Immutable distributions are slowly spreading across the Linux world– but should you care? Are they hacker friendly? What does “immutable” mean, anyway?

Immutable means “not subject or susceptible to change” according to Merriam-Webster, which is not 100% accurate in this context, but it’s close enough and the name is there so we’re stuck with it. Immutable distributions are subject to change, it’s just that how you change them is quite a bit different than bog-standard Linux. Will this matter to you? Read on to find out! (Or, if you know the answers already, read on to find out how angry you should be in the comments section.)

Immutability is cloud-based thinking: the system has a known-good state, and it’s always in it. Everything that is not part of the core system is containerized and controlled. I’m writing this from a KDE-based distribution called Aurora, part of the Universal Blue project that builds on Fedora’s Atomic Desktop work. It bills itself as being for “lazy developers”.

The advantage to this hypothetical lazy dev is that the base system is already built, and you can’t get distracted messing around with it. It works, and it isn’t at all likely to break. Every installation is essentially identical to every other installation, which means reproducibility is all but guaranteed. No more faffing about arguing on forums to figure out which library is conflicting with which. In an immutable system, they’ve all been selected to play well together, and anything else is safely containerized. (Again, a cloud ideal.) If the devs make a mistake during an update, well, just roll back!

50 Shades of Immunability

The different flavours of immutable linux differ in how they accomplish that, but all have rollbacks as a basic capability. Each change to the system becomes a new, indivisible image; that’s why we talk about atomic updates. You create a new system image when you update, but you don’t start using it until you reboot the system. (This has some advantages to stability, as you might imagine, although the rebooting can get old.) The old image is maintained on your system, just in case you happen to need it.

MicroOS and its descendants (like Aeon) use a system based on BRTFS snapshots to provide rollbacks. Fedora’s atomic desktops, like Silverblue, and the Universal Blue downstreams that are based on Fedora like Bazzite or Aurora use a system called OSTree, which is considerably more complex and more interesting. You can do something similar with Nix, of course, but that is a whole other kettle of fish.

OSTree bills itself as “Git for operating system binaries”. Every update, or every package installed is layered onto the tree and can be rolled back if needed– en masse, or individually. You can package up that tree of commits, and deploy it onto a new system, making devising new “distros” so trivial they don’t really deserve the name. In theory, you can install everything via OSTree, but the further you take your system from the base image, the less you have that “every system is identical” easy-problem-solving that the immutable guys like to talk about.

Of course you do want to install applications, and you do it the same way you might on a server: in containers. What sort of containers can vary by taste, but typically that means Flatpak for GUI applications. Fedora-based immutable distributions like Silverblue or Aurora use Flatpak, as does OpenSuse. (AppImage and snap are also options, technically speaking, but who likes snaps?) The Universal Blue team adds in Homebrew for those terminal applications that don’t tend to get Flatpaks. I admit that I was surprised at first to see Homebrew when I started using Aurora, since I knew it as “the missing package manager for MacOS” but its inclusion makes perfect sense when you think about it.

MacOS is the First Immutable UNIX

MacOS, you see, is the first immutable UNIX. As much as we in the Linux community don’t like to talk about it, Macs aren’t just POSIX compatible– they run Certified UNIX(). And Curputino has been moving towards this “immutable” thing for a long time, until Catalina finally sealed the system folders away completely on a read-only volume. Updates for MacOS also come as snapshots to replace that system volume– you could certainly call them “atomic”. Since the system volume is locked down, traditional package managers won’t be able operate. Homebrew was created to solve that problem. It works just as well on a Linux system that has the same lockdown applied to its system folders.

If Homebrew isn’t your cup of tea – and it seems to not be everyone’s, since I think Universal Blue is the only distro set to ship with it – you can go more hard-core into containerization with docker or podman. Somewhere in between, you could use something like Distrobox. If you haven’t heard of it, Distrobox is a framework for deploying traditional linux systems inside containers. For devs, it’s great for testing, even if you aren’t basing it on top of an immutable distribution. If you’ve never worked in the cloud, this may all sound like rube-goldberg gobbbly-gook, (“linux in a box on my linux!?”) but once you adapt to it, it’s not so bad.

The Year of Immutable on the Desktop?

The question is: do you want to adapt to it? Is cloud-based thinking necessary on the desktop? Well I’d say it depends on who is using the desktop. I would absolutely steer Windows users who are thinking of switching to Linux in the wake of the Windows 10 EOL to a Universal Blue distribution, and probably Aurora since KDE is more windows-y than Gnome. Most of those ex-Windows users are people who just want to use a computer, not play with it. If that describes you, then maybe an immutable distribution could be to your liking.

MacOS has shown that very few desktop users will ever notice if they can access the system folders or not; they are most interested in having a stable, reproducible environment to work in. Thus, immutable Linux may be the way to bring Linux mainstream – certainly Steam thinks so, with SteamOS. For their use case, it’s hard to argue the benefits: you need a stable base system for the stack of cards that is gaming on Linux, and tech support is much simplified for a locked-down operating system that you cannot install packages on. The rising popularity of Bazzite, Universal Blue’s gaming-centric distribution, also speaks to this.

There are downsides to this kind of system, of course, and it is important to recognize that. Some people really, really hate containerization because Flatpaks, and other similar options, use more memory, both on disk and in RAM. Of course not everything is available as a Flatpak, or on Homebrew if the system uses that. If you want to use Toolbox or Distrobox to get a distro-specific set of packages, well, of course running a whole extra Linux system in a container is going to have overhead.

From an aesthetic perspective, it’s not as elegant as a traditional Linux environment, at least to some eyes, mine included. Those of us who switched to Linux because we wanted absolute control over our computers might not feel too great about the “do not touch” label implicitly scrawled across the system folders, even if we do get something like rpm-ostree to make changes with. Even with a package manager, there are customizations and tweaks you simply cannot make on a read-only system. For those of us who treat Linux as a hobby, that’s probably a no-go.

For the “Lazy Developer” Aurora sells itself to, well, that’s perhaps a different story. Speaking of lazy, I’ve been using Aurora for a few months now, almost in spite of myself. I initially loaded it as the last step on a distro-hopping jaunt to see if I could find a good Windows 10 replacement for my parents. (I think this is it, to be honest.) It’s still on my main laptop simply because it’s so unobtrusively out of the way that I can think of no reason to install anything else.

At some point that may change, and when it does I might just overcorrect and do a Linux From Scratch build or try out like NixOS like I’ve been meaning to. Something like that would let me regain the sense of agency I have forfeited to the Universal Blue dev team while running Aurora. (There have been times where I can feel the ghostly hand of an imaginary sysadmin urging me not to mess with my own system.)

After seeing how well containerization can work on desktop, Nix looks extra appealing – it can do most of what this article talks about with the immutable distros, but without trusting configuration of any facet of the system to anyone else. What do you think? Are the touted benefits to stability, reproducibility, and security worth the hassle of an immutable distribution? Is the grass greener in the land of Nix? If you’ve tried one of the immutable Linux distributions out there, we’d love to hear what you think in the comments.

hackaday.com/2025/07/10/person…

While we know that many of you are reading Hackaday via our Really Simple Syndication (RSS) feed, we suspect that most people on the street wouldn’t know that it underlies a lot of the modern internet. [A. McNamee] and [A. Service] have created an illustrated history of RSS that proudly proclaims RSS is (not) dead (yet)!

While tens of millions of users used Google Reader before it was shut down, social media and search companies have tried to squeeze independent blogs and websites for an increasingly large part of their revenue, making it more and more difficult to exist outside the walled gardens of Facebook, Apple, Google, etc. Despite those of you that remember, RSS has been mostly forgotten.

RSS has been the backbone of the podcast industry, however, quietly serving feeds to millions of users everywhere with few of them aware that an open protocol from the 90s was serving up their content. As with every other corner of the internet where money could be made, corporate raiders have come to scoop up creators and skim the profits for themselves. Spotify has been the most egregious actor here, but the usual suspects of Apple, Google, and Amazon are also making plays to enclose the podcast commons.

If you’d like to learn more about how big tech is sucking the life out of the internet (and possibly how to reverse the enshittification) check out Cory Doctorow’s keynote from our very own Supercon.

hackaday.com/2025/07/10/long-l…

We love 3D printing. We’ll print brackets, brackets for brackets, and brackets to hold other brackets in place. Perhaps even a guilty-pleasure Benchy. But 3D printed shoes? That’s where we start to have questions.

Every few months, someone announces a new line of 3D-printed footwear. Do you really want your next pair of sneakers to come out of a nozzle? Most of the shoes are either limited editions or fail to become very popular.

First World Problem

You might be thinking, “Really? Is this a problem that 3D printing is uniquely situated to solve?” You might assume that this is just some funny designs on some of the 3D model download sites. But no. Adidas, Nike, and Puma have shoes that are at least partially 3D printed. We have to ask why.

We are pretty happy with our shoes just the way that they are. But we will admit, if you insist on getting a perfect fitting shoe, maybe having a scan of your foot and a custom or semi-custom shoe printed is a good idea. Zellerfield lets you scan your feet with your phone, for example. [Stefan] at CNC Kitchen had a look at those in a recent video. The company is also in many partnerships, so when you hear that Hugo Boss, Mallet London, and Sean Watherspoon have a 3D-printed shoe, it might actually be their design from Zellerfield.

youtube.com/embed/4id0-vvu-u0?…

Or, try a Vivobiome sandal. We aren’t sold on the idea that we can’t buy shoes off the rack, but custom fits might make a little sense. We aren’t sure about 3D-printed bras, though.

Maybe the appeal of 3D-printed shoes lies in their personalizability? Creating self-printed shoes might make sense, so you can change their appearance or otherwise customize them. Maybe you’d experiment with different materials, colors, or subtle changes in designs. Nothing like 30 hours of printing and three filament changes to make one shoe. And that doesn’t explain why the majors are doing it.

Think of the Environment!

There is one possible plus to printing shoes. According to industry sources, more than 20 billion pairs of shoes are made every year, and almost all will end up in landfills. Up to 20% of these shoes will go straight to the dump without being worn even once.

So maybe you could argue that making shoes on demand would help reduce waste. We know of some shoe companies that offer you a discount if you send in an old pair for recycling, although we don’t know if they use them to make new shoes or not. Your tolerance for how much you are willing to pay might correlate to how much of a problem you think trash shoes really are.

But mass-market 3D-printed shoes? What’s the appeal? If you’re desperate for status, consider grabbing a pair of 3D-printed Gucci shoes for around $1,300. But for most of us, are you planning on dropping a few bucks on a pair of 3D-printed shoes? Why or why not? Let us know in the comments.

If you are imagining the big guys printing shoes on an Ender 3, that’s probably not the case. The shoes we’ve seen are made on big commercial printers.

hackaday.com/2025/07/10/ask-ha…

ChatGPT si è rivelato ancora una volta vulnerabile a manipolazioni non convenzionali: questa volta ha emesso chiavi di prodotto Windows valide, tra cui una registrata a nome della grande banca Wells Fargo. La vulnerabilità è stata scoperta durante una sorta di provocazione intellettuale: uno specialista ha suggerito che il modello linguistico giocasse a indovinelli, trasformando la situazione in un aggiramento delle restrizioni di sicurezza.

L’essenza della vulnerabilità consisteva in un semplice ma efficace bypass della logica del sistema di protezione. A ChatGPT 4.0 è stato offerto di partecipare a un gioco in cui doveva indovinare una stringa, con la precisazione che doveva trattarsi di un vero numero di serie di Windows 10.

Le condizioni stabilivano che il modello dovesse rispondere alle ipotesi solo con “sì” o “no” e, nel caso della frase “Mi arrendo”, aprire la stringa indovinata. Il modello ha accettato il gioco e, seguendo la logica integrata, dopo la frase chiave ha effettivamente restituito una stringa corrispondente alla chiave di licenza di Windows.

L’autore dello studio ha osservato che la principale debolezza in questo caso risiede nel modo in cui il modello percepisce il contesto dell’interazione. Il concetto di “gioco” ha temporaneamente superato i filtri e le restrizioni integrati, poiché il modello ha accettato le condizioni come uno scenario accettabile.

Le chiavi esposte includevano non solo chiavi predefinite disponibili al pubblico, ma anche licenze aziendali, tra cui almeno una registrata a Wells Fargo. Ciò è stato possibile perché avrebbe potuto causare la fuga di informazioni sensibili che avrebbero potuto finire nel set di addestramento del modello. In precedenza, si sono verificati casi di informazioni interne, incluse le chiavi API, esposte pubblicamente, ad esempio tramite GitHub, e di addestramento accidentale di un’IA.

Screenshot di una conversazione con ChatGPT (Marco Figueroa)

Il secondo trucco utilizzato per aggirare i filtri era l’uso di tag HTML . Il numero di serie originale veniva “impacchettato” all’interno di tag invisibili, consentendo al modello di aggirare il filtro basato sulle parole chiave. In combinazione con il contesto di gioco, questo metodo funzionava come un vero e proprio meccanismo di hacking, consentendo l’accesso a dati che normalmente sarebbero stati bloccati.

La situazione evidenzia un problema fondamentale nei modelli linguistici moderni: nonostante gli sforzi per creare barriere protettive (chiamati guardrail), il contesto e la forma della richiesta consentono ancora di aggirare il filtro. Per evitare simili incidenti in futuro, gli esperti suggeriscono di rafforzare la consapevolezza contestuale e di introdurre la convalida multilivello delle richieste.

L’autore sottolinea che la vulnerabilità può essere sfruttata non solo per ottenere chiavi, ma anche per aggirare i filtri che proteggono da contenuti indesiderati, da materiale per adulti a URL dannosi e dati personali. Ciò significa che i metodi di protezione non dovrebbero solo diventare più rigorosi, ma anche molto più flessibili e proattivi.

L'articolo Hai bisogno di una Product Key per Microsoft Windows? Nessun problema, chiedilo a Chat-GPT proviene da il blog della sicurezza informatica.

What has the EDRis network been up to over the past two weeks? Find out the latest digital rights news in our bi-weekly newsletter. In this edition: European Commission must champion the AI Act, EDRi pushes back against risky GDPR deregulation, & more!

The post EDRi-gram, 10 July 2025 appeared first on European Digital Rights (EDRi).

New research by Bits of Freedom investigated social media platforms Facebook, Snapchat and TikTok, and e-commerce platforms Shein, Zalando and Booking.com for their use of manipulative design. The worrying findings indicate that these platforms continue to nfluence the choices of users to their detriment despite being prohibited by laws.

The post New research shows online platforms use manipulative design to influence users towards harmful choices appeared first on European Digital Rights (EDRi).

After years of debate, the GDPR Procedural Regulation has been finalised. Despite some improvements, the final text may entrench old problems and create new ones, undermining people’s rights and potentially opening the door to weakening the GDPR itself.

The post A missed opportunity for enforcement: what the final GDPR Procedural Regulation could cost us appeared first on European Digital Rights (EDRi).

Il primo e più bel concerto della mia vita.

Siamo arrivati a S. Siro alle 15:00, io e un mio amico, a bordo della mia Guzzi V 35 II.

Quando hanno aperto i cancelli siamo corsi sotto al palco poi man mano che il tempo passava ci siamo spostati sempre più indietro in cerca di ombra e abbiamo visto il concerto dalle gradinate di S. Siro.

Casino Royale, poi i Ladri di biciclette e poi lui, Vasco.

Finale indimenticabile, Albachiara, gli accendini accesi, S. Siro è diventato un braciere.

Poi l'organizzazione ha fatto arrivare alle prime file dei dischi di stoffa tipo frisbee, centinaia, la gente ha cominciato a tirarli e lo stadio si è riempito di dischi volanti.

#vasco #SanSiro

I #Carabinieri del #ROS (Raggruppamento Operativo speciale) – col supporto in fase esecutiva dei Comandi provinciali dell’Arma territorialmente competenti e dello Squadrone Eliportato Cacciatori "Calabria” – hanno eseguito nelle aree di Roma, Reggio Calabria, Catanzaro, Cosenza, L’Aquila, Latina e Pistoia una misura cautelare in carcere emessa dal G.I.P. del Tribunale capitolino, su richiesta della Procura Distrettuale.

Interessati 28 indagati italiani e albanesi, gravemente indiziati di aver preso parte ad un’associazione criminale di matrice ‘ndranghetista, con base a Roma ed operante nell’intero territorio nazionale.

Il provvedimento si basa sugli elementi acquisiti dal ROS, nell’ambito di indagini dirette dalla Procura della Repubblica – DDA – presso il Tribunale di Roma, su un 57 enne calabrese, già precedentemente condannato in via definitiva per la violazione dell’art. 416 bis Codice Penale, quando fu ritenuto elemento apicale della "locale dii 'ndrangheta" di Volpiano (Torino), promanazione di quella di Platì (Reggio Calabria).

L’uomo, trasferitosi a Roma agli inizi degli anni 2000, aveva assunto il controllo del quartiere capitolino di San Basilio, promuovendo la nascita di un’associazione composta, tra gli altri, anche dai tre figli, con legami stabili con una paritetica struttura criminale albanese, utilizzata per gli aspetti logistici (estrazione dei carichi dai porti spagnoli e olandesi nonché per il successivo trasporto) e per lo smercio del narcotico in altre zone della Capitale.

La cocaina veniva acquisita in Sud America e fatta giungere, tramite container in alcuni porti della Spagna, a Rotterdam (Olanda) e a quello di Gioia Tauro (Reggio Calabria), anche sfruttando l’interazione con altri broker calabresi, per poi giungere sul mercato romano dove veniva smerciata al dettaglio.

Nel complesso sono stati contestati agli indagati 80 capi di imputazione per operazioni di traffico per oltre 1 tonnellata di cocaina e per 1.497 chili di hashish, nonché un episodio di tortura aggravata dal metodo mafioso, contestato a 4 indagati italiani, gravemente indiziati di avere privato della libertà personale uno spacciatore, cagionandogli sofferenze fisiche e un trauma psichico. Le torture inferte, secondo l’accusa, sono state riprese con un telefonino, per diffonderne successivamente il video al fine di generare nella vittima e nei soggetti dediti alle attività di smercio di sostanze stupefacente in zona San Basilio, sentimenti di paura, omertà e assoggettamento al volere del gruppo criminale.

Il complesso scenario emergente dall’attività investigativa ha consentito di accertare l’impiego sistematico da parte degli indagati di sofisticati sistemi criptofonici utilizzati per le comunicazioni operative e per eludere le attività di controllo. Tali dispositivi venivano approvvigionati attraverso una vera e propria centrale di smistamento, individuata a Roma e facente capo ad un 46enne albanese colpito anch’egli dalla misura cautelare per aver concorso nell’associazione.

L’attività investigativa – grazie alla estesa cooperazione internazionale avviata – ha consentito di localizzare in Spagna 5 latitanti per reati materia di stupefacenti il cui arresto, su indicazione del ROS, è stato eseguito dalle autorità di polizia locali.

Complessivamente, l’attività investigativa, conclusa con l’emissione di 28 provvedimenti cautelari detentivi, 6 interrogatori preventivi, l’arresto in flagranza di reato di 11 soggetti, nonché, all’estero, di 5 latitanti ed il sequestro di ingenti quantitativi di stupefacente (per lo più cocaina ed hashish), ha confermato:

- L’infiltrazione del territorio romano di organizzazioni, dedite al narcotraffico, di matrice ‘ndranghetista
- L’alleanza, ormai strutturale, nello specifico settore, tra la ‘ndrangheta e paritetiche organizzazioni criminali albanesi che, forti della loro ramificazione in molti paesi europei e non solo, garantiscono canali alternativi di approvvigionamento e, soprattutto, la possibilità di utilizzare porti stranieri, ove esercitano il loro controllo, per diversificare le narco-rotte
- La centralità del Porto di Gioia Tauro per le importazioni di cocaina
- L’esistenza di accordi/regole che consentono a organizzazioni di diversa matrice di spartirsi le più redditizie aree di smercio del narcotico nella Capitale
- L’utilizzo sistemico di strumenti tecnologici evoluti e non direttamente intercettabili, per le comunicazioni operative.

Le attività investigative, dirette dalla Procura della Repubblica – Direzione Distrettuale Antimafia di Roma, sono state condotte in cooperazione internazionale con diverse Polizie estere e sono state supportate dalla Direzione Centrale per i Servizi Antidroga (#DCSA), dal Servizio di Cooperazione Internazionale di Polizia (#SCIP), da #Interpol- Progetto I-CAN (#ICAN), dalla rete @net (#onnet) della #DIA, nonché dalle Agenzie #Europol e #Eurojust.

@Notizie dall'Italia e dal mondo