This is more of a personal dilemma, since I keep finding myself switching back and forth between NixOS and Gentoo every now and then. I’ve done this twice for each so far ever since I immediately started off my Linux journey with Gentoo, making a quick stop at Arch once when I didn’t have enough time to set either of them up properly. Both of them provides a massive amount of control over my system and lets me build my system in weird and interesting ways, e.g. musl, clang, and/or SELinux for Gentoo and impermanence for NixOS (it still kind of blows my mind right now). Personally, I find Gentoo more intuitive, but NixOS is more powerful for managing complex systems, but then again, I don’t have any complex systems to manage, only a singular desktop system. I’d love to keep switching back and forth, but I feel like it has become sort of a time sink for me, somewhat hindering my studies, and thus I feel the need to decide which one to settle on, and which one to keep in a VM to mess around with. That brings me to the title of the post, which do you think is better for a simple desktop system? Also, I don’t know how viable dual booting is, given that I manage my dotfiles almost entirely with home-manager, and I like to have secure boot.

  • chkno@lemmy.ml
    3·
    1 year ago

    I ran Gentoo for ~15 years and then switched to NixOS ~3 years ago. The last straw was Gentoo bug 676264, where I submitted version bump & build fix patches to fix security issues and was ignored for three months.

    In Gentoo, glsa-check only tells you about security vulnerabilities after there’s a portage update that would resolve it. I.e., for those three months, all Gentoo users had a ghostscript with widely-known vulnerabilities and glsa-check was silent about it. I’m not cherry-picking this example—this was one of my first attempts to help be proactive about security updates & found that the process is not fit for purpose. And most fixed vulnerabilities don’t even get GLSA advisories—the advisories have to be created manually. Awhile back, I had made a ‘gentle update’ script that just updated packages glsa-check complained about. It turns out that’s not very useful.

    Contrast this with vulnix, a tool in Nix/NixOS which directly fetches the vulnerability database from nvd.nist.gov (with appropriate polite local caching) and directly checks locally installed software against it. You don’t need the Nix project to do anything for this to Just Work; it’s always comprehensive. I made a NixOS upgrade script that uses vulnix to show me a diff of security issues as it does a channel update. Example output:

    commit ...
Author: <me>
Date:   Sat Jun 17 2023

    New pins for security fixes

    -9.8    CVE-2023-34152  imagemagick
    -7.8    CVE-2023-34153  imagemagick
    -7.5    CVE-2023-32067  c-ares
    -7.5    CVE-2023-28319  curl
    -7.5    CVE-2023-2650   openssl
    -7.5    CVE-2023-2617   opencv
    -7.5    CVE-2023-0464   openssl
    -6.5    CVE-2023-31147  c-ares
    -6.5    CVE-2023-31124  c-ares
    -6.5    CVE-2023-1972   binutils
    -6.4    CVE-2023-31130  c-ares
    -5.9    CVE-2023-32570  dav1d
    -5.9    CVE-2023-28321  curl
    -5.9    CVE-2023-28320  curl
    -5.9    CVE-2023-1255   openssl
    -5.5    CVE-2023-34151  imagemagick
    -5.5    CVE-2023-32324  cups
    -5.3    CVE-2023-0466   openssl
    -5.3    CVE-2023-0465   openssl
    -3.7    CVE-2023-28322  curl

diff --git a/channels b/channels
--- a/channels
+++ b/channels
@@ -8,23 +8,23 @@ [nixos]
 git_repo = https://github.com/NixOS/nixpkgs.git
 git_ref = release-23.05
-git_revision = 3a70dd92993182f8e514700ccf5b1ae9fc8a3b8d
-release_name = nixos-23.05.419.3a70dd92993
-tarball_url = https://releases.nixos.org/nixos/23.05/nixos-23.05.419.3a70dd92993/nixexprs.tar.xz
-tarball_sha256 = 1e3a214cb6b0a221b3fc0f0315bc5fcc981e69fec9cd5d8a9db847c2fae27907
+git_revision = c7ff1b9b95620ce8728c0d7bd501c458e6da9e04
+release_name = nixos-23.05.1092.c7ff1b9b956
+tarball_url = https://releases.nixos.org/nixos/23.05/nixos-23.05.1092.c7ff1b9b956/nixexprs.tar.xz
+tarball_sha256 = 8b32a316eb08c567aa93b6b0e1622b1cc29504bc068e5b1c3af8a9b81dafcd12