Is there anything obviously wrong or bad about the idea to just use whatever distro you like on bare metal? Like rolling release to get the fastest updates or immutable to make it rock solid. And then just use distrobox or toolbx with Debian and maybe Arch to run software your base distro does not provide?

I run Fedora right now but want to switch to something else. I was thinking about Tumbleweed a lot but there is quite a big portion of software which does not ship on Tumbleweed. (Theoretically you could download the .rpm file which quite a few developers provide on and install it on Tumbleweed too? But I am not 100% sure about that so please correct me about that if I’m wrong.) So I thought about Nix but the drama around that distro made me lose interest. Obviously Arch is also an idea but I don’t like my base OS to be a project itself so I’d rather not use it for now.

And yes I thought about installing homebrew or nixpkg or pixi or whatever the name of the next new package manager is. But nearly all of them are only installable by executing a script and I don’t feel comfortable doing that. Would it be safer to run scripts like that in a distrobox/toolbx?

So yeah, my initial question was whether it is viable to just choose any distro and get along with distrobox to get your software from the AUR or through .deb packages. But the question developed if it would be wise to use distrobox to execute random internet scripts without altering your base OS/putting your data to risk.

  • Oinks@lemmy.blahaj.zone
    2 days ago

    > Theoretically you could download the .rpm file which quite a few developers provide on and install it on Tumbleweed too? But I am not 100% sure about that so please correct me about that if I’m wrong.

    Yeah that’s not going to work in the general case. A trivial RPM package might be fine but every additional dependency increases the chance that it depends on some package that OpenSUSE doesn’t know. There’s a reason OpenSUSE is usually considered an independent distro and not a “Fedora-based” one despite some shared components.

    I don’t think security wise there’s much of a difference between running random software directly or via distrobox. Note that distrobox mounts your entire home directory into its containers, which removes any security benefit that containers could theoretically bring. In both cases you either need to audit the software yourself or you need to trust whoever you’re downloading the software from.

    Out of the third party repositories you mentioned, I would personally consider Nixpkgs the most trustworthy because package specs are actually code reviewed, unlike the AUR into which anyone can publish packages with zero oversight. That doesn’t mean it’s impossible for Nixpkgs to end up with malware in it, but the AUR sets a low bar. Using Nix (not NixOS) is also not actually that hard, you can just run nix-env -iA nixpkgs.yazi and it does exactly what you would expect, even if NixOS users would scoff at the “imperativity”.

    That being said, the OpenSUSE repositories really aren’t that bad. Especially if you combine them with Flatpak, and especially if you install Firefox and VLC (or equivalents of your choice) from Flatpak so you don’t need proprietary codecs in your base system. I used OpenSUSE Tumbleweed for years and got by just fine without Nix, homebrew or distrobox.

    • prole@lemmy.blahaj.zone
      2 days ago

      > Note that distrobox mounts your entire home directory into its containers, which removes any security benefit that containers could theoretically bring

      I think you can change this if you really want to
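A way to check the home-directory point from the two comments above on your own machine, as an added example that is not part of the thread: it reads `podman inspect`-style JSON and reports which sensitive host paths a container can reach through bind mounts. The sample data, the container names, the user `alice` and the list of sensitive paths are constructed for illustration.

```python
import json
from pathlib import PurePosixPath

# Constructed sample shaped like `podman inspect` output (trimmed to the fields used).
SAMPLE_INSPECT = json.dumps([
    {"Name": "shares-home", "Mounts": [
        {"Type": "bind", "Source": "/", "Destination": "/run/host", "RW": False},
        {"Type": "bind", "Source": "/home/alice", "Destination": "/home/alice", "RW": True},
    ]},
    {"Name": "dedicated-dir", "Mounts": [
        {"Type": "bind", "Source": "/home/alice/boxes/scratch",
         "Destination": "/home/alice", "RW": True},
        {"Type": "volume", "Source": "/var/lib/containers/storage/volumes/cache/_data",
         "Destination": "/cache", "RW": True},
    ]},
])


def exposed_paths(mounts, sensitive):
    """Map each sensitive host path reachable via a bind mount to 'rw' or 'ro'."""
    result = {}
    for m in mounts:
        if m.get("Type") != "bind":
            continue  # named volumes do not expose existing host files
        src = PurePosixPath(m["Source"])
        mode = "rw" if m.get("RW") else "ro"
        for s in sensitive:
            p = PurePosixPath(s)
            # Exposed when the mount source is the path itself or one of its ancestors.
            if p == src or src in p.parents:
                if result.get(s) != "rw":  # a writable mount outranks a read-only one
                    result[s] = mode
    return result


def audit(inspect_json, home):
    """Return {container_name: exposed sensitive paths} for every container in the JSON."""
    sensitive = [f"{home}/.ssh", f"{home}/.gnupg", f"{home}/.config"]
    return {c["Name"]: exposed_paths(c.get("Mounts", []), sensitive)
            for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_INSPECT, "/home/alice").items():
        print(name, hits or "no sensitive host paths bind-mounted")
```

To audit a real container, pass the output of `podman inspect <name>` to `audit()` in place of the sample.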

    • theorangeninja@sopuli.xyzOP
      2 days ago

      Thank you very much for correcting me about the RPM issue!

      > I don’t think security wise there’s much of a difference between running random software directly or via distrobox. Note that distrobox mounts your entire home directory into its containers, which removes any security benefit that containers could theoretically bring.

      True, I forgot that distrobox mounts the entire home directory.

      > Using Nix (not NixOS) is also not actually that hard, you can just run nix-env -iA nixpkgs.yazi and it does exactly what you would expect, even if NixOS users would scoff at the “imperativity”.

      But that still leaves the question: How to install Nix in the first place? Without just running the script. Another question: This command just runs the software once without actually installing it right?

      > That being said, the OpenSUSE repositories really aren’t that bad. Especially if you combine them with Flatpak, and especially if you install Firefox and VLC (or equivalents of your choice) from Flatpak so you don’t need proprietary codecs in your base system. I used OpenSUSE Tumbleweed for years and got by just fine without Nix, homebrew or distrobox.

      Awesome, thank you very much! I really should just try it out for a while!

      • Oinks@lemmy.blahaj.zone
        2 days ago

        > But that still leaves the question: How to install Nix in the first place? Without just running the script.

        You can download tarballs with the precompiled Nix, though you’ll still need to run an install script (but you can at least read it to convince yourself it’s not malicious), see the relevant documentation for that.

        Something that slipped my mind is that since OpenSUSE uses SELinux now, that means the recommended multi-user mode won’t work. Single-user mode should be fine afaik, but it’s a bit less convenient.

        > This command just runs the software once without actually installing it right?

        The nix-env -iA does actually install the software locally, not completely unlike how a zypper in would. For running a program without installing you would use something like nix-shell -p yazi --command yazi. Of course that still downloads and “installs” the program, it just won’t add it to your PATH or create a GC root, which means the next time Nix does “garbage collection” it will be removed again.

        And yeah I would recommend just trying OpenSUSE out and then if you realize you actually really do need stuff from third party package managers, then you can worry about whether getting into Nix is a good idea or not. Or fall back to the Arch/AUR in distrobox idea which is probably simpler to do overall, especially since from what I understand that’s what you’re supposed to do on the immutable spins like Aeon.

        Late edit: I’ll also note that there are several OpenSUSE specific third party repos too. Packman has some proprietary codecs that OpenSUSE doesn’t want to ship (in case you really don’t want your browser to be a Flatpak), and the Open Build Service (OBS) which is basically the AUR for OpenSUSE. They’re not as useful because they’re nowhere near the size of the AUR, but if you just need one specific package (perhaps one with questionable legality like yt-dlp or something) they might just have it. And of course you can also build stuff from source and put it in your ~/.local/bin, which has been common practice since before Linux was able to run on real hardware.