Is there anything obviously wrong or bad about the idea to just use whatever distro you like on bare metal? Like rolling release to get the fastest updates or immutable to make it rock solid. And then just use distrobox or toolbx with Debian and maybe Arch to run software your base distro does not provide?

I run Fedora right now but want to switch to something else. I was thinking about Tumbleweed a lot but there is quite a big portion of software which does not ship on Tumbleweed. (Theoretically you could download the .rpm file which quite a few developers provide on and install it on Tumbleweed too? But I am not 100% sure about that so please correct me about that if I’m wrong.) So I thought about Nix but the drama around that distro made me lose interest. Obviously Arch is also an idea but I don’t like my base OS to be a project itself so I’d rather not use it for now.

And yes I thought about installing homebrew or nixpkg or pixi or whatever the name of the next new package manager is. But nearly all of them are only installable by executing a script and I don’t feel comfortable doing that. Would it be safer to run scripts like that in a distrobox/toolbx?

So yeah, my initial question was whether it is viable to just choose any distro and get along with distrobox to get your software from the AUR or through .deb packages. But the question developed if it would be wise to use distrobox to execute random internet scripts without altering your base OS/putting your data to risk.

  • TimLovesTech@badatbeing.social
    3 days ago

    Just go CachyOS if you can’t be bothered with Arch proper. Running an insecure container layer that brings another whole distro so you can run an app is weird when flatpaks exist for this purpose, and are much better suited for this. Seems like you’re creating a “problem” that doesn’t exist and then coming up with the most complicated way to solve this made up “problem”.

    • LeFantome@programming.dev
      2 days ago

      Distrobox solves a great many problems. I use it in Cachy all the time.

      Also, I am not sure what security Podman under Distrobox is making worse. Got an example?

      You are suggesting Flatpaks for security? Um. Ok.

      And how is calling the entire Freedesktop platform just to run an app better than the much more limited dependencies that Distrobox will pull in? And, if I already use Podman, Flatpak is a lot of extra complexity compared to Distrobox.

      • TimLovesTech@badatbeing.social
        2 days ago

        > Also, I am not sure what security Podman under Distrobox is making worse. Got an example?

        From the site …

        > Security implications
        >
        > Isolation and sandboxing are not the main aims of the project, on the contrary it aims to tightly integrate the container with the host. The container will have complete access to your home, pen drive, and so on, so do not expect it to be highly sandboxed like a plain docker/podman container or a Flatpak.

        > You are suggesting Flatpaks for security? Um. Ok.

        OP said …

        > But the question developed if it would be wise to use distrobox to execute random internet scripts without altering your base OS/putting your data to risk.

        I was suggesting a Flatpak from a supported project over a random package from wherever being run as root on their box, yes.

        > And how is calling the entire Freedesktop platform just to run an app better than the much more limited dependencies that Distrobox will pull in? And, if I already use Podman, Flatpak is a lot of extra complexity compared to Distrobox.

        And I just don’t see why I would install another insecure layer that is just going to use Docker/Podman. Why not just install Docker/Podman and be done? And for a desktop app installing a Flatpak seems like a better tool than a pod/docker container if you can’t get a native package.
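
The distrobox security note quoted in the comment above says the container has complete access to your home and removable drives. As an added example (not part of the thread and not distrobox's own code), this Python script audits `podman inspect` JSON for host bind mounts and shared host namespaces before you run an installer script inside a container; the sample JSON, the container name, the paths and the `audit_container` helper are constructed for illustration.

```python
import json

# Constructed sample shaped like `podman inspect <container>` output.
# Names and paths are made up; check your own container's real output.
SAMPLE_INSPECT = json.dumps([{
    "Name": "debian-box",
    "HostConfig": {"Privileged": True, "NetworkMode": "host",
                   "PidMode": "host", "IpcMode": "host"},
    "Mounts": [
        {"Type": "bind", "Source": "/home/alice", "Destination": "/home/alice", "RW": True},
        {"Type": "bind", "Source": "/", "Destination": "/run/host", "RW": True},
        {"Type": "bind", "Source": "/run/media", "Destination": "/run/media", "RW": True},
        {"Type": "bind", "Source": "/etc/hosts", "Destination": "/etc/hosts", "RW": False},
    ],
}])

def _within(path, root):
    """True if `path` equals `root` or lies somewhere below it."""
    root = root.rstrip("/") or "/"
    return root == "/" or path == root or path.startswith(root + "/")

def audit_container(inspect_json, home, sensitive=("/run/media", "/media", "/mnt")):
    """List the ways a container reaches host data or shares host namespaces."""
    findings = []
    for c in json.loads(inspect_json):
        host = c.get("HostConfig", {})
        if host.get("Privileged"):
            findings.append("privileged")
        for key in ("NetworkMode", "PidMode", "IpcMode"):
            if host.get(key) == "host":
                findings.append(f"{key}=host")
        for m in c.get("Mounts", []):
            if m.get("Type") != "bind":
                continue  # named volumes live in container storage, not user data
            mode = "rw" if m.get("RW") else "ro"
            src = m["Source"]
            for target in (home, *sensitive):
                # Flag a mount that contains the target or sits inside it.
                if _within(target, src) or _within(src, target):
                    findings.append(f"{mode} bind {src} overlaps {target}")
    return findings

if __name__ == "__main__":
    for line in audit_container(SAMPLE_INSPECT, home="/home/alice"):
        print(line)
```

An empty result means none of the checked host paths or namespaces are shared; any `rw bind` line covering your home means a script run inside the container can modify the same files it could on the host.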

    • theorangeninja@sopuli.xyzOP
      2 days ago

      But take Signal for example, they only provide a .deb package. The Flatpak and the AUR package are only community packaged. And how are Flatpaks better suited for this?