Jonathan: This is Floss Weekly, episode 771, recorded Wednesday, February 21st. Kalpa. Because nobody knows what hysteresis is. This week, Dan Lynch joins me, and we talk with Shawn Dunn about Kalpa. That's an immutable, or maybe we should say atomic, desktop. It's part of OpenSUSE, it's downstream from Tumbleweed, and it's carrying the KDE Torch.
Why would you want to run an atomic or immutable desktop? Well, stay tuned to find out.
Hey, welcome to Floss Weekly. That's the show about free, libre, and open source software. I'm your host, Jonathan Bennett. And of course, it is not just me. I've got, I've got Method Dan, the man, the Linux outlaw. Hey, how are you today, sir?
Dan: Hey, I'm good, Jonathan. Good to be back. How are you?
Jonathan: I'm, I'm good. I'm thinking I would say I didn't get enough sleep last night because my brain has been on the fritz, but I know I got quite a bit.
Maybe I got too much sleep. Maybe I've not been awake for long enough yet. I don't know. This may be a day for tip of the tongue syndrome where, you know, my, my brain has a train wreck and I can't, I can't remember a word like concrete or abstract while I'm trying to make a point. So bear with us. It may be one of those days where it may not.
I may have worked it all out of my system. I don't know. We haven't hit the right run level quite yet. I guess. Yeah, I'm still, I'm still tricking along on run level two. Some, some weird run level. Ah, well, it is good to have you, sir. And we're going to talk, imagine this. We're gonna talk about Linux today.
We're going to talk about a Linux flavor open over at OpenSUSE. And from what I understand, it's, it's Kalpa Linux, which from what I understand is an immutable KDE distro. Although I don't think immutable is really the right term anymore. Maybe atomic is what, what people prefer. But we've got Shawn Dunn to talk about it.
You've, you've been taking a look at, at Kalpa and some of what OpenSUSE is doing. Haven't you, Dan?
Dan: Yeah, I did some research today. I've been going through looking at the many. It's something we'll talk to Shawn about, the many flavors of immutable distros they've got over there. There's quite a few.
So yeah, I, I had a look at the the stuff that Richard Brown was doing with with he's now doing Aeon. Aeon, I think it is. I'm going to say Aeon. OS as well, which is a kind of sister project to Kalpa. So that should be interesting and I haven't yet really used an immutable Linux distribution.
Everybody I know is into this. It's the hot thing right now. So I think it's good time to maybe jump on board and learn more.
Jonathan: Yeah, I always have this thought in the back of my mind that for those of us that like are programmers and really like to fiddle and go deep sometimes and fiddle with the guts of our operating system, is, is one of these immutable Linux distros for us? And maybe let's ask, let's ask Shawn about that. In fact, let's not fiddle around any longer. Let's bring him on. And, Shawn, first off, welcome to the show.
Shawn: Thank you. It's nice to be here.
Jonathan: So, let's start with... Well, let's start with what all you're involved in. I know, I know Kalpa Linux, but like what, where, where in the solar system of Linux do you orbit?
Shawn: Primarily I'm involved just in the OpenSUSE project. I contribute here and there to various other things as they catch my interest. I've been poking at some things for the guys over at Universal Blue. Kind of helping them get ready for Plasma 6 coming with Fedora 40. And in the past I've been involved in a number of other distributions.
Fuduntu, Solus. I ran CrunchBang for a long time. So, I'm not actually a coder by trade. Most of my career has been in blue collar work. This has been a side project for me and I have more time to dedicate to it now, so. Sure. When the MicroOS desktop became a thing, which was Richard Brown's personal project. There's a bunch of stuff in the background that went on, but basically there was nobody that was maintaining a Plasma version of the MicroOS desktop.
Okay. So I had the time and I stepped up because I use KDE and I like KDE and the idea of an immutable or atomic distribution just appealed to me, so. That's how I ended up where I am now.
Jonathan: Alright, well let's, let's start, sort of start there, MicroOS, that was, was that the OpenSUSE original sort of atomic desktop approach?
Shawn: So, MicroOS still exists. That is our server offering. That basically acts as a container host. So, a very minimal base system and you do everything as a container workload. Very similar in concept anyway to like Fedora's CoreOS or I believe Ubuntu's IoT offering is very similar where you're expected to, you know, do everything you need to do in a container of some sort, whether that's Snap or Docker or Podman or whatever containerization you want to use.
Right.
Jonathan: So that's, that's more so what I would consider like a true immutable OS. Yeah.
Shawn: So the desktop came about actually and when I was said earlier that, you know, Aeon is sort of a sister project to Kalpa. It's actually a little different than that. They're actually more of an upstream for Kalpa.
Because I'm taking what Aeon is doing and what Richard and his team are doing and basically just adapting the Plasma desktop to all the work they're doing. I am involved in it. I am not nearly a class of coder as those guys are, so my contributions to making the underlying system work are limited at best.
Understood. So I'm primarily dealing with, with integration and configuration and trying to put together a desktop that we aim to be more, I hate using this as a comparison, but more Chrome OS like in usage where you just install it and use it.
Jonathan: I think for a lot of people though, Chrome OS is going to be the sort of this, the atomic desktop idea.
It's going to be the one that a lot of people have touched. Maybe it is a good example.
Shawn: It's a good example, I just, I It's, it's a browser as an operating system, which I have a Chromebook but you know, it's not an, it's not a bad comparison as far as if you're trying to explain to somebody what, what should you expect if I meet all my design goals, it should be a very Chrome OS like experience.
Yeah.
Jonathan: That makes sense. And so when we talk about Aeon and Kalpa, one of the things that I've kind of learned is when, when you're talking about the immutable desktop, it's not, it's not a binary or even a trinary. It's, it's a, it's a spectrum between, you know, on one side, mm-hmm, you've got your actual immutable installs.
And on the other side you've got, I guess we could call a full fat desktop where you could put whatever you want to on it. You can make whatever change you want to. Mm-hmm. And an atomic is somewhere in the middle. Where, where does the, the Aeon and the Kalpa, where does it fall on that spectrum?
Shawn: So, part of the big difference between us and for instance Fedora Atomic, we don't use rpm-ostree.
We are not image based like Fedora is. Oh, okay. We are pulling from all of the same repositories as OpenSUSE Tumbleweed. Mm hmm. None of our packages are special. Other than the config packages we need to make things happen. So we track Tumbleweed. It is a rolling setup. There's no point releases like you end up with in Fedora Atomic.
And we, rather than using rpm-ostree, we're leveraging the, the Btrfs snapshot system. So when we update, we're going to snapshot your running system. In the background, that snapshot is going to be updated, and then you reboot into the new snapshot. Ah. So, it's a fully atomic update process, because if anything goes wrong in that update process, it just discards the snapshot.
And, this tends to I believe Neil was talking about hysteresis in his, when he was on. Right. It. If you don't install anything into the base system it reduces hysteresis by a great deal. I'm not going to say it eliminates it, because Tumbleweed is a moving target. Upstream is going to introduce a certain amount of that, just by the virtue of the way Tumbleweed works.
So,
Jonathan: go ahead. Oh, so I'm, I'm, I'm kind of Wrapping my mind around this idea. I assume you have root and home split out so that when you do a rollback, you don't lose files out of home?
Shawn: So, in our setup anyway, /var, /usr/local, /tmp, obviously, and then /home are all subvolumes, and those are read-write at all times.
So, if you need to do any sort of bind mounts or anything funky, that can be done in /var. Your home remains untouched through the snapshotting process. Oh, /etc is also read-write. Okay. So, your, your configuration files are going to be handled just like it would on Tumbleweed or Leap. You just put them in /etc and, and process like you normally would.
System control doesn't, you know, running your systemd services doesn't require any special anything. You, you treat it just like a Tumbleweed system. Makes sense. The one area where we do greatly differ from from Fedora, for instance, we don't really encourage the idea of layering of RPMs into the system root.
We are all in on using Flatpak for your desktop applications primarily because that does reduce the chance that you're going to end up with instability in the core. So, our rule sort of is, the only RPMs you should be installing into the system base are going to be driver related. If you've got an NVIDIA card that you need the proprietary drivers for, obviously those need to go in the system root.
The install of shame. Network cards. Yeah, whatever it is you've got that, that, that I would qualify as a driver that needs to talk to the kernel like that, that obviously needs to be in the system root. But we really try to dissuade our users from trying to treat the system like you would Tumbleweed.
If you would like to be that user that tweaks every last square inch of your system. And Tumbleweed is still there. It's not going anywhere.
Jonathan: Yeah, I can, I can imagine there's, there's a pop up somewhere. You know, someone installs a bunch of RPMs. Okay. It's sort of in the, in the vein of Microsoft Clippy.
Hey there, we see that you're installing a lot of RPMs. Yeah. Would you like to try Tumbleweed?
Shawn: It doesn't exist yet, but don't think I haven't thought about writing something like that.
Jonathan: That's fun. That would be a lot of fun. You could have a lot of fun with that.
Shawn: I mean, for instance, with Kalpa your primary interaction for finding software is going to be through KDE's Discover app. Right. And that does not interact with RPMs at all on Kalpa or GNOME Software on Aeon as a comparison.
All it handles is Flatpaks.
Jonathan: And we're sort of at the point where just about everything you'd need is available as a Flatpak.
Shawn: Pretty much. There's a few, a little bit of stuff here and there, like for instance, Kate is still in the early testing phases upstream. They have not released it on Flathub yet.
And I know a lot of people that use KDE like Kate, and I don't personally use it, but I understand that's a very important package to a lot of KDE users. Right. And actually at the moment the install image includes the Kate RPM as part of the base image because Flathub can't provide it.
Jonathan: There you go.
So this is going to be a little bit of a trolly question. Not entirely though. There's, it's, it's a pass here. Have you thought about adding support for snap?
Shawn: No, the simple fact is I can't, Oh, really? Snaps are not in the official repositories for OpenSUSE. Oh, well, okay. I suppose. Yeah, that's true.
And to be a to be an official OpenSUSE product, everything you install has to be in the OSS or non-OSS repos. Right. And because of the kernel level patches that need to happen, snapd does not pass OpenSUSE Security Team's stamp of approval.
Jonathan: Aha. This is something that doesn't get talked about a whole lot, but there are some outstanding kernel patches for, for Snap to actually run sandboxed the way it's supposed to. There's, there's some kernel stuff that still needs worked on and I guess the Ubuntu guys have just kind of... They, it's like they put the code out there and and then it works.
Shawn: Yeah, so you can install snapd on OpenSUSE. You do have to enable a third, it's not a third party repo, but a development repo, but you are basically running into unsecured sandboxes because the kernel patches aren't there.
Yeah. So, we absolutely do not encourage people on OpenSUSE right now to use snaps. You know, if snaps are important to you and part of your workflow, I highly encourage you to pick an Ubuntu, whichever desktop you like, there's nothing wrong with them, go for it.
Jonathan: That's almost a controversial statement these days, that there's nothing wrong with Ubuntu.
Depending on which forums and Facebook groups you're in and read.
Shawn: That's very true. I, I don't like to criticize other people's work. I, I know how much work can go into getting things going and they just have a different idea of how to do it and maybe it works, maybe it doesn't. I, I don't have personally have a real strong opinion about Snap versus Flatpak.
Jonathan: Kalpa probably runs with SELinux enabled, is, is that, that's a thing that OpenSUSE does, right?
Shawn: Yes, all of the the MicroOS based OpenSUSE offerings are SELinux based. Okay.
Jonathan: I've, I've done some reading that apparently Snap, to get, to actually work the way it's supposed to, it requires AppArmor. And SELinux and AppArmor sometimes don't play well together, maybe as, that, that may be as strong as you cannot turn both of them on at the same time.
Shawn: I believe that's true. I've not tried it or looked into it. Currently Tumbleweed as shipped still uses AppArmor. They have not enabled SELinux yet. Oh, really? You can turn it on yourself as a user if you wish to. I do not. But I believe that that is true that if you try and enable AppArmor and SELinux at the same time, things get very unhappy.
Jonathan: That, that sort of makes sense.
I mean, you know, that's been my experience in in my also years of trying to help people with their Windows boxes, you know, if you have Norton and Symantec at the same time that Windows box is gonna be real unhappy with life
Shawn: Yeah, and that is one of the the development targets that we are still working on. So, due to being based on MicroOS,
our SELinux policies as currently written are sort of focused more on a a server workload. We do have a couple of guys that are working on writing a more desktop focused SELinux policy that we will be able to track. Like right now for instance, if you want to use the Steam Flatpak and run any Proton games, you have to do a couple of manual SELinux over, or,
yeah, SELinux overrides. It's not ideal, but it's where we're at at the moment. It's part of the reason why the why the, neither Aeon nor Kalpa have decided to declare themselves stable or ready to release.
Jonathan: Yeah,
Dan: It does make sense. So, so Shawn, you're clearly a KDE guy, which, which is interesting. I, what it seems to me as though SUSE or OpenSUSE kind of really pushed the GNOME side of things. Is that fair to say, and what's the reason behind that, and how do you get more people into your neck of the woods?
Shawn: Here's part of the issue with it is SUSE, the corporation, which produces SUSE Linux Enterprise doesn't actually have, there are no paid SUSE employees that their job is to work on OpenSUSE. That's a common misconception. I see people say it all the time. Why doesn't SUSE have OpenSUSE do this? Because that's not how the development model works.
But because SUSE Linux Enterprise does default to the GNOME desktop, I believe it's actually the only one they offer for installation if you want to run Enterprise SUSE. It gets more attention. There are more active developers. All of the SUSE employees that work on OpenSUSE, they're doing it as volunteers in their free time.
There's nobody up at the corporate level that is saying, you know, you, you work on GNOME unless they work for SUSE and part of their job description is you work on GNOME for the enterprise project or for the enterprise product. Part of that does come back to, I don't know how familiar you guys are with some of the history of SUSE.
At one point it was owned, owned by Novell and Neil touched on this a little bit, I believe. And I believe he might have said the unholy marriage of Ximian and
Jonathan: Novell may have passed his lips.
Shawn: Yes. Yeah. Yeah. And at the time that was sort of Novell made the decision, you know, GNOME is the desktop that we're going to chase for the enterprise product, which it's really funny, depending on where you go on the internet SUSE is alternatively known as a KDE distro by some parts of the community.
It's known as a GNOME distro by others. And I think part of that comes from when you got into the project and first installed it. Makes sense. Bye. I mean, it is hard for internet lore to die sometimes.
Dan: That's very true. It's strange because when I, I, SUSE was the first Linux distribution I ever used about 20 something years ago.
And it was KDE then. I'm sure it was KDE when I used it. It was 2002, something like that. I think around 2001 when I started with it. So that's very cool. So how many people are working on Kalpa? Is it, is it mainly yourself or is there a team behind it?
Shawn: At the moment, I've got myself as the primary developer and I have two other people that contribute pretty regularly as needed.
I would be extremely happy to have more help. But, it's open source, you kind of, you always end up with with more more users than you do have people doing the work.
I mean, I've, I've been around Linux since the late nineties and that's held true in every project I've been involved in. And to be fair, KDE is a big unwieldy beast with lots of switches to flip and lots of places. I mean, I, I think the current 6.0 release if you installed everything from frameworks from gear.
You know, install the entire suite. I think it's something like 450 packages.
Jonathan: Yeah, sounds about right.
Shawn: One of the very nice parts about our setup is I'm not maintaining KDE by myself. Because I'm using the same package as the Tumbleweed does. The OpenSUSE KDE team, which I believe is five to seven people, are actively maintaining KDE.
So I don't necessarily have to take on that, that workload. So I'm inheriting development from other parts of the project, which does reduce the workload a great deal on the actual desktop development of Kalpa.
Dan: Makes sense.
Shawn: Most of what I end up doing is playing with the configs. For instance, one of the issues right now is SDDM, which we're still using as the display manager.
Because of the read-only nature of /usr, you can't change the theme in SDDM. Not easily. It can be done, but you've got to do some, I'll call them unblessed things in the system root to install different themes in SDDM.
Dan: You got it. Yeah. Sacrifice a goat or something.
Shawn: Yeah. So that's one of the things that's on my list of things to fix.
I may need upstream help. I may be able to do some bind mounts out of /var in my own configs. It's just one of those peculiarities you run into where upstream expects /usr/share to be read-write at all times.
Jonathan: And SDDM is about to come, become an official KDE project, isn't it? It seems like there's some
Shawn: Yeah, I believe I just saw something about that this morning over in the Fedora KDE chat on Matrix.
It looks like for 6.1, they are planning on incubating SDDM as an official KDE project.
Jonathan: I, I'm hopeful that that will, for one, make life easier for you, and also fix some of the weird things around the the login manager that the rest of us have. I, I've got, I've got a display that's, you know, rotated 90 degrees so that I have it portrait format.
And SD, I think it's SDDM that's running on the machine behind me. It is not like that. It does not know what to do with that. It has no concept of a rotated display. So I'm, I'm hoping that having this sort of as, as part of KDE we'll get some of these bugs fixed.
Shawn: So to be fair, the the machine I'm doing the interview from at the moment is actually running Aeon, which is GNOME.
GDM has no idea what to do with a rotated display either. Because I've got this display in portrait mode and GDM is sideways. Yeah. Yeah, that figures. And actually you know, like for instance, I've got my my, my main workstation. It's a laptop plugged into a USB C dock with two displays, one of them in a portrait configuration.
Not everything works. It does once I get into the desktop, but it took some fiddling because you've got so many different things in the, in the, in the graphics chain doing that. That, you know, it's, it's not as simple as, Oh, I have a machine and I just plug the display into the graphics card.
Dan: So, so Shawn, I noticed that you don't ship a firewall
with your distribution now, is that something to do with the nature of of the, is that fair or is that something that you do, is something to do with the nature of the containerized atomic desktop that you maybe don't need that level?
Shawn: So this has actually been brought up. It was, it's been a great point of contention on the OpenSUSE forums in a couple of threads.
People insisting that we're doing something dangerous by not shipping a firewall. So if you are using Kalpa as intended, the only service that is running and exposed to the outside world on by default is the SSH daemon. Port 22 is the only port. And everything else should be handled by your Podman container networking.
Everything's limited through there. There's no need to have firewalld sitting in front of the Podman networking setup because you shouldn't be exposing any ports that you don't actually want to serve out to the world on. Additionally, part of the reason is we don't intend people to be doing the mixed use thing.
If you want to run a web server and serve it out to the world. Neither Aeon or Kalpa, that's not the use case that we're intending for them. You can do it. We won't stop you. It's your machine. Do whatever you want. But it's not an intended use case in our design goal. If you want to do that, we have the MicroOS server product.
We have Tumbleweed and/or Leap if you prefer a stable release. Which do include a firewall, because that's what everybody's used to. But, if you don't fire up a container and expose the ports in the container, there's nothing, there's no attack vector. What are you going to connect to?
Jonathan: That makes sense. Yeah, and it's not like it's hard to go into your SSH config and tell SSH that you really don't want it to allow connections from the outside world.
No, it's not. I suppose that's fair, it's just, it, It makes everybody itchy to think that I'm running without a firewall.
Shawn: It does and I Don't know if I necessarily blame blame Microsoft for that one. I know they catch a lot of hate for a lot of things. Yeah but a Firewall is not a magic bullet that protects you from everything, especially if it's poorly configured.
Yeah, one of the things that has continually been brought up is, so Fedora Atomic does ship firewalld in their default form. As far as I know, all of their Atomic offerings, the trick is if you go look at their firewall config, the firewall is not doing anything. It's there, right? So. Yes, we have a firewall, but the default config, it's not actually stopping anything.
Jonathan: In the same vein, I am sure that you ship a firewall in that the firewall modules are there in the kernel, just may not have an easy to grab program like firewalld to configure it.
Shawn: Yeah, our kernel is identical to the kernel that Tumbleweed ships, to the best of my knowledge. We are not, we don't patch the kernel in any special way for the the quote unquote immutable offerings in OpenSUSE.
Jonathan: Yeah, I think I would be more concerned about kernel patching than I am about the lack of a firewall. Like, when you actually get down to it, some weird kernel patch is probably more dangerous than running without a firewall, the way that system is set up.
Shawn: I, I mean, I'm far more concerned, honestly, from a security perspective, on a desktop machine.
People grabbing random pastes from webpages that invoke sudo and a shell script to install things. Yes, that's just insane to me that somebody would just, Oh, I'll just copy and paste this and go on my merry way.
Jonathan: Yeah, in the various forums, the places where I write or present, I've tried over and over again to tell people, no, no, if you find a place where you think this is what you need to do, copy it.
Paste it into KWrite, paste it into Notepad, what have you. Because first off, there's no guarantee that what the website says you just copied is what you actually copied. I know enough JavaScript to know that. Secondly, you need to look at that closely before you run it on your machine. Yes. If you don't understand what something in there is doing, don't run it on your machine.
Shawn: Yes. And, you know, that's something that has come up repeatedly in various places, not just in OpenSUSE. The, I, I've heard the and seen many discussions. Well, how do I know that I can trust the Flatpak developers? I trust the distribution packagers.
Jonathan: That's a fair question, actually.
Shawn: It's a fair question.
So far I don't personally see any major issues with open source software on Flathub. Their GitHub is very transparent about how the things are built and where the sources are coming from. Anybody can go to their GitHub and look at their build documents and see what's being built. Proprietary software, you know, I, pick your poison.
Yeah, I, I have Discord installed on this machine from Flathub. It is built from a proprietary piece of software I can't see the source of. Do I trust Discord or not? I don't know. But, it, it, it, cause my, my question always comes back to, because I do a lot of packaging of various things how do you know you can trust me?
I'm just some guy on the internet. Just because I managed to get it accepted into the official OpenSUSE repos doesn't necessarily mean I know what I'm doing.
Jonathan: Yeah, that, it's an interesting question. I, I think, part of the reason it, well, I would say honestly part of the reason is because you've, you've got a name, like you, your name is public, you show up on a podcast like this, people actually have an idea of who you are. You're not J. Random developer.
You're not, you're not Mr. Anonymous from nowhere. Yeah, and that kind of leads into something else I was thinking about: Docker images. There are, there are malicious Docker images out there. In fact, there's a bunch of them. It's, it's kind of mind boggling how many Docker images have, let's say, a Bitcoin miner built into them.
And there's not much that Kalpa can do about that, is there?
Shawn: No, there's not. Other than and I will fully apologize right now. I am not the most knowledgeable guy in the world about containers. Other than what security is in Podman itself to stop malicious actors from doing something weird with a container.
Right. There's nothing else we can do about it. Yeah.
Jonathan: Other than try to educate people. Yes. Be careful which, be careful which Docker image you download. Because anyone, anyone can and they do upload to Docker Hub.
Shawn: Yeah. And you know, we, much like the the Fedora Atomic setups, we do leverage containers for, you know, if you're a guy that likes to do everything in shell, we ship Distrobox by default with the Podman.
And we have put together our own Tumbleweed based images for that use. So if you just type distrobox, enter, it's going to pull a Tumbleweed container from registry.opensuse.org. And then you can do whatever you need to do in there. I believe the Fedora Atomics are all still using Toolbox. Similar, but, you know, a little, a little different. Distrobox tends to be a little more flexible.
In that it makes it very easy. I, if for whatever reason you feel you need an Ubuntu container to do something Ubuntu-specific or Arch or whatever, Distrobox makes that a little easier to pull down other people's containers than Toolbox does.
Jonathan: Has there, has there been any, when it comes to, when it comes to Docker, has anybody thought about limiting the, what's available to just the Docker official images?
Like, is there a way to do that? Because I know Docker has, Docker has this project where it's like, these are the curated Docker images that, these are the ones that we actually put our stamp of approval on. I think it might be interested, interesting to, to have some way, I don't know about limiting a user to those, but strongly encourage making it much easier.
I guess that would be the way to go about it. Making it much easier to download one of those and more difficult to download just like random Docker images.
Shawn: I have actually not seen any discussion about that, but I'm, I, I just added it to my little notepad to, you know,
did just release an update to how they're doing verification which is a very similar sort of thing that, that, that Docker could be doing. Or anybody that's running an OCI container registry, really. It doesn't necessarily have to be Docker themselves. They just happen to be the biggest repository of OCI images out there, as far as I know.
It's an interesting question I hadn't considered, honestly. It seems to me that that would absolutely be a worthwhile pursuit to have some sort of verification that, you know, hey, this This container is not going to eat your hard drive and steal your lunch money. Yeah.
Jonathan: You know, that's, it's, it's an issue that's really become a thing on a lot of different sort of open source repositories.
Not as far as I know, not any of the distros, like I don't think it's been a problem on a distro packages, at least not very often, but places like Docker Hub, places like the, the, the Python registry, PyPI, the, the Node.js registry, I can't remember the acronym at the moment, but they, they all have this problem of, well, the, the things that really happen are either, you get a new maintainer that was not entirely honest when they took over maintainership of a project, or you get typosquatted, where a project has the word color in it and someone goes and grabs a new project that's the same thing except the other spelling of color, and they'll get thousands and thousands of downloads, and they do, they do terrible things on people's computers.
It's a, it's a, like, it's, it's one of the problems that open source is trying to deal with right now, kind of as a whole.
Shawn: Yeah, you know, and sort of, You get back into that argument if you look at, for instance, the iOS versus Android ecosystem. Apple, for good or for ill, maintains their App Store with what I would consider a Stalin like level of control.
Whereas the Play Store on Android There's been some pretty ugly malware that has come through that thing over the years. I believe that Google has taken steps to help ameliorate that. But, it's sort of the nature of open repositories. I mean I can tell you if you get something from the OSS and or non OSS repos in the case of OpenSUSE we don't like patching unless we absolutely have to.
And if you've patched upstream sources, you need to have a reason for it, or it will get rejected, right? You know, I, I don't like the way upstream does it is not a good enough reason to be issuing patches. You need to be talking to upstream and getting them to fix it. Right. You know, most of our patches deal with RPAM deconfiguration is slightly different than say Fedora or Debian.
So yes, sometimes we have to patch for that, or, you know, it's, it's functional stuff and not design choices. Yeah, makes sense. And I do appreciate that, that Flathub in particular is. You know, focused on trying to get the upstream projects to be the ones that publish on FlatHub. I know there's a lot of third party stuff on there for various reasons, but A lot of it over the course of Flathub existing has gone back upstream where they've gotten together with the developers.
And now it is the developers that are publishing on Flathub, which is a good
Jonathan: thing. And, and ideally baked right into their continuous integration where they're, you know, they're on GitHub or GitLab, whatever. And they finally say, all right, you know, check in the change. It changes the version number that kicks off all of the, all of the, the build scripts.
And one of those build scripts is just, all right, build a Flatpak, push it out to Flathub. Like that's, that's the way to do it if you can. The,
Shawn: KDE Upstream has been working hard on that. And you know, if you'd asked me a year ago, the KDE presence on Flathub was not what it is now. But it's getting much better.
I believe all of the actively maintained stuff in Gear is going to be there in the next year. Yeah, like, you know, I discussed a little earlier, I, Kate being one that is still in a testing process partially because of the, the, the language server back end. It's a little problematic. KMail and the comp, the, the, the PIM suite.
I've had issues with it in a Flatpak because of Akonadi. Other people have reported it works fine for them, but that was true even if you were installing from RPM or DEB or whatever. That, that particular software suite, I've always had various problems with it. Other people have reported it works fine.
Mm hmm. So, your mileage may vary. Yeah,
Jonathan: it's weird when that happens with applications, but it does. Yes. Let's see. So one of the other things we kind of touched on is Podman. And that actually surprised me a little bit that I know the Fedora stuff use Podman. I'm quite, quite well acquainted with that.
I've worked with it and fought with it a time or two. I did not know that the OpenSUSE sort of ecosystem was around Podman. Do you know, do you know why that is? Why they use Podman instead of Docker?
Shawn: First and foremost, because Podman does not require elevated privileges. Your standard, if you just want to install a container in Podman, you can do it as a user.
You don't need sudo, you don't need to set up anything, any escalated privileges to use it. I believe Docker is able to do that now to some extent, but that wasn't always the case. You were launching your containers as an elevated, with elevated privileges. Interesting. Whereas with with Podman, it was designed from the, the word go and I, I, I don't know any of the Podman developers directly but I believe that was one of their design goals was being able to run your containers as an unprivileged user, which from a security perspective, makes a lot of sense.
Unprivileged account firing the container off, there's only so much stuff that can get access to, right?
Jonathan: Which is probably what you want. Okay. Yes, probably what you want,
Shawn: And you know, I, I have been playing around with a little bit Podman now has Quadlets, which is sort of their take on what Docker Compose does.
I find it much less opaque than Docker, than Docker Compose. I should have to look into that. I highly encourage anybody that, that, that is using a distro that ships Podman or is interested in Podman, have a look at Quadlets. They're pretty trick. They integrate with systemd really well and simplify your containerized workloads, really, you know, especially in a server environment.
Yeah,
Jonathan: absolutely. I'm gonna let Dan jump in and ask about Project Greybeard. And then I'm gonna take it back. And we'll talk about maybe some Wayland stuff. But Dan, take it away.
Shawn: Yeah,
Dan: sure. Well the question's fairly obvious, actually. So I wanna know, what is Project Greybeard? And what does it do?
And what
Shawn: can you tell us about it? Is based on MicroOS, just as Aeon and Kalpa are. It is outside the OpenSUSE umbrella. It is not an official OpenSUSE project. Partially just due to it's meant to break things. It's meant to have some very highly opinionated ideas about how things work. And obviously it is the Sway desktop running on top of a MicroOS base.
Ah, alright. So it is a, you know, obviously a, a, a tiling compositor. And it's meant to be much more bare bones. It installs, I, at the moment, I believe, the last time I checked the patterns, you basically, you get Firefox as a default install, and that's it as far as graphical applications go. Hmm. So, it is outside of the OpenSUSE umbrella partially because, and this sounds like a terrible way to put it, but I don't know another way to put it.
There's no community surrounding it so much to be able to say, we want it to do this. We want it to do that. This is purely developer driven, sort of based on what we want. Partially, you know, I, I, I would say, honestly, it's a little bit of a reaction to developer burnout where you do get everybody and their dog telling you how you should be doing it.
I, you know, yeah.
Dan: So who's the user base for this
Shawn: then? At the moment, I believe it's Richard and me. Okay. You know, we have not advertised this thing out. In fact, this podcast is probably the first time that it's really been talked about in public. Oh, wow. Big announcement. Yeah, but it is also not necessarily tied to
Because we're not trying to ship it as an official OpenSUSE product. We don't necessarily have to run things by the OpenSUSE security team. Or by legal or whoever else, 'cause you know, good, bad or otherwise, OpenSUSE is in the same boat as Fedora. We are tied to a corporation, which has its, its pluses and its minuses.
I'm sure you can, you can both recall the absolute uproar when, when Fedora decided to pull the codecs from Mesa. Because they were worried about potential luck. Yeah, and OpenSUSE did the same thing. So, we aren't necessarily bound to follow what OpenSUSE is doing. If we see Ubuntu, or Clear Linux, or Solus, or somebody doing something that we can't necessarily do in OpenSUSE officially, we can do it in Greybeard and see what happens.
I would compare Greybeard a little more towards something like Universal Blue, honestly. Different goals, but sort of working outside of the, the official repositories to put something together. You know, the, the Universal Blue guys, obviously they do work closely with Fedora, but they're not necessarily bound by what Fedora wants to do if they don't want to.
Which can be advantageous when you're, you know, throwing stuff at the wall and seeing what sticks. Yeah, makes sense.
Jonathan: Yeah, for
Dan: sure. So, talk to me a bit about Sway, because I've never used Sway. Am I right in thinking it's a Wayland tiling window manager? Is that anywhere near
Shawn: close? It is, and it is Wayland only.
There is no X11 version. So, are you familiar with i3? Ah, okay, yeah. A little bit. So, in usage, you can actually take your i3 configs, drop it right into Sway and everything works. The, the, the configuration and the usage is almost identical to i3. It is just Wayland only instead of, instead of offering X. Ah, cool.
So, and I believe, don't quote me on this, I believe the Sway developers are one of the primary drivers of the wlroots compositors. Which I believe everybody except for KDE and GNOME are primarily basing their compositors off of. KWin, Wayland is wlroots compatible in most ways. Mutter, on the other hand, GNOME's doing what GNOME does, their own thing.
Jonathan: As they do.
Shawn: I can't speak for GNOME. So yeah, Greybeard is very amorphous at the moment and sort of intended more for a development playground. We, it does not use a display manager. It's very rough. We aren't too worried about it being pretty. We're not trying to ship a finished desktop product. It's more, like I said, a playground to play with the, the immutable design and the container workloads and sort of move fast and break things.
Jonathan: Yeah. I did want to ask though, you've got one Wayland playground that you're playing in, and I'm curious with Kalpa, and I guess with all of OpenSUSE at Tumbleweed, what's the story with KDE Wayland there? Is there still KDE X11? Okay,
Shawn: there is still KDE X11 due to the development model of having to support OpenSUSE Leap.
Mm-hmm. X11 is not going anywhere anytime soon. Ah, it's a, I don't know if I really have the time to explain how the development model works and how that versioning breaks out, but anything that is in Leap has to be in the official repositories, the OSS repositories. Okay. So, as long as Leap is still shipping Plasma 5, X11 is going to remain.
And the KDE team has, we are shipping both Plasma, I'm sorry, Wayland and X11 sessions for Plasma 6. I can tell you that when Plasma 6 comes to Kalpa, there will be no X11 session by default. Okay. Users that wish to have X11 can install it. That will be a supported configuration, it's just going to default to Wayland.
Yeah, there you go. I, I don't personally see any reason to keep dragging X11 along. Oh. Oh. Oh. Oh. I understand NVIDIA users and some very special use cases still need X11 for things and that is still going to be available if you use Kalpa. I don't believe the X11 session in Aeon is going anywhere, but they also default to Wayland.
But there has been no talk as far as I'm aware of within OpenSUSE as a project to say, no, we're, we're, we're dropping X11.
Jonathan: I mean, there's coming a time, and I sort of think that it's going to be here pretty soon. That X11 is, is really, and maybe we're there already, is for all intents and purposes, unmaintained.
And I, I, I'm personally of the opinion that we need some, some people running distros to sort of wake up to that reality. It was not very long ago that someone discovered, and it got fixed, to X11's credit, it got fixed, but like a 37 year old critical security bug in X11. Mm hmm.
Shawn: X11 has been on life support for a decade, basically.
Yes. Everybody that used to work on X11, they're Wayland developers now. And the only work that I'm aware of that's actually happening on X11, other than secure, you know, security backpatches, is in XWayland. Right. The, the, the standalone X server itself, nobody's touching that. Which, you know, I suppose to, on some level, is a testament to the fact that it works.
They haven't needed to touch it. Yeah. Mm. But it's, it's a, it's a display server model intended for a different age that was sort of tortured into being what it is. Yes. You know, it, it was the tool they had to work with at the time coming out of, I believe it was Project Athena way back in the eighties.
It's just not, it's a dead development tree, basically. Yeah. And the way the developers, the X, the X.Org developers realized this a decade ago, and were like, we're just, we're moving on, we're gonna start over. And that's not to say that Wayland is perfect. It's where we're going.
Jonathan: So I was just thinking about asking this question.
I've got, I've got sort of another thought. There, now you're back. I've got sort of, I've got sort of another thought that goes along with this. Let's, let's touch on that first. RHEL 7 is just about to end production support and enter extended support. And I've, I've heard some murmurings that when that transition happens, X11 is basically going to lose the last of its paid developers that actually cares about security bug fixes.
I don't know, maybe that's going to be a real important date when that happens.
Shawn: I, I don't have any visibility into that part of the world. But, that wouldn't surprise me. I mean, I can tell you from anecdotal personal experience, and sort of being around the SUSE Enterprise product just by osmosis, but from being an open SUSE member.
There are absolutely people companies still paying for long term support for like SUSE Linux 10 and SUSE Linux 11 and yeah, I don't believe either of those ever shipped Wayland to begin with, but I also don't believe that any of those clients paying for that long term support are desktop, right?
Interested in desktop in any way, shape, or form. They're running servers. They don't care about a display server. So, yeah, once the enterprise has moved on, and if RHEL is the one that drives that, yeah, I absolutely agree that your paid development on X11 is absolutely going to fall by the wayside.
Jonathan: Yeah, so you, you kind of alluded to something just a second ago, and I'm curious your thoughts on it. It sounds like you watch some Wayland development as it happens, which, watching development as it happens is sometimes scary. But it sounded like you have, you have thoughts and opinions on that, like, oh, I don't know, the, the, the difficulty with which it is to get something as simple as setting a program icon in Wayland.
Shawn: I mean, one of them, and it's, it's part of the reason why I do prefer sort of what KDE has chosen to do with their Wayland support versus what GNOME has done with theirs. I, I, I don't mean to criticize the GNOME developers, but I absolutely do not understand their hardcore opposition to setting server side decorations for windows.
That one baffles me, but they have their reasons and, you know, I'll be completely honest, there are times when I look at GNOME's development model and sort of their stubbornness and kind of their clarity of vision to be like, no, this is how we're going to do it. You can come with us or not. 'Cause I think there is some value in software projects being able to do that.
Sure. It certainly makes them unloved in certain corners of the internet. I don't think anybody likes being told no but it does bring up challenges as somebody that is developing a KDE based desktop. Depending on how deep you want to get in the weeds, you can make the Plasma desktop be basically anything you want.
Which makes it incredibly difficult to support at times.
Jonathan: Yeah, I can see that. Makes sense.
Shawn: And that goes for Linux in general. You know, when you've got the freedom to do anything, it can lead you to some interesting places and some very strange bugs.
Jonathan: Yes. What's the What's the, the, the law that, you know, if there's two ways to do something, one of them's right and one of them's wrong, someone will inevitably come along and do it the wrong way.
It's not Poe's law, it's not Moore's law, but it's one, it's one of those laws that I think it, I think originally originated from rocketry, actually. Someone installed sensors the wrong way. We kind of, we kind of get that in Linux and in the Linux desktop, someone will inevitably come along and put this in wrong.
Shawn: You know, I, but, sort of, you know, vis a vis coming rolling back around to Wayland and X11, good, bad or otherwise, it's a similar issue to, you know, when systemd came around. I understand there are still distributions that, for their various reasons, don't use systemd. Slackware still doesn't and, you know, they, they, they're doing fine for, you know, for what Slackware is.
Things change from a case, progress happens. I wouldn't say that, for instance, systemd slash PulseAudio slash PipeWire, pick your controversial software choice. None of them were perfect, but neither were the ones, what came before. You know, it, it, I, when systemd made its way into OpenSUSE at the time, I hated it.
Partially because, you know, I, I had just been involved in Linux and I was used to using the old SysV init. Mm-hmm. And yeah. There, there's still the occasional thing that bugs me about the way systemd does things. Sure. Depending on which part of systemd you're using, but you know, you, you learn and you move on.
Yeah. Because do I want to take on all of the development overhead for an entire init system, just so I don't have to use systemd? No. No, I don't. Nobody's saying
Jonathan: does.
All right, let's we are, we are running out of time. It has been a great discussion. Let's get into some final questions. And one of the things we for sure wanted to ask about is, When is Kalpa gonna be, when is it gonna be done? No, when is it gonna be stable?
Shawn: Yeah, so if you go look at the, at the, at our, the Mastodon that I linked, that's sort of the official news source for Kalpa related things. I, there's some pinned posts that line out a little bit of this. One of the issues we've got right now is OpenSUSE, I don't know how much you guys are, have interacted with it in the past, YaST and the YaST installer or whatever.
going away. They're not gone but that development has stagnated and the upstream project OpenSUSE is working on a new installer called Agama. We aren't actually going to be using that for Aeon and Kalpa. Richard and his team are currently working on our installer. But one of the issues is, for instance, Aeon uses GNOME Initial Setup, which on first boot, that's where you set up your username.
It sets up your home, you sign into your online accounts, et cetera, et cetera. Plasma currently does not offer anything like that. It's something that's been discussed with the Plasma developers. It's something that I'm working on, on writing. But at the moment, that needs to happen before I'm willing to move it out of, closer to a release.
Sure. There's a few other minor issues there and quality of life things that I have to touch up. One of the things that I would like to get working is the ability to set SDDM themes before I say it's stable. Sure. So you're going to see, at the moment, Kalpa is, is officially an alpha release.
You will see it move to beta when our new installer comes out. I kind of have to wait because Aeon is my upstream for this. Once they get it sorted out, and then I can do what I need to do to get it to work for Kalpa, I'm going to move the project from alpha to beta. Release, I mean, I don't want to commit myself to a timeline because somebody will inevitably pop up when I said it was going to be ready and say, hey, you said it was going to be ready, but I would expect that I could have it ready to go in the next 12 to 18 months as far as a stable release where I can say,
It's good. We're good to go. Yeah. Mm-hmm. Very cool. 'Cause I, I do know that right now if you install Kalpa with the current installation media, it is not guaranteed that we have an upgrade path from what currently gets installed to what will happen with the new installer. Richard and his development team have been working on that.
There is a non-zero chance that moving to the new setup will require reinstall. I just, I can't answer that question yet. Sure. All
Jonathan: right. So, there's, there's, so, there's a couple of questions I, I love to, I love to ask folks before we let them go. And one of the ones that is the most fun is, what's the weirdest or most surprising thing that someone has done with this project?
What's the weirdest thing you've heard of that someone has done with Kalpa?
Shawn: The one that keeps popping up. And I'm not entirely certain, well, I know why they're doing it. But, is torturing the Nix package manager into playing nice with an immutable root. 'Cause, depending on how you want to define Nix, it's immutable in its own way. So, basically, you've got two different philosophies trying to argue with each other, and there have been some really interesting hacks to get this to work.
I will say it is not officially supported. If you try to do this, you're on your own. I'm not going to fix your bugs. But yeah, some of the, the, the, if you go back and poke around the internet and look at some of the things they've had to do to get Nix to play nice with a, I'm like, wow, that's an awful lot of work.
Jonathan: You know is there, is there anything that you really wanted to cover real quick that we, we didn't manage to ask you about?
Shawn: So one of the things I would kind of like to, you know, since I have a, a soapbox to stand on here, isn't directly related to Kalpa, but it is related to OpenSUSE as a project.
Sure. Various other I don't know what you I'll call them media outlets. The project has not been the greatest at communicating all the time with what they're doing. I don't know if either of you have heard of ALP. I read
Dan: about it today.
Shawn: Yeah. So it's bouncing around. Reddit is terrible for it.
Any number of other places. ALP came up and at some point, somebody decided that ALP means everything in OpenSUSE is going immutable, and we are all going to be forced to move to an immutable base distribution. This is not true. I just, I, for anybody watching that is using OpenSUSE and is worried that you're not going to have a traditional distribution available when Leap 15 ends development.
It's already been announced, there will still be a traditional distribution of Leap, where you're still, you've got a full read write file system, you, it's just not going to happen. The other one that has come up repeatedly since the ALP announcement, which is primarily a corporate design decision, and doesn't, it doesn't, it doesn't affect OpenSUSE.
Tumbleweed is not going anywhere. I've seen repeated times, you know, is, is, is, are Aeon and Kalpa replacing Tumbleweed? No. We don't exist if Tumbleweed doesn't exist. Literally. I, because we're downstream of Tumbleweed. So, you know, if I can get anything across, having appeared here, OpenSUSE, we're not perfect, we never have been, probably never will be, but your traditional distributions are not going away.
Nobody's talking about taking them away or sunsetting them. We're absolutely exploring immutability, atomic, whatever term you want to use. At some point, I think we probably need to come up with a better term for it. I believe, like I said, Neil brought up hysteresis, but that's, nobody knows what that hysteresis is.
But, you know, and we're not the only ones. Ubuntu is looking at immutable offerings. Vanilla OS is out there, which, I believe their model is similar to ours in that they're leveraging snapshotting. Like we do, I don't know, I don't recall if they're using Btrfs or not, but everybody is sort of looking at this, and I, regardless of which one you use, or don't use, an immutable system is not really taking away choice, it's just a different way of doing things.
You know, there, there's absolutely a way to remount the system root read-write if you're insane and want to break things. Nobody's stopping you. It's
Jonathan: just not supported.
Shawn: But it does require a little bit of different thinking and I encourage anybody that's curious. Spinning up VMs on Linux now is so darn easy.
Download an immutable that you think is interesting. Toss it in a VM and play with it. See what it does. You know, it's a minimal investment to, you know, sort of investigate. Yeah.
Jonathan: Great. So I do want to ask you two final questions before we let you go. And that is, what is your favorite text editor and scripting language?
Where do you spend all
Shawn: day? Oh, well, that's easy. Vim, period. There's no other text
Jonathan: editors, what are you talking about? That is the text editor. You just used Vim because you fired it up one day and weren't able to get out and had to learn it, right?
Shawn: Yeah, I'm still stuck there. I never have figured out how to get out of it.
Jonathan: It's a
Shawn: scripting language. I fire up, I do a new install, fire up a new machine. It's still open to the same file I was in 15 years ago.
And I primarily do most of my scripting in Perl. Ah, there you go.
Jonathan: Oh, okay, cool. Randall Schwartz, I know you'll listen to this later. You got one. He's a Perl fan. Alright.
Shawn: I have, I've played a little bit with Python and some of the other ones. Perl was the first one I learned and it does everything I need it to do, so I use that.
Yeah.
Jonathan: No, nothing wrong with that. All right, Shawn, thank you so much for being here today, giving us a great overview of not just Kalpa, but the entire immutable desktop, particularly at OpenSUSE. Touched on a bunch of things. Thank you, sir. Appreciate it. Oh, thank you. Yeah, it's great. All right, Dan. Any thoughts?
Shawn: Yeah, I thought
Dan: it was great. Really interesting. Really interesting to hear from Shawn about many different things. What he said towards the end there about you should try an immutable desktop, put it on a VM, see what it's like. I'm gonna, I'm gonna definitely do that and, and, and actually try and figure this thing out.
Because I haven't really used an immutable desktop. I don't know about yourself, but it is an interesting concept and it makes me want to try it
Jonathan: out. Yeah, I'm, I'm tempted to I'm tempted to grab Kalpa and put it on a VM just to, to play with it and see what it's like. I still kind of have this thought that it would drive me crazy, but I can, I can see it definitely being useful.
I don't know, maybe, maybe some of the things about it that would drive me crazy, we just need a little bit more time to bake for, you know, your, your various Docker and, you know, your, your container support to get just a little bit better. You know, like he was, he was talking about the things like with Kate, there's, there's still these occasional problems people run into.
I know I have, I occasionally run into problems with things like trying to launch Mumble, which, Mumble, that's an entirely different issue because that project just needs to get brought into the future. But anyway, you know, some days, some days the containerized version of it will work. Some days the containerized version of it won't work and I have to go launch the RPM installed version of it to be able to get sound happening out of it.
There's still a few of these little problem points, but. It's getting better.
Dan: Yeah, it's an adventure. It's all an
Jonathan: adventure. Yes. Yeah, but definitely something fun to play around with. Dan, you have anything you want to plug?
Dan: Not, not specifically. If you head to danlynch.org, that's my website. That's the place to look for all things I'm up to, so keep, keep an eye on
Jonathan: that. danlynch.org, awesome.
So, I will mention that next week we have, we have a really special guest, we also have a special co host, and we have a special time, so next week, February 28th, we are recording two hours earlier. Which means that I'm going to be even more brain scrambled, because I, I will have to be here earlier.
Our co host is going to be Elliot Williams, the managing editor at Hackaday. And the topic is going to be the Raspberry Pi. We finally scored Eben Upton as a guest. So if anyone out there that are rabid Raspberry Pi fans like I am, or if you're curious about the news about Raspberry Pi, maybe having an initial public offering, we'll certainly ask about that.
If you're interested in the Pi 500 that hopefully is coming, we're going to ask about that. All kinds of fun stuff. You don't want to miss that one coming up next week. And then the only other thing that I've got to plug is, well, two things I guess now. First off, the security column goes live on Hackaday every Friday morning.
Make sure and follow there for your weekly dose of security news. And then the Untitled Linux Show. There's been a change over at TWiT. And the Untitled Linux Show, the audio is available to everybody. That's twit.tv/uls, is where you can find that. And if you want the video and if you want to be in the Discord, that of course is at Club TWiT, which, in my opinion, is worth the investment.
But anyway, make sure to follow those things as well. Thank you, Dan, so much for being here. Always a pleasure. Great to
Dan: be here. Thanks for having me.
Jonathan: Yeah. And Hey everybody. Thank you for listening. We will see you next week, two hours early on Floss Weekly.