
193 points dopple | 1 comments
kayson No.43745417
I really like the idea of immutable Linux and bootable containers. My next project will probably be switching to bazzite. But I took a look at the Containerfile[1], and I have some big concerns about the fragility of their supply chain. It uses 20 different copr repos (granted, half are their own), and I didn't count how many packages. Best I can tell, none of the versions are pinned. They do dump a diff of all package versions in the release notes[2], but I wonder if anyone actually reviews it before release. All it takes is one vulnerability in one repo / package and you can enjoy your new cryptominer.

There's something nice about running Debian and having confidence in all the packages because they're built and maintained by the Debian team. Of course there are exceptions, but in my experience they're rare. The only non-standard repo I regularly use is fish shell, and the updates are so few and far between (and very public) I think the risk is low.

I suppose this isn't strictly a container-specific problem; you could add the repos and install / update all those packages yourself too. But being able to package everything up into a single file that you can then boot into as your OS means you're also packing all the supply chain risk.

Curious if anyone else shares my concern or if I should just put my tinfoil hat back on...

1. https://github.com/ublue-os/bazzite/blob/main/Containerfile
2. https://github.com/ublue-os/bazzite/releases/tag/42.20250417

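As an added check that is not part of the thread and not bazzite's own code: a small linter that reads a Containerfile and reports the two things kayson points at, the copr repositories it enables and the packages installed without a pinned version. Pinning is recognised in RPM name-version-release form (e.g. `fish-3.7.1-1.fc42`); the Containerfile fragment, the copr names and the package versions below are constructed for the example.

```python
import re

# Constructed sample Containerfile, loosely modelled on the pattern the thread
# describes (copr enables plus unpinned installs). Not bazzite's real file.
SAMPLE_CONTAINERFILE = """\
FROM quay.io/fedora/fedora-bootc:42
RUN dnf -y copr enable ublue-os/staging && dnf -y copr enable someuser/some-project
RUN dnf -y install gamescope steam
RUN dnf -y install mesa-dri-drivers-24.3.0-1.fc42 \\
    fish-3.7.1-1.fc42
"""

# "copr enable <owner/project>"; findall so several enables on one RUN are all seen
COPR_RE = re.compile(r"\bcopr\s+enable\s+(\S+)")
# install verbs of the package managers used in Fedora bootc images
INSTALL_RE = re.compile(r"\b(?:dnf|dnf5|rpm-ostree)\b.*?\binstall\b(.*)$")
# RPM NEVR-style pin: one or more name segments, then version-release
PINNED_RE = re.compile(r"^(?:[A-Za-z0-9_.+]+-)+\d[^-]*-[^-]+$")


def join_continuations(text):
    """Merge backslash-newline continuations so each RUN is one logical line."""
    return text.replace("\\\n", " ")


def lint_containerfile(text):
    """Return copr repos, pinned packages and unpinned packages found in RUN lines."""
    coprs, pinned, unpinned = [], [], []
    for line in join_continuations(text).splitlines():
        line = line.strip()
        if not line.startswith("RUN"):
            continue
        coprs.extend(COPR_RE.findall(line))
        m = INSTALL_RE.search(line)
        if m:
            # keep only the tokens up to the next shell operator
            pkgs = re.split(r"&&|\|\||;", m.group(1))[0]
            for tok in pkgs.split():
                if tok.startswith("-"):
                    continue  # option flag such as -y, not a package
                (pinned if PINNED_RE.match(tok) else unpinned).append(tok)
    return {"coprs": coprs, "pinned": pinned, "unpinned": unpinned}


def risk_summary(text):
    """Human-readable findings; returned so the caller decides what to do with them."""
    r = lint_containerfile(text)
    lines = [f"third-party copr repos enabled: {len(r['coprs'])}"]
    lines += [f"  copr {c}" for c in r["coprs"]]
    lines.append(f"unpinned packages: {len(r['unpinned'])}")
    lines += [f"  unpinned {p}" for p in r["unpinned"]]
    lines.append(f"pinned packages: {len(r['pinned'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(risk_summary(SAMPLE_CONTAINERFILE)))
```

Run against a real Containerfile with `lint_containerfile(open("Containerfile").read())`; a non-empty `unpinned` list is the set of packages whose version is decided at build time by whatever the enabled repos serve that day, which is the exposure the comment describes. The check is deliberately narrow (it does not resolve what each copr actually ships) so that its output stays traceable to the file's own lines.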
danieldk No.43745702
Nothing stops you from using bootable containers in the same way you use Debian and only using packages from the official Fedora repositories, starting from Fedora's bootc base images.
kayson No.43745875
Yeah I think that may be what I end up doing.