Comment by TacticalCoder
13 hours ago
> Nothing is bug free, and telling people they will never need to upgrade/patch/maintain a system is a well-paved path to compromised systems.
Of course nothing is. But there's a reason projects like "Talos" do exist: no terminal, no SSH, no package manager (how do we like package managers like NPM lately btw?), read-only filesystem, definitely no systemd, etc.
And then a minimal number of executables.
This does, definitely, reduce the attack surface.
I'm not speaking about this Show HN's project but there are such things as systems both more secure and requiring less maintenance than others.
Throwing in the towel and saying: "nothing can ever be 100% secure so we'll always need to patch so we may as well YOLO by accepting npm packages modified 3 minutes ago" is not the way to go forward either.
IncusOS is another - read-only root FS, interactions with the system exclusively through the Incus API, no package manager, blue-green OS updates (à la Steam Deck / Home Assistant OS).
Talos on IncusOS is likely a very interesting stack that I intend to play with hopefully in the near future.
https://linuxcontainers.org/incus-os/docs/main/
> blue-green OS updates
First time I heard someone call it blue-green OS updates instead of A/B OS updates.
Heh fair enough!
Same concept, I guess. I'm a platform engineer / SRE, and blue/green is a more common way of describing that way of deploying applications so I didn't even consider it could have a different name on the OS layer.
How would you say it compares to NixOS?
They are vastly different. Incus is aimed at providing a minimal, immutable OS for the hosting of VMs & containers. NixOS provides a full Linux OS that is reproducible and declarative.