Mythos Preview is better at finding real vulnerabilities than existing public models and, for now, only a few have access to it.

Not zero bugs, but it should help. A benefit for defenders is that they can use AI review on code before they make it public or release it in a stable release

Correct, that’s what I meant by calling it a lightweight sandbox that’s mainly used to isolate dependencies.

Though the cool thing about cold brew is that it’s simply a shell script. Not even a crazy long one at that. It would not be difficult to modify the bubblewrap flags to increase security.

Though filesystem isolation is not its goal, it’s meant to emulate that homebrew use which is unsandboxed.

That’s my gripe with Atomic distros. I feel like they don’t take the time to think things through and throw together. Instead, they throw together a new thing to address the shortcomings of the previous five things.

Love them or hate them, it feels like the only player sticking to their guns is Canonical with snap. It’s the only package manager that really does it all: GUI, CLI, IDEs, server, daemons, even the kernel and GRUB. Honestly, when the permission prompting is stable, I might be tempted to give it another chance.

Coldbrew kinda works like that. It uses bubblewrap and uses Alpine’s packages: https://gitlab.postmarketos.org/postmarketOS/coldbrew.

The unfortunate thing about snap is that of all options, it is the most capable. You get GUI, CLI, server, full filesystem access if needed (aka classic snaps). But Canonical really drags the project down and handicaps it with poor decisions.

• It’s pretty minimal out of the box (a bit like Arch). Unlike Fedora with SELinux or Ubuntu with AppArmor which come configured and enforcing out of the box.
• Nix is a programming language, and a complex one at that. There are plenty of ways to achieve the same goal. But as a novice or even intermediate user, it’s hard to know which is the best way. It also doesn’t help when you go with Way A and later want to do something else, but you find someone’s setup that uses Way B. Should I switch to Way B too? Or should I try to combine both ways into Way C?
• Flakes. First off, it’s annoying to have everyone say that NixOS is declarative and reproducible. Then you look into it a bit more and the story changes to “oh actually you need to enable this experimental feature to get better reproducibility”. But the part that actually annoys me is how everyone uses flakes and expects you to too, but it’s been an experimental feature forever and doesn’t seem any closer to becoming not-experimental.
• Linking issues. Say I install something like nvim with nix, then an nvim plugin wants to install something. That plugin isn’t aware of nix and tries to do things the Unix way, but that breaks. I know there are two solutions/workarounds to this problem; some packages are patched to avoid this and there’s something you can put in your configuration that “emulates” a more traditional environment that’s more compatible.
• I like sandboxing so I would use flatpak in NixOS. But there was some issue with fonts and icons I believe. I can’t remember if this PR fixed it or not: https://github.com/NixOS/nixpkgs/issues/119433
• Not the best UX out of the box. It’s common to find people with nix caches of hundred of gigabytes large because the system doesn’t automatically clean things up.

Brew installs both applications and their dependencies. When brew is added to the PATH, it also puts all those dependencies on your PATH.

For the most part, this does not cause issues. The OS usually uses absolute paths for binaries and dependencies. But for some programs, they will rely on PATH and may not be compatible with what brew provides.

Ideally, I think brew should fix this by only adding what you explicitly install to your PATH. When you launch it, it should launch a wrapper script that updates PATH with the homebrew dependencies. Though that wouldn’t exactly work for those who install a shell like zsh since then that would inherit the brew libraries anyway.

Or instead of changing PATH at all, use a fancy linking mechanism like Nix.

Universal Blue does some path tinkering to fix this, not sure how though. KDE Linux also has their own workaround, where they instead prioritize system dependencies over brews so that it’s brew that would break instead of the OS.

Little more info from KDE:

• https://invent.kde.org/kde-linux/kde-linux/-/merge_requests/408
• https://pointieststick.com/2026/03/14/this-month-in-kde-linux/

I’ve used NixOS, wasn’t that big of a fan. I certainly love the idea, but not the execution. Fedora Atomic just comes out of the box as a more complete, configured system that’s easier to understand.

I have been meaning to use Nix on Atomic, but the problem is that since / is immutable, Nix cannot create /nix and so doesn’t work properly. But there are workarounds for that issue, I just haven’t tried them yet.

Nix certainly fixes the PATH issues of homebrew since it has its unique linking system.

Not sure how I feel about this “distroless” pattern. It’s interesting to be able to get components directly from upstreams from like Gnome, but it makes certain tasks more difficult.

The lack of any distro packages to fall back on when flatpak, distrobox, appimages, and brew fails is simply annoying. I’ve experienced this multiple times.

• When I would flash OSes on my Pixel, I couldn’t use flatpak/distrobox/brew. I would either have to (1) overlay a browser and ADB tools, (2) overlay ADB and maybe use an Appimage browser, or (3) boot into a traditional distro like Debian that has an unrestricted browser. Distroless has no recourse for me here.
• Using sshfs: installing sshfs from brew or distrobox would not work without host configuration changes made by overlaying sshfs. Distroless has no distro package to fall back on
• Using tailscale: tailscale from brew didn’t work. Had to fall back on distro package. Distroless would fail me here, but in this case, I believe Jorge preinstalls it. So simply adopt all of Jorge’s tastes and applications and you’ll be fine…
• No upstream Steam support since there’s no rpmfusion or official valve package to use, you’d have to use something like the unoffical Steam flatpak

While I love Fedora Atomic and atomic distros in general, I constantly feel like they do not think things through. They made the system harder to break, but with severely limited (if you use them the way you’re encouraged to, like no layering). They then address these gaps one by one with more and more solutions that are imperfect and that do not fit all needs.

• Flatpak is good for GUI apps, but not CLI.
• Brew is good for CLI stuff, but does funky PATH things that could break host OS at times (and as mentioned, did not work for sshfs or tailscale for me). KDE Linux initially promoted Brew, but then later recommended not using it at all due to its PATH shenanigans
• Distrobox is good if you need distro packages, but the containerization has limitations with desktop integration and more complex tasks, like I mentioned with flashing OSes on my Pixel.

At least with Fedora Atomic (and containerfiles with bootc stuff), I can get a robust system, seamless OS upgrades, and install any packages that do not work well as flatpaks/distrobox/appimages.

I can understand MIT being an issue in some cases. For example, VSCode is a proprietary fork of the MIT open-source Code. If Microsoft wanted, they could stop publishing the MIT open source version. Of course that code would still exist as MIT, but development would slow down without Microsoft.

But I don’t see uutils being MIT as an issue. It’s primary goal is to be compatible with GNU coreutils. You can’t really rug pull a project with a goal like that. And permissively licensed utils have been around thanks to BSD and it’s never been an issue. You don’t see companies like Apple using proprietary forked versions as benefit. The “value” they add is higher up the tech stack with their own truly proprietary stuff or open stuff that encourages lock-in to its ecosystem, like Swift.

Snap as a technology is so interesting and more versatile than other formats. It’s just unfortunate that Canonical is in charge of the project, they’ve made some baffling decisions and continue to shoot themselves in the foot.