nix/storeis immutable. But there are some files in other places like/etcand/varthat are mutable. Also I (or a malicious executable) could, in theory, delete store symlinks and replace them with mutable files. Impermanence helps, but you’ll still want some mutable state.Fully immutable systems have everything outside of
/homeread-only. NixOS is not one of them.I see.
I don’t really get the malicious software point though. All immutable distros have a mechanism for changing, after all they need to be updated. If a malicious executable has root access, which is what you need to change symlinks on NixOS (I know services often get their own user, but unless modified, only root has access to those users), then these malicious executables could also leverage whatever mechanism for change other immutable distros have, to do malicious things, no?
Though I do agree with you, now, that NixOS isn’t immutable.
There are ways to secure the update process. For example, you can enable secure boot and store your secure boot keys encrypted (or on a smart card). Then (if a full chain of trust is implemented) to update your system, you’d need to enter the private key password (or insert the smart card), and a root-access executable couldn’t to that automatically.
Yeah, but do other distros do this though? Not that I’m aware.
And surely the same could be done to NixOS, no?
I think it can in theory, but there will be some problems. But most likely Silverblue or something else would have its own problems trying to implement something like that - I don’t have any experience with them and don’t know how they’d compare.