Distro agnostic packages like flatpaks and appimages have become extremely popular over the past few years, yet they seem to get a lot of dirt thrown on them because they are super bloated (since they bring all their dependencies with them).

NixPkgs are also distro agnostic, but they are about as light as regular system packages (.deb/.rpm/.PKG) all the while having an impressive 80 000 packages in their repos.

I don’t get why more people aren’t using them, sure they do need some tweaking but so do flatpaks, my main theory is that there are no graphical installer for them and the CLI installer is lacking (no progress bar, no ETA, strange syntax) I’m also scared that there is a downside to them I dont know about.

  • @j4k3
    link
    English
    19 months ago

    IIRC it puts a user owned directory inside the root. I have no clue what the total implications are in respect to privacy and security.

    The last time I looked the NIX solution to secure boot keys was to disable secure boot, making the largest attack surface on modern computers completely unprotected by default. The idea of leaving it up to the user to figure out keys and self signing was a giant red flag for me. My current workstation requires a shim as the bootloader that came with the device rejects custom keys and I didn’t care to figure out Keytool on my own to boot into UEFI and try to change them by force. That knocked NIX off my list of complete distros to run. While I don’t know the implications for the NIX package manager on another distro, this is the combination of real factors that formed my chain of reasoning about using NIX in both respects.

    I also ran arch for a few weeks once and am now extremely skeptical of any distro that presents anything that hints at “you figure it out yourself” complications for basic function. After Arch I went to Gentoo back when the Sakaki guide still worked and that was much more my style. I had something that just works, and made extra complications much more approachable. Specifically, I found documented entry points on things I didn’t understand, approached in ways I found useful. I don’t recall exactly what I was trying to do at this point, but with NIX I spent a couple of days trying to figure out stuff and went in circles. I think I had come across a NIX package for KoboldCPP and tried a bunch of stuff that didn’t work.

    Anyways, I have nothing against NIX and might try it again one day. This is not bashing on NIX, or calling it inadequate. This was just my experience as a dumb user.

    • Atemu
      link
      fedilink
      29 months ago

      IIRC it puts a user owned directory inside the root. I have no clue what the total implications are in respect to privacy and security.

      None.

      The last time I looked the NIX solution to secure boot keys was to disable secure boot

      Are we talking about Nix or NixOS here now? These are entirely different things.

      Nix on non-NixOS does not care whether that OS can do secure boot or not.

      As for NixOS: https://github.com/nix-community/lanzaboote

      (Not sure what you’d actually want to achieve with “secure” boot as it doesn’t protect you against anything on its own.)

      The idea of leaving it up to the user to figure out keys and self signing was a giant red flag for me.

      The current support for secure boot in NixOS is rather experimental still. It’s the same as any other distro that hasn’t applied to RedHat to get their shim signed with a M$-trusted key, so I don’t really see your point here.

      That aspect is also being worked on as we speak.

      I didn’t care to figure out Keytool on my own to boot into UEFI and try to change them by force. That knocked NIX off my list of complete distros to run.

      That’s your ignorance’s fault, not any distro’s. If you can’t be bothered to plug in your own keys, you limit yourself to the set of distros that are indirectly officially approved by M$.

      I also ran arch for a few weeks once and am now extremely skeptical of any distro that presents anything that hints at “you figure it out yourself” complications for basic function. After Arch I went to Gentoo back when the Sakaki guide still worked and that was much more my style. I had something that just works, and made extra complications much more approachable. Specifically, I found documented entry points on things I didn’t understand, approached in ways I found useful.

      If you need your hand held, the Nix ecosystem won’t be for you. It’s not really approachable by people who can’t research things in its current state.

      Nothing wrong with that but Nix just isn’t at the point where mere mortals can reasonably be expected to be able to use it.

      • @j4k3
        link
        English
        29 months ago

        I can respect all of that.

        That’s your ignorance’s fault, not any distro’s. If you can’t be bothered to plug in your own keys, you limit yourself to the set of distros that are indirectly officially approved by M$.

        Harsh. I tried signing my own keys. I replaced them in the bootloader, but when I do the final step to lock them down, the TPM chip flushes the new keys and reissues fresh keys again. The only guide I have found for Keytool is on Gentoo. I love Gentoo’s documentation for a lot of things, but it assumes a high level of competence, and I haven’t seen anything visually showing exactly what to do and how Keytool works in practice. I don’t feel very confident taking that step for the first time on a machine I must keep working.

        Indeed there are many times I “need my hand held” in order to take my first steps into a subject. I need an intellectually-intuitive foundation that is stable and I can build upon.

        You say there is no security issue with a user owned directory in root, but intuitively, that shakes a lot of my understanding that is not grounded in formal CS as you likely seem to be. Like I don’t understand:

        • why a user owned directory in root is needed
        • What it means for NIX in reference to configuration files, dot files, and my mental model of mess that belongs in /home/$user. While unfounded, I immediately worry root will somehow get cluttered with junk too. It is probably wrong, but I think of $user being largely sandboxed in /home/$user/
        • I don’t know what the SELinux context is for NIX, but I only have a limited grasp of SELinux from hacking around on Android to add things like busybox, and I know it is permissive but enabled in Fedora.
        • I question how anything placed directly in the root directory of another distro will impact future updates from the packagers of the distro.
        • Isn’t this against the Unix framework to place something directly in root?

        I think those are all of the intuitive thoughts and questions that resonated in my mind when I saw /nix and noticed its user context.

        When I am working on some other project, I don’t want my OS to force me into some peripheral rabbit hole in some large gap within my understanding just to run an update for a package I need, like what I experienced with pacman. My negative experiences with Arch many years ago makes me default skeptical. While I understand that NIX and NIXOS are different, I still associate them when it comes to developing trust.

        Last thing worth mentioning since I have been thinking about it. I was motivated to try NIX, enough to install it, in order to try a preconfigured version of KoboldCpp, as I mentioned. However, I recall it was posted on a website somewhere and was described for a WSL NIX Flake. I was curious to try it because I have had trouble with Nvidia with a mainline kernel and kobold. I thought maybe the flake was just described for WSL and I could easily sort out a Linux version, but that didn’t happen. The flake was not in any native repo, and altering it to run in Linux did not feel very approachable in documentation as far as a first time experience with NIX. I don’t think kobold is compatible with a DKMS built Nvidia module anyways so that stopped my effort.

        • Atemu
          link
          fedilink
          2
          edit-2
          9 months ago

          I tried signing my own keys. I replaced them in the bootloader, but when I do the final step to lock them down, the TPM chip flushes the new keys and reissues fresh keys again

          It may just be that the firmware of your particular board is buggy to the point of being broken.

          You could try updating it but sometimes it’s futile and the firmware is just the biggest pile of crap.

          Indeed there are many times I “need my hand held” in order to take my first steps into a subject. I need an intellectually-intuitive foundation that is stable and I can build upon.

          Absolutely reasonable expectation. I wish we had that.

          why a user owned directory in root is needed

          I initially glossed over the fact that you said “user-owned” here. It still shouldn’t affect anything because nothing uses /nix for anything security-critical at any point but it’d certainly be smelly.

          User-owned /nix is only the case in single-user installs which I believe have been deprecated for a while and certainly aren’t the way to go anymore.

          These days the preferred and default method is a multi-user install where /nix is owned by root there and exclusively managed by the privileged nix-daemon.

          What it means for NIX in reference to configuration files, dot files, and my mental model of mess that belongs in /home/$user. While unfounded, I immediately worry root will somehow get cluttered with junk too. It is probably wrong, but I think of $user being largely sandboxed in /home/$user/

          Nix (the package manager) itself does have some limited local state (cache, current profile link) that is put into the appropriate XDG user dirs. It will never touch anything outside of those specific state dirs, the TMPDIR and /nix.

          Nix is designed to be fully contained in /nix. This property enables you to even wipe their entire root on every boot under NixOS.

          Apps installed via Nix behave as they always do w.r.t. cluttering directories. openssh will still create and manage its ~/.ssh directory for instance, just like on other distros. If you ran some daemon that you installed via Nix with sufficient privileges, it may try to create its state directory in /var or whatever; just like the same daemon from any other distro’s package would.

          That is all to say: Nix does not do anything special here. Its packages largely behave the same as they do on any other distro and that behaviour includes state directory cluttering behaviour at runtime.

          I don’t know what the SELinux context is for NIX, but I only have a limited grasp of SELinux from hacking around on Android to add things like busybox, and I know it is permissive but enabled in Fedora.

          No SELinux support whatsoever.
          There is somewhat explicit non-support even as Nix’ model of files and directories does not include xattrs; you cannot produce a Nix store path that has special xattrs for SELinux purposes.
          Metadata like permissions, dates and owner information are all normalised in the Nix store. The only permitted metadata apart from the file name is whether regular files can be executed.

          If your system uses SELinux, you must add an explicit exception for the Nix store. (Installers may do that automatically these days, I haven’t kept up with that.)

          question how anything placed directly in the root directory of another distro will impact future updates from the packagers of the distro.

          Other distros simply do not touch /nix; it’s not their domain.

          FHS distros control FHS directories such as /usr or /bin depending on what individual packages contain but no sane package of an FHS distro will try to control /nix/store/hugehash-whatever/.

          Isn’t this against the Unix framework to place something directly in root?

          Nix does many things that go against original design principles of Unix and that’s a good thing. It’s not the 70s anymore and some aspects of Unix have not aged well.

          https://economicsfromthetopdown.com/2024/02/17/nixing-technological-lock-in/

          trouble with Nvidia with a mainline kernel and kobold.

          Using Nix for applications that have userspace driver dependencies on non-NixOS requires a hack unfortunately: https://github.com/nix-community/nixGL

          • @j4k3
            link
            English
            29 months ago

            Thanks for taking the time to answer all of my questions. I’m much more likely to try NIX again now.