Big Distro

A plea for Debian, Fedora, openSUSE & Ubuntu

I like to read GNU/Linux hobbyist forums from time to time. Partially to keep up with all the changes that are constantly happening within the lovely world of Free Software, but mostly because I’m just very excited about GNU/Linux. It is quite possibly the world’s biggest international collaborative effort, and that’s just mind-bogglingly cool—the idea that people from all over the world come together to make this amazing tool for everyone to freely use. And it works! Most of the time, anyway.

There is one thing that bothers me about the hobbyist forums, however, and that is:

btw i use arch

The prevalence of Arch Linux. Now I don’t actually intensely dislike Arch Linux, and this post isn’t “Ten Reasons Arch Linux Sucks”. It’s a fine distribution that gets a lot of things right for the hobbyist crowd, and I am sure that it is a technologically sound distribution. This post isn’t even about Arch Linux specifically—it is about the host of distributions with which Arch shares a lot of attention in the popularity contest. There is no immediate pattern that binds these distributions, but among them are Manjaro, Linux Mint, elementary OS, Solus, Zorin OS, Pop!_OS, NixOS, et cetera.

The crux is that I am a little sad that these distributions win out in the popularity contest. Generally speaking, these distributions serve very specific niches: A rolling release distribution model, a focus on a certain desktop environment, an experimental package manager, or some combination thereof. These distributions distinguish themselves very clearly, but it is my opinion that the best distribution distinguishes itself not in any single category, but in its general purposeness.

Or rather, that is a half-lie. General purposeness is a direct consequence of the main trait I seek in a distribution: Size. I am talking Big Distro. This is a plea for Debian, Fedora, openSUSE, and Ubuntu.

Size and general purposeness

When I talk about size, I’m not concerned about the amount of disk space the default disk image takes up. Rather, I’m honing in on a vague metric at the intersection of market share, project size, and the amount of packages. There is something that sets Debian, Fedora, and to a slightly lesser extent openSUSE and Ubuntu apart from all the other distributions—the sheer scope of these projects.

These projects are absolutely massive with hundreds of active contributors each. And the contributions aren’t just limited to packaging; the projects have people working on internationalisation, infrastructure, support, new software development, quality assurance, outreach, documentation, design, accessibility, security, and the awe-inspiring task of coordinating all of this work.

As a result of collaboration at this massive scope, these distributions have an unmatched general purposeness. Just about anything you might want to do, you can do with these distributions, and you can be fairly certain that it’s supported.

Contrast this with other distributions, and you’ll find that they have much smaller teams supporting them. Arch Linux actually stands out here in having a sizeable contributor base, but Solus has only a handful of people actively working on it. Mind, this isn’t necessarily indicative of quality, but certainly of scope.

But why does scope matter? Surely Solus is simply just good at what it does, which is providing a high-quality Budgie desktop, and doesn’t need to do anything else.

Security

The best example of scope being important is security. You simply need people working full-time on security if you’re creating a distribution that you expect people to use for their privacy-sensitive computing. Certainly if I’m relying on an operating system, I get some peace of mind in knowing that there is a team of people that is actively trying to make sure that the whole thing is and stays secure.

Security is a daunting task, because security flaws can creep in anywhere. It isn’t sufficient to simply use the latest version of all software and rely on upstream to get things right, because security flaws can be introduced by the way that distribution makers configure, combine, or distribute the software.

Although I don’t intend to name-and-shame in this article, I think that the smaller distributions do a generally less-than-stellar job in the security department. Especially noteworthy is Linux Mint containing malware for a while because their website had been compromised. The linked LWN article is worth a read, and echoes some of the sentiments I am writing here:

The Linux Mint developers have taken a certain amount of grief for this episode, and for their approach to security in general. They do not bother with security advisories, so their users have no way to know if they are affected by any specific vulnerability or whether Linux Mint has made a fixed package available. Putting the web site back online without having fully secured it mirrors a less-than-thorough approach to security in general. These are charges that anybody considering using Linux Mint should think hard about. Putting somebody’s software onto your system places the source in a position of great trust; one has to hope that they are able to live up to that trust.

It could be argued that we are approaching the end of the era of amateur distributions. Taking an existing distribution, replacing the artwork, adding some special new packages, and creating a web site is a fair amount of work. Making a truly cohesive product out of that distribution and keeping the whole thing secure is quite a bit more work. It’s not that hard to believe that only the largest and best-funded projects will be able to sustain that effort over time, especially when faced with an increasingly hostile and criminal net.

Though, in the spirit of fairness, it goes on to add:

There is just one little problem with that view: it’s not entirely clear that the larger, better-funded distributions are truly doing a better job with security. It probably is true that they are better able to defend their infrastructure against attacks, have hardware security modules to sign their packages, etc. But a distribution is a large collection of software, and few distributors can be said to be doing a good job of keeping all of that software secure.

Linux Mint is not the only distribution that has struggled with security. Manjaro let their SSL certificate expire not once, but twice, and suggested some questionable workarounds. Frustratingly, these two distributions are often recommended to beginners and laypeople.

Accessibility

Accessibility is important, and a lot of smaller distributions fail immensely on this front. Arch Linux is nearly impossible to use if you are technologically disinclined or have a disability that makes using a TTY terminal difficult. Strangely, some people see this as a strength of Arch Linux. I disagree firmly with this. At best, Arch Linux sacrifices accessibility to enhance or enable some of their niche goals. Its developers might justify this choice because non-technical and disabled people simply aren’t their target audience.

But accessibility is important, and GNOME is the only desktop environment I can think of that takes accessibility absolutely seriously, followed by KDE Plasma. Incidentally, GNOME is the default desktop environment of three of the four Big Distros, and openSUSE ships both GNOME and KDE Plasma in their installation image.

Everything else is important, too

The other aspects of scope are a little difficult to individually highlight, but I think they are all important in a project. For example, both openSUSE and Fedora use openQA to test their distributions as a cohesive whole. This completely automated suite runs hundreds of tests, and catches bugs before humans do. At the risk of saying the obvious, quality assurance makes a distribution better, and bigger distributions have more resources to do good quality assurance.

And at the risk of repeating the obvious, X makes a distribution better, and bigger distributions have more resources to do X. Substitute X with internationalisation, infrastructure, support, outreach, documentation, design, accessibility, and so forth.

In conclusion to an earlier question: Solus is good at what it does, which is providing a high-quality Budgie desktop, but it would be a lot better if it had the resources to do everything else as well.

But it doesn’t. And unless it grows to join the list of Big Distros, it won’t.

But I’m not personally affected

An obvious retort would be that—barring perhaps security—none of that matters, because I’m happy with my favourite niche distribution! And there is little that can be said in response to that individually. If you’re happy with a distribution, then keep doing what you’re doing, and don’t pay too much attention to an opinion-haver on the internet.

But I don’t think that that retort is sufficient. You see, I want Free Software to actually succeed. I want to live in a world where Free Software has won. And towards that end, I don’t think the smaller distributions are sufficient at all. A lot of work goes into creating a cohesive, all-encompassing distribution for the masses, and the likes of Linux Mint aren’t up to that task.

It’s the difference between “what would happen if I installed Linux Mint on my grandmother’s computer?” and “what would happen if I installed Linux Mint on the computer of millions of laypeople?". Grandma is probably going to be just fine individually, but the masses are seriously underserved by an understaffed distribution.

I see GNU/Linux as the public technological infrastructure of the future. And towards that end, I think we can do better than fractured, tiny distributions that serve hyper-specific niches.


Footnote: Linux Mint is a derivative distribution

Because Linux Mint is 99% identical to Ubuntu owing to its derivative status, one might argue that it benefits both from the scope and size of the Ubuntu project as well as the additional expertise that goes into it. That would make a lot of the above arguments null and void, because you’re basically using Ubuntu.

I want to argue instead that Linux Mint loses a lot of the benefits of the scope of Ubuntu. Linux Mint has to duplicate a lot of the effort that goes into Ubuntu. It obviously needs its own infrastructure, translations, design, and so forth. But it also needs its own quality assurance and security team. By introducing small changes to the cohesive whole, Linux Mint introduces a lot of vectors for errors and security flaws.

Moreover, Linux Mint changes the desktop environment, which is like the most important component for your average user. All of the quality assurance and accessibility work that Ubuntu and others put into GNOME does not apply to Linux Mint’s Cinnamon. So on the contrary, you are not basically using Ubuntu. You are using Ubuntu with its most important component replaced. It’s the difference between getting a car from a trusted car manufacturer, or that same car, but some hobbyists changed the entire interior.

See also