Real world fedora atomic distro security?

My understanding of atomic distros is that all system updates require a reboot to be applied. Given that it is common for people to rarely reboot their machines, is the real world security of these atomic distros for beginners significantly hampered by this? Or am I missing something?

On regular Fedora Workstation, you can set it to automatically update in the background and everything (except the kernel) will be updated without having to reboot. Sure, if you don’t restart the individual app, the update won’t get applied, but that seems better than requiring an entire system reboot. For things like browsers, where timely security updates are important and where people specifically recommend against installing them as Flatpaks, this seems particularly relevant.

Atomic just means the update won’t complete unless it completes successfully. So if it fails at any point it’ll revert to the previous version and you won’t get any partial updates. I don’t think anything about atomic updates implies you need to restart.

Fedora explained in a previous blog post how a lot of Linux distros don’t restart when they update and how that’s kind of dangerous, and why they do restart for updates.

3 Likes

Hm, ok, maybe the way I’ve been using my system is not ideal then, lol. I use dnf-automatic to install and apply updates in the background and probably only actually reboot every week or two.

1 Like

In my (somewhat limited) experience, if you frequently update without restarting, the atomic distros are actually nicer to use. Because you don’t have to worry about time between update and restart. You do still need to restart before the update will apply. But, because atomic updates are ‘applied in full, or not at all’ there is no risk with not restarting right away, because the update command doesn’t actually update anything, it just downloads and prepares the update which will be applied whenever you restart next.

If you stick with a traditional version of Fedora, a potentially useful command is dnf needs-restarting (as well as dnf needs-restarting --system); these commands can give you more insight into when a restart is required. But realistically, it’s easier and better just to get in the habit of restarting after updates. Cleanest way to update, quickest way to get the latest packages, and just overall good for digital hygiene in my opinion.

dnf needs-restarting man page

2 Likes
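The post above recommends dnf needs-restarting as the way to find out, on a traditional Fedora install, what is still running old code after a background update. The script below is an added example (not from this thread or from the dnf project) that wraps the command in a small post-update check: it reads the reboot hint from the exit status of dnf needs-restarting -r (0 means no reboot needed, 1 means core libraries or the kernel changed since boot), lists the affected systemd services with dnf needs-restarting -s, and summarizes the per-process output. The helper names summarize_stale_processes, plan_action and run_check are mine; the sample process lines in the comments are constructed.

```shell
#!/usr/bin/env bash
# Post-update restart check built around `dnf needs-restarting` (dnf-plugins-core).
# Added example; helper names are the author's own, not part of dnf.
set -u

# Summarize the default `dnf needs-restarting` output, whose lines look like
#   "1234 : /usr/sbin/sshd -D"   (constructed sample line)
# Reads stdin, prints "<pid> <executable basename>" per line so the result is easy to scan.
summarize_stale_processes() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    pid=${line%% :*}        # text before the first " :"
    cmd=${line#*: }         # everything after ": "
    exe=${cmd%% *}          # first word of the command line
    printf '%s %s\n' "$pid" "${exe##*/}"
  done
}

# Decide the follow-up from the reboot hint exit status and the service list.
# $1: exit status of `dnf needs-restarting -r` (0 = no reboot, 1 = reboot required)
# $2: output of `dnf needs-restarting -s` (one unit name per line, may be empty)
plan_action() {
  reboot_status=$1
  services=$2
  if [ "$reboot_status" -ne 0 ]; then
    echo "reboot"
  elif [ -n "$services" ]; then
    echo "restart-services"
  else
    echo "nothing"
  fi
}

# Live run on a Fedora host (needs dnf-plugins-core; restarts need root).
run_check() {
  dnf needs-restarting -r >/dev/null 2>&1
  status=$?
  services=$(dnf needs-restarting -s 2>/dev/null)
  case "$(plan_action "$status" "$services")" in
    reboot)
      echo "Kernel or core libraries changed since boot: schedule a reboot."
      dnf needs-restarting | summarize_stale_processes ;;
    restart-services)
      echo "Restarting services that still run pre-update code:"
      printf '%s\n' "$services" | while IFS= read -r unit; do
        [ -n "$unit" ] && sudo systemctl restart "$unit"
      done ;;
    nothing)
      echo "Nothing is running outdated code." ;;
  esac
}

# Call run_check from an interactive session or a timer after dnf-automatic has run.
```

The point of separating plan_action from run_check is that the decision is testable without dnf installed; a reboot hint wins over a service restart because a kernel or glibc update cannot be applied by restarting units.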

This makes a lot of sense. I think if I were installing from scratch, I would go with an atomic distro (probably Bazzite due to how well it seems to handle automatic updates and how nice the defaults are). But I feel like the differences are too small at this point to justify moving from my current install. I’ll probably stop using dnf-automatic though.

1 Like

But I feel like the differences are too small at this point to justify moving from my current install. I’ll probably stop using dnf-automatic though.

I’d agree; the differences are not worth switching. I waited to switch until I bought new hardware and needed a fresh install regardless. I’m using Bluefin (Universal Blue), and I like it. I’m still not 100% sure I like it more than traditional Fedora, but I do like it, and have found that quality of life with atomic distros for me today is much improved compared to 2-3 years ago. I do find Bluefin’s automatic updates and the ujust scripts to be quite convenient, and I like that you can choose different update tracks depending on your preferences. But I also really enjoy the control and flexibility of a traditional distro.

2 Likes

When I first tried atomic distros a couple of years ago, I really disliked the experience. I think too much emphasis is put on not layering packages with rpm-ostree. If you layer a package, you’re in no worse a situation than installing a package in a traditional distro. It may destabilize your system, but it also likely won’t, and at least with atomic you can easily roll back to a prior image. I’ve since modified my systems and workflow to work with only Flatpaks and I now enjoy atomic even more.

As for updating Fedora Workstation, I used to use the offline upgrade feature of dnf. I used it for two reasons:

  1. It’s “safer” and less likely to glitch your system.
  2. With certain VPN providers and implementations, Fedora kills the daemon on an upgrade and doesn’t restart it. This means you will leak your IP address if your update involves your VPN package.

I used:

dnf offline-upgrade download

then:

dnf offline reboot

This will restart the machine and apply the upgrade while offline. You can kill your WiFi if you want for additional leak protection, but I don’t think it should matter. (Someone please correct me on this last point if I’m wrong.)

3 Likes

This is definitely the key to enjoying atomic distros.

1 Like