Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Linux

Vanilla OS Offers a New Take on Security for the Linux Desktop (vanillaos.org) 31

OS News cheers the first official release of Vanilla OS, calling it "an immutable desktop Linux distribution that brings some interesting new technologies to the table, such as the Apx package manager."

From the official release announcement: "By default, Apx provides a container based on your Linux distribution (Ubuntu 22.10 for Vanilla OS 22.10) and wraps all commands from the distribution's package manager (apt for Ubuntu). Nevertheless, you can install packages from other package distributions.... Using the --dnf flag with apx will create a new container based on Fedora Linux. Here, apx will manage packages from Fedora's DNF repository, tightly integrating them with the host system.
ZDNet calls Vanilla OS "a new take on Linux that is equal parts heightened security and user-friendly." Among other things, "the developers opted to switch to ABRoot, which allows for fully atomic transactions between 2 root partitions." The official release announcement explains: ABRoot will check which partition is the present root partition (i.e A), then it will mount an overlay on top of it and perform the transaction. If the transaction succeeds, the overlay will be merged with the future root partition (i.e B). On your next boot, the system will automatically switch to the new root partition (B). In case of failure, the overlay will be discarded and the system will boot normally, without any changes to either partition.
But ZDNet explains why this comes in handy: Another really fascinating feature is called Smart Updates, which is enabled in the Vanilla OS Control Center, and ensures the system will not update if it's either under a heavy load or the battery is low. To enable this, open the Vanilla OS Control Center, click on the Updates tab, and then click the ON/OFF slider for SmartUpdate. Once enabled, updates will go through ABRoot transitions and aren't applied until the next reboot. Not only does this allow the updates to happen fully in the background, but it also makes them atomic, so they only proceed when it's guaranteed they will succeed.

The only caveat to this system is that you are limited to either weekly or monthly updates, as there is no daily option for scheduling. However, if you're doing weekly updates, you should be good to go.... Setting aside that which makes Vanilla OS special, the distribution is as stock a GNOME experience as you'll find and does a great job serving as your desktop operating system. It's easy to use, reliable, and performs really well...especially considering this is the first official release.

"Every wallpaper has a light and a dark version," adds the release announcement, "so you can choose the one that best suits your needs."
This discussion has been archived. No new comments can be posted.

Vanilla OS Offers a New Take on Security for the Linux Desktop

Comments Filter:
  • Why is it called "Vanilla"? Wouldn't Vanilla mean using the original code with no customization at all?

    • They're running out of cool sounding names.

    • by Halo5 ( 63934 )

      I think this might be due to the fact that it's a vanilla version of Gnome, which is why I won't be using it. I will ALWAYS require a taskbar in order to have a quick view of running apps (which Ubuntu provides through their modified Gnome DE.

  • by Big Hairy Gorilla ( 9839972 ) on Saturday January 07, 2023 @12:50PM (#63187610)
    they have a light AND a dark wallpaper

    seems to be the most relevant feature that most chumps use to decide in the end
    • by cstacy ( 534252 )

      they have a light AND a dark wallpaper

      seems to be the most relevant feature that most chumps use to decide in the end

      Shouldn't it be called "Chocolate And Vanilla", then?

      I see that it also has both kinds of package managers. Country *and* Western!

      I am about to re-image my laptop for some Ubuntu. I like stability. Maybe with this atomic root overlay feature, this is the distro for me!

  • Why Vanilla? It seems like Qubes OS has a more compelling security model and has a larger community of support.

  • I remember when Redhat thought that security was the #1 Linux Issue. They are now oldHat.
  • by Anonymous Coward

    If "yes" never fucking mind.
    It's unsafe, black-box code.

  • Cool, but ... (Score:5, Insightful)

    by fahrbot-bot ( 874524 ) on Saturday January 07, 2023 @01:10PM (#63187668)

    Among other things, "the developers opted to switch to ABRoot, which allows for fully atomic transactions between 2 root partitions."

    From the referenced ABRoot Git page (README.md):

    Note: This is a work in progress. It is not ready for production use.

    So... about that Vanilla 22.10 versioning ... :-)

    (Also, does it bring along all the Ubuntu 22 snap crap -- I mean, baggage -- I mean "features"?)

    • That isn't even the worst of it:

      "By default, Apx provides a container based on your Linux distribution (Ubuntu 22.10 for Vanilla OS 22.10) and wraps all commands from the distribution's package manager (apt for Ubuntu). Nevertheless, you can install packages from other package distributions.... Using the --dnf flag with apx will create a new container based on Fedora Linux. Here, apx will manage packages from Fedora's DNF repository, tightly integrating them with the host system"

      Ahh yes, "security" is when I run large chunks of TWO user lands at once, doubling my attack surface. What's next, maybe boot three kernels, with two being older ones?

  • and drivers that don't go into the containers?
    How is it setup to install / run them?

  • I think this is rehash of CoreOS for the desktop. ChromeOS also had similar 2 partition update strategy and perhaps the first OS to do so. CoreOS is now defunct and rehashed and maintained by Fedora/RedHat https://coreos.github.io/coreo... [github.io] It would be nice to also have feature where you can rollback to an earlier version at will.
  • The only difference I can tell between the various package managers is that some install the dependencies automatically while others don't (but can if asked nicely). Why is that needed at all with that little difference between them ?!?
    The only potentially new distro I'd like to see is a *very* easy to configure variant of gentoo with a default "-native" compile option for everything. CPUs are now fast enough to compile every update in a matter of minutes (and in the background without impacting anything)
    • I use and love Gentoo, but updates can take a LOT longer than "a matter of minutes." it is not unknown for my weekly updates to take hours even on fairly quick machines and sometimes well over a day on slower ones.

      Several attempts have been made to provide a front end GUI for Gentoo installs. They haven't gained much traction, probably because to be a successful Gentoo user, one must be at least moderately technical, familiar with the command line, able to do basic troubleshooting, etc., and, to such a pe

      • by dargaud ( 518470 )
        I did use Gentoo in the early 2000s and I don't know how it has improved (or not) since then. But things like automatic background compiling (even before manual install) and much easier variable selection (was that how those selectors were called?) seem the easy targets for improvement.
  • Comment removed based on user account deletion
  • by FudRucker ( 866063 ) on Saturday January 07, 2023 @05:40PM (#63188242)
    on their page showing a list pf packages and Vanilla uses systemd, so it don't matter how secure they think they have made it, by building their distro with systemd they included an "Achillies heel" that will always be a target,

    no thanks, ill stick with trusty old slackware
    • systemd has won [darknedgy.net]:

      In effect, even if systemd as an init system begins to be seen as lackluster, this wouldn’t make much of a difference given the wide range of the project. And simply having a “better init system” would certainly be of no import. When distributions signed up for systemd, they weren’t adopting a “better init system.” They were adopting a platform. Projects like Flatpak and Snappy have significant integration with systemd these days, and it is a done deal.

  • I'm very interested in system software, so I took a look at this distro. What I found is that all of the software they have written for "Vanilla OS" is written in either Go or Python. All the system level software was written in Go while anything GUI related was written in Python. Everything else is a fork with minimal modification.

  • Not exactly "on point" but close enough I think

    https://xkcd.com/927/ [xkcd.com]

  • How is such an increase in complexity a security feature? Safety against borked boot, probably, but not security. Fiddling with how updates are performed, how root works when updating and working with vital locations, is just inviting a disaster. We have already seen this in UEFI. Sounds like an ad for next Windows version.
  • By the way this post was Amazing but can you please write on Natural Formation of Rivers ! [clavick.com]

    https://clavick.com/convention... [clavick.com] I Really Appreciate the way you describe the topic, nice keep it up. Clavick [clavick.com] https://clavick.com/ [clavick.com] https://clavick.com/minerals-a... [clavick.com]

  • An immutable desktop OS is available by Fedora (Silverblue), using OSTree as a "git of OS" of sorts.

    Not sure why the AB thingy is supposed to be a better solution - to me, it's a downgrade. (Didn't dive into details, but I'm assuming it keeps two different versions of the OS around, while OSTree is more a a directed-graph-version-control on steroids type of things, allowing things like "rebase" n stuff.)

    Not sure what Vanilla OS thought it could make better to justify building a new distro from scratch? Mayb

  • Why not "chatter +Ri /" it? bam its immutable. /s I think stuff like this is silly. I don't really see security in this via the announcement infect a container... system applies it.... oops its a bot. How is that different than all the other distros? Are they going to move to a no superuser format. where you cant hack as UID=0? and fix stuff that their package manager "Breaks"... I am personally going to pass on this distro. there is other immutable file systems like overlayfs.....

The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Working...