I’ve heard of immutable OS’s like Fedora Silverblue. As far as I understand it, this means that “system files” are read-only, and that this is more secure.
What I struggle to understand is, what does that mean in practical terms? How does installing packages or configuring software work, if system files can’t be changed?
Another thing I don’t really understand is what the benefits as an end user? What kinds of things can I do (or can be done by malware or someone else) to my Arch system that couldn’t be done on an immutable system? I get that there’s a security benefit just in that malware can’t change system files – but that is achieved by proper permission management on traditional systems too.
And I understand the benefit of something declarative like NixOS or Guix, which are also immutable. But a lot of OS’s seem to be immutable but not purely declarative. I’m struggling to understand why that’s useful.
Flatpaks really have the added benefit of things just work. Many distros have problems with codecs for example and need to install extra packages to get video working in Firefox. The flatpak version doesn’t require any of this and you can just install and move on with your life. Yes dependencies are “redundant” sometimes but you have the added benefit of a really clean base system without hundreds or thousands of lib or dev packages. Also sometimes you need a specific version of a dependency. Let’s say you need to update it for compatibility with a specific package but that breaks another which needs an older version. The system can stay especially clean when it comes to the toolbox utility and dev environments (this is available in other distros as distrobox I think).