CirnOS - Brainstorming period

I planned to add calamares to NixOS… sometime: NixOS Calamares installer · Issue #100475 · NixOS/nixpkgs · GitHub … along with 100 other things I want to do.

If you do make a calamares installer, please upstream it to the main NixOS repo. It would fit very well with the graphical installer.


In any case, if we measure success by the number of forks, Debian is the king. And we should encourage more NixOS forks :smiley:

I don’t think there’s as much of a precedent to do forks. A lot of forks for most distros are, “like our parent distro, but we come with X installed by default”. For example, Xubuntu. Since NixOS is so compose-able, we don’t really need to do the forking model to provide a Gnome, or Plasma, or Cinnamon experience; that’s just part of NixOS.

Having a curated overlay for a specific domain I think would make sense. For example, we could have a “ScieNixOS” fork, which provides a curated overlay prioritizing science and Machine Learning packages. So we could have tensorflow_1 and tensorflow_2 working by default, etc. And perhaps provide more versions of libraries for people to pick and choose from.


Yes, perhaps I used the wrong wording, I think an overlay would be ideal here. It still might be considered a fork due to a different organization distributing installer ISOs.

More Hydras and build farms can't be a bad thing!

https://clearlinux.org/

is quite interesting for Intel-based architectures… lots of things are compiled with optimisations for Intel-specific CPUs and extra optimisation patches.

Might be an interesting piece of research to find out what their secret ‘source’ is, and see if some of those optimisations and patches can be ported in some way. A fork might be a great place to try these optimised builds out.

There’s a bit more about that idea here: Adopt "clear linux" patches? · Issue #63708 · NixOS/nixpkgs · GitHub (but maybe OT for this exact thread? just wanted to mention it.)


If I could spend more and more time on the NixOS project, I would make a tool to easily compare packages downloaded from some sites and built locally and publish some sort of reputation of the package (“XYZ seems now reproducible, finally! (+1)”) and/or the cache sites (“ABC provided by cache.nix-is-awasome.example and one built by myself were not identical while the local build and the one from cache.nixos.org match… (-1)”).

Guided installer is desired of course, as commented by someone above.

User experience things aside, reducing the seed binaries required to bootstrap NixOS (like GNU Guix) is what I would like to see in the future. Also, improvement of reproducibility even if an upstream project did something undesired would be helpful, as I don’t want to see certain errors on my daily-use computers.

Security hardening, like AppArmor, stackable LSMs, audit subsystem, applying systemd sandbox to more services and so on, is truly needed for not only servers but also desktop PCs, as most of us (are forced to) run untrusted third-party programs downloaded silently on our computers via web browsers every day.

(By the way, Cirno is already the unofficial mascot character of 9front, a fork of the Plan 9 operating system :wink:)
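The comparison tool proposed in this post, sketched as an added example (not code from the thread): it parses `.narinfo` documents, the per-store-path metadata a Nix binary cache serves, compares each cache's NarHash with the hash of a local rebuild, and tallies a reputation for packages and for caches. The cache names, store paths and hash values are constructed placeholders; only the narinfo key/value layout is the real format.

```python
from collections import defaultdict

HELLO = "/nix/store/0000000000000000000000000000000a-hello-2.12"  # constructed path
FOO = "/nix/store/0000000000000000000000000000000b-foo-1.0"       # constructed path

def narinfo(path, narhash):
    """Build a constructed .narinfo document for a store path."""
    return (f"StorePath: {path}\nURL: nar/x.nar.xz\nCompression: xz\n"
            f"NarHash: {narhash}\nNarSize: 4096\nReferences: \n")

def sample_data():
    """Constructed inputs: NarHash of local rebuilds (e.g. from `nix path-info
    --json`) and narinfo texts fetched from two caches. Hashes are made up."""
    local = {HELLO: "sha256:1111aaaa", FOO: "sha256:2222bbbb"}
    caches = {
        "cache.nixos.org": {HELLO: narinfo(HELLO, "sha256:1111aaaa"),
                            FOO: narinfo(FOO, "sha256:2222bbbb")},
        "cache.example.net": {HELLO: narinfo(HELLO, "sha256:1111aaaa"),
                              FOO: narinfo(FOO, "sha256:ffffffff")},  # differs
    }
    return local, caches

def parse_narinfo(text):
    """Parse 'Key: value' lines into a dict. Split on the first ':' only,
    because NarHash values themselves contain a 'sha256:' prefix."""
    info = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            info[key.strip()] = value.strip()
    return info

def score_caches(local_hashes, cache_narinfos):
    """Return (package_verdicts, cache_scores). A package counts as
    'reproducible' once at least one cache agrees with the local rebuild;
    a cache gains +1 per matching path and -1 per mismatch or wrong path."""
    reproduced = {path: False for path in local_hashes}
    scores = defaultdict(int)
    for cache, paths in cache_narinfos.items():
        for path, text in paths.items():
            info = parse_narinfo(text)
            if info.get("StorePath") == path and info.get("NarHash") == local_hashes.get(path):
                scores[cache] += 1
                reproduced[path] = True
            else:
                scores[cache] -= 1   # cache disagrees with our own build
    verdicts = {p: ("reproducible" if ok else "not reproduced") for p, ok in reproduced.items()}
    return verdicts, dict(scores)
```

In the constructed data both packages reproduce locally, while the second cache ships a differing NAR for foo and ends the run with a lower score than cache.nixos.org.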

Hi!

Nice of you to discuss here. And good ideas!

It would be impolite for anyone to tell you what you do with your time but I feel that the nix ecosystem is confusing as it is for beginners and adding a new “fork” would just add to it.

Might I suggest you use nix-community as your org? This way you will also have access to zimbatm’s generously provided compute resources.

That said, it’s especially important to remember what kind of community one wants to build. (Sorry, no way to put this nicely …) I just hope you don’t market your thing like Manjaro. Or, god forbid, Rust. Once there is enough population of novelty hunters they take over the community and the only content you see on their forums is either self-congratulatory or comparison with others.

I often see the conversation coming to the installer but:

  1. no one ever mentions what exactly the pain points are and how the curses version of parted + nmcli cannot fix it mostly.

  2. how someone who isn’t comfortable with the command line or cannot navigate linux without a step-by-step program (wizard) expects to be able to use nix, and more importantly, benefit from it.

Also, I believe the logo is the property of the NixOS Foundation and they are ethically obligated to disallow the use of lookalikes so that users don’t unknowingly use something that is not on par with their standards.

Thanks again for the discussion, you seem to have well fleshed out ideas, and I hope to use them in Nix pkgs mainline eventually …


Security hardening, like AppArmor, stackable LSMs, audit subsystem, applying systemd sandbox to more services and so on, is truly needed for not only servers but also desktop PCs, as most of us (are forced to) run untrusted third-party programs downloaded silently on our computers via web browsers every day.

To be fair, you list a lot of things which are more about services, and what you need for your stated (well-founded) complaint is multiple browser instances (to reduce cross-contamination across sensitivity contexts) in roughly speaking firejail…

(Which is definitely a good idea, I run like that — although of course it is also a good idea to grab plain HTML and read via something… simpler… wherever possible, which is a much larger fraction of Web than some spyware-Javascript-mongers would prefer you to believe)

You are definitely correct. I had thought about something like browser sandbox escape, but actually in-browser secrets were low-hanging yet potentially higher-priced fruits. I am sorry for confusing claims.

Browser sandbox escapes, cross-context in-browser leaks, and just tricking the user to pick a wrong file to upload are all possible and all bad. And the measures you list could be useful on top of a proper sandboxed-instance-separation anyway, surely nothing to be sorry about having said.

I wonder if firejail or something similar (together with xdg-portal?) could be indeed polished to the level of «clearly better than anything else what an unprepared user can handle otherwise»…


They’ve replaced Glenda?! I realise it’s a fork, but still, I’m shocked.

https://9p.io/plan9/glenda.html

The trick to making something secure is to add so many security mechanisms, protections and layers that it renders the machine unusable and unmaintainable due to complexity. If the machine is unusable to humans and cannot be repaired, no keys are likely to be generated or indeed leaked… the system will be so broken no unauthenticated code will run, however this does have the slight side effect that no other code will run either… This is called a non-functional secure system… and it’s 100% secure.


http://fqa.9front.org/fqa1.html#1.1.1

Please keep in mind that this is an unofficial Frequently Questioned Answers page.

And our goal is a purely functional secure system that is 100% (referentially) transparent, right?


nix/OS is a build system; you’re still building something else, using the build system of the projects that need to ‘put software together’. You’re kind of at the mercy of how other languages build software and manage their dependencies and configuration. That’s even before you have the software running.

I’m always fearful not to drink too much docker koolaid or in fact nix/OS koolaid (however nix/OS does taste a little better); in the weeds things can get hairy… and the devil is in the details sometimes. Yes, I’m talking about the murky depths of the dynamic linker and all that other ‘stuff’ end users don’t see, or seldom care about, and the dreaded ‘it works on my machine’ syndrome.

I’d rather have 1000 people looking at/refactoring/debugging and fortifying code… than 1000 security ‘band aids’ placed on top of an OS. Refactoring the OS into something which rethinks security architecture is the right way to go (and have a level of backward compatibility)… that is why Spectrum OS shows such promise.

The classic buy ‘skin’ not ‘tin’…


I’d rather have 1000 people looking at/refactoring/debugging and fortifying code… than 1000 security ‘band aids’ placed on top of an OS.

Debugging lasts until the next upstream bump, band aids last longer actually…

Making sure they are actually layers and not too intertwined is useful, of course

Refactoring the OS into something which rethinks security architecture is the right way to go (and have a level of backward compatibility)… that is why Spectrum OS shows such promise.

Namespace-based jails pose quite a few fewer tricky things, and so might be applicable more generally and with less user tuning than a truly proper VM-based approach.


Yeah, as someone said, mitigation is another attack surface, and designing a clean and robust architecture is desired.

Getting back to the original topic, installing a system is not the only concern; maintaining it is, too. How can we present useful concepts like generations, switching/rolling back profiles, configurations, overrides and such, in a bit more user-friendly way? This is as important as Calamares (or anything similar) IMHO.

That’s a difficult one. It’s not simple… to understand how nix/OS differs from unix, you have to have a good knowledge of how unix works.

I think it’s probably easier to understand how nix/OS works if you’ve never ever used a unix or linux system before… believe it or not. You just have to unwire what you’ve learnt.

I’ve been working on some interactive nix tutorials, that basically give you a fresh nix/OS system and scenarios that give the users a bit of practice and guidance along the way.

Nix/OS is user friendly; as they say with unix, unix is user friendly, it’s just very particular about who its friends are… I guess you have to be very friendly with Unix (as a developer) before Nix/OS will even talk to you. Very tricky…

I’m quite tempted to set up something like nixcon, but a week-long ‘nix/OS crash course’, where students (victims) can come for a whole week, a bit like a bootcamp, but… nixcamp… ;-)… Let’s hope that’s possible one day.

Sometimes you just can’t beat real-world, face-to-face training… over any youtube video or ‘extensive’ manual.


Not directed at anyone in particular but let’s keep the thread on topic. What needs to happen to make a user-friendly version of NixOS?

@cirno one thing you can do is create an IRC channel so that interested parties can join.

One advantage of a fork is that less technical users could interact over there. I remember, from a previous discussion, that one concern on improving the install experience was to get too much noise in the community.

@cirno: do you have a transparent version of the nixos-cirno logo? Asking for desktop wallpaper reasons, for a friend of course. :smile:

:nine::nine::nine: