Immutable distributions clarification


On the OS recommendations there are a number of Linux distributions separated in categories. It’s pretty clear what “Security-focused” and “Anonymity-focused” are supposed to be good at, in the context of privacy, however I’m not too sure most people would really understand the relevance of “Immutable Distributions”.

I think it would be beneficial to have a description at the very top of that category (currently it jumps right into the first recommendation) that highlights the main differences from “Traditional distributions” and how they are relevant in the same context of privacy and security as the other two categories.


I agree, the advantages of immutable distros should be documented. I think that would fit better in the knowledge base, though.

1 Like

Probably a good idea. We did discuss changing that category and highlighting its benefits more prominently previously, but didn’t really reach a consensus on how we should discuss them, with some arguments that they don’t really provide a huge benefit over traditional distributions in the first place… I don’t know how we feel about them yet.


Personally I don’t find this category very useful in the context of privacy. For one, there are better distributions available and already mentioned. And even the “traditional” distributions are good enough for what most people need (certainly it’s a welcome upgrade from Windows/MacOS).
Then there are the headaches with permissions because of sandboxed programs installed through something like Flatpak; most users can find that very annoying to set up even when using Flatseal. More experienced users can choose to use Snaps or AppImages instead… but at that point there are very few reasons left to recommend anything of the sort.

This section will probably make more sense if it was labeled as an advanced topic, and if guides/tutorials are provided. In the future there could even be reproducible builds for things like NixOS that people can use as a baseline, similar to how the Arkenfox.js project works for Firefox. But, of course, this is a lot more work and highly subjective and prone to change so…

The thing is, immutable distros should be the regular ones, because people not knowing what they are should probably use them. I myself am not totally stupid but broke regular distros often. If you don’t want to maintain your own distro, it’s just best to have one premade, apply your small set of changes to it and keep it like that. Nearly all apps nowadays are available as Flatpaks, and even if they aren’t, you can layer packages anyways.

So educating about these distros should be more natural. Android, iOS and all the others are immutable since forever, and nobody cares, it’s just normal.


Flatpak apps always have the permissions they need in my experience. And that way they are mostly more secure than the regular system installed apps.

They are built from instructions, fetching resources from official codebases and their dependencies, so they are the official apps most of the time.

Using Flatseal or the KDE Flatpak permission settings is only needed if you want more privacy, and they are easy to use. The alternative is to not have permissions at all.

With Flatpaks, for example, it is very easy to just block internet access, if you don’t want OpenSnitch slowing down your system.

AppImages and Snaps have no GUI ways to restrict permissions.

I’m inclined to agree with this. I think it’s no coincidence there are many immutable distributions coming along as there are some great objective advantages. What I don’t necessarily agree with is the idea that they should be recommended to everyone.

I often have to fix issues for inexperienced users and I can tell you that the issues that result in the most frustration are the silliest ones. Flatpaks are still in a place where they have these sorts of odd behaviors sometimes when compared to the native package.
What I’m trying to say is that even if we assume that immutable distributions are the way to go, the “traditional” ones are still a pretty good option, perhaps even the best option for most people when it comes to balancing privacy, security and convenience.

I don’t get all these different Linux distro recommendations. When it comes to privacy (and that’s what the main goal is), any distribution (yes, even Ubuntu) is way better than the most used MS/Apple/Google systems (Windows 10/11, OS X, ChromeOS). So in my opinion, there is no need to recommend a specific distro for this reason. When it comes to security or anonymity, then there are differences, and users should wisely choose among hundreds of distributions.

Current Linux recommendation and overview pages are good, and people can find the needed info. Though I would always advise new users to start with some *buntu (LTS) distro (Mint included), even if it’s not according to PG criteria.

But I think in the (near) future immutable distros (and Flatpaks) will become more user friendly and probably the best choice for people new to Linux.


Well, we would not, because they follow poor release schedules and cause new users to learn weird Ubuntu/Canonical quirks (like snaps, AppArmor, Unity, and upstart) instead of more open projects (like Flatpaks, SELinux, GNOME, and systemd) other distros like Fedora focus on or pioneer :upside_down_face:

It seems like a classic Canonical move to duplicate a bunch of effort just to later abandon their own project and adopt whatever Red Hat is supporting; might as well use a distro that uses technology that will stick around right off the bat.

If security is the main reason to not recommend distributions such as Ubuntu or Mint, remember that the greatest threat to the user’s privacy and security is the user himself. I’m not really sure that picking up a few “bad habits” is really worth excluding easy to use distributions such as Ubuntu, Mint or PopOS.

But in any case this is getting a little off-topic. It seems that most of us here agree that immutable distributions are the way forward for future recommendations in terms of privacy and security. It would be nice to come up with a nice summary of the pros/cons to add that to the recommendations pages.

1 Like

That’s not quite fair. According to Wikipedia at least, all of these Canonical projects are older than their Red Hat equivalents:

  • AppArmor in 1998 vs SELinux in 2000
  • Snap in 2014 vs Flatpak in 2015
  • Unity in 2010 vs GNOME3 in 2011
  • Upstart in 2006 vs systemd in 2010

In fact, Upstart was originally used by Fedora as well, and AppArmor is not an Ubuntu “quirk” but also used in Debian and openSUSE amongst others.