This is more of a personal dilemma, since I keep finding myself switching back and forth between NixOS and Gentoo every now and then. I’ve done this twice for each so far ever since I immediately started off my Linux journey with Gentoo, making a quick stop at Arch once when I didn’t have enough time to set either of them up properly. Both of them provides a massive amount of control over my system and lets me build my system in weird and interesting ways, e.g. musl, clang, and/or SELinux for Gentoo and impermanence for NixOS (it still kind of blows my mind right now). Personally, I find Gentoo more intuitive, but NixOS is more powerful for managing complex systems, but then again, I don’t have any complex systems to manage, only a singular desktop system. I’d love to keep switching back and forth, but I feel like it has become sort of a time sink for me, somewhat hindering my studies, and thus I feel the need to decide which one to settle on, and which one to keep in a VM to mess around with. That brings me to the title of the post, which do you think is better for a simple desktop system? Also, I don’t know how viable dual booting is, given that I manage my dotfiles almost entirely with home-manager, and I like to have secure boot.
I ran Gentoo for ~15 years and then switched to NixOS ~3 years ago. The last straw was Gentoo bug 676264, where I submitted version bump & build fix patches to fix security issues and was ignored for three months.
In Gentoo,
glsa-check
only tells you about security vulnerabilities after there’s a portage update that would resolve it. I.e., for those three months, all Gentoo users had a ghostscript with widely-known vulnerabilities and glsa-check was silent about it. I’m not cherry-picking this example—this was one of my first attempts to help be proactive about security updates & found that the process is not fit for purpose. And most fixed vulnerabilities don’t even get GLSA advisories—the advisories have to be created manually. Awhile back, I had made a ‘gentle update’ script that just updated packages glsa-check complained about. It turns out that’s not very useful.Contrast this with vulnix, a tool in Nix/NixOS which directly fetches the vulnerability database from nvd.nist.gov (with appropriate polite local caching) and directly checks locally installed software against it. You don’t need the Nix project to do anything for this to Just Work; it’s always comprehensive. I made a NixOS upgrade script that uses vulnix to show me a diff of security issues as it does a channel update. Example output:
commit ... Author: <me> Date: Sat Jun 17 2023 New pins for security fixes -9.8 CVE-2023-34152 imagemagick -7.8 CVE-2023-34153 imagemagick -7.5 CVE-2023-32067 c-ares -7.5 CVE-2023-28319 curl -7.5 CVE-2023-2650 openssl -7.5 CVE-2023-2617 opencv -7.5 CVE-2023-0464 openssl -6.5 CVE-2023-31147 c-ares -6.5 CVE-2023-31124 c-ares -6.5 CVE-2023-1972 binutils -6.4 CVE-2023-31130 c-ares -5.9 CVE-2023-32570 dav1d -5.9 CVE-2023-28321 curl -5.9 CVE-2023-28320 curl -5.9 CVE-2023-1255 openssl -5.5 CVE-2023-34151 imagemagick -5.5 CVE-2023-32324 cups -5.3 CVE-2023-0466 openssl -5.3 CVE-2023-0465 openssl -3.7 CVE-2023-28322 curl diff --git a/channels b/channels --- a/channels +++ b/channels @@ -8,23 +8,23 @@ [nixos] git_repo = https://github.com/NixOS/nixpkgs.git git_ref = release-23.05 -git_revision = 3a70dd92993182f8e514700ccf5b1ae9fc8a3b8d -release_name = nixos-23.05.419.3a70dd92993 -tarball_url = https://releases.nixos.org/nixos/23.05/nixos-23.05.419.3a70dd92993/nixexprs.tar.xz -tarball_sha256 = 1e3a214cb6b0a221b3fc0f0315bc5fcc981e69fec9cd5d8a9db847c2fae27907 +git_revision = c7ff1b9b95620ce8728c0d7bd501c458e6da9e04 +release_name = nixos-23.05.1092.c7ff1b9b956 +tarball_url = https://releases.nixos.org/nixos/23.05/nixos-23.05.1092.c7ff1b9b956/nixexprs.tar.xz +tarball_sha256 = 8b32a316eb08c567aa93b6b0e1622b1cc29504bc068e5b1c3af8a9b81dafcd12