Why would I care about an immutable distro in Linux?


You wouldn’t unless you are an IT worker in a company. This article is for them.

For a long time, the problem with giving people a desktop was that to keep the desktop secure you had to patch it, virus scan it, and protect it with endpoint protection software. This is expensive and time-consuming. What if, instead of giving people a computer like the one they have at home, you give them a computer that is preconfigured so that they don’t need to change anything? If they try to change anything, they can’t, or the change won’t persist past the next reboot. Is there an advantage to that?

The answer is yes. Some employees are not knowledge workers and don’t need to configure their environment. Some, like frontline staff, may only need basic functionality, for which an immutable distro can work very well. It takes the work out of maintaining it since there is nothing to maintain. It is also unlikely that the user will have computer issues since it is tested and controlled. However, even if they do have an issue, replacing their computer or refreshing it is much easier and could be automated.

The assumption in corporate IT is that people should have the same environment that they use at home. Often companies will ask employees if they want a Mac/PC. Increasingly people are being given this choice. Traditionally the IT department approached computer security with a “lockdown” mentality. Let’s lock everything down that they don’t need. An immutable distro flips this assumption on its head. Now companies can ask, what exactly do they need, and why not just give them only what they need?

This functionality has been available on Windows/Mac for years via third-party tools. However, those tools can be complicated and do not always work as desired. Many Mac administrators were frustrated with Deep Freeze, a program that was supposed to do this for the Mac system. It can work; it just takes a little more effort instead of being built in.

Practically speaking, given the tight integration between Microsoft’s online apps like M365 and the OS, it would be impossible, I think, to have an immutable Windows image. I think the best you could do is to push out a new image every few months. This would be a PITA and more time-consuming than many regular companies would want to experience.

“Hey, you said that you are working in M365 just fine with openSUSE Linux.” That is true. However, I am not using any locally installed apps. If users can maintain a network connection, then conceivably they could do everything online and use an immutable distro of Linux/Windows. If they travel, this might be more problematic, but it is not insurmountable.

Now, what is also interesting is that Windows 11 enables a feature that refreshes the security policy on Windows 11 Intune-configured computers that may not be connected to a network. In a way, Microsoft is trying to force their computers into a standard, which really implies that they are moving towards this immutable idea themselves. I’m sure that Microsoft would love to be able to containerize and limit the updates and testing that need to be done. I think this is what they are doing.

I foresee that the desktop, server, and everything will be read-only in the future and our ability to configure it will be limited. Windows 11 is already removing functionality, so I think they are just taking away the ability to customize by degrees so that people get used to it. Apple has also taken away the flexibility to customize by not open-sourcing its entire technology stack. They have an open-source part of it, but by providing transparency people will trust it more and incorporate it into Linux, taking away part of the advantage of the Mac OS.

For me, an immutable distro doesn’t work. I want to tinker and will always tinker with whatever OS enables me to do that.