On Thu, Feb 2, 2017 at 3:35 PM, james <gar...@verizon.net> wrote:
>
> I think that unikernels are something everyone should be aware of
> as they purport to be the latest trend in securing all sorts of systems.
> (a brief read).
>

Not really for all sorts, more for servers. Otherwise I get it, and at this point, now that I run almost everything in containers, I tend to be more inclined to run different distros in those containers.

> This is only the case because profiles are in general in a mess and there
> is little in the way of conventions. What is so sacrosanct about upstream
> for a truly embedded gentoo system or a gentoo based IoT device?

Nothing, in that space. The problem is the new user experience.

When somebody is new to Gentoo and not super-knowledgeable, the first thing they're going to do is set up a desktop. Now, they might not call it a desktop. They might not even run X11 on it. But they're basically falling into that desktop user experience where whatever they do install "just works" and is feature-complete.

It is true that we also attract advanced users who are looking for something different. They have no issues getting any distro to dance for them, and they're picking Gentoo because it is best suited for their specific need. These users are much more likely to be interested in minimal configurations, embedded systems, the hardened profiles, and so on.

However, the problem is that if we optimize mainly for the second group we basically lose the first group entirely, and I suspect that is overall going to be the bigger group.

If what you want is a "unikernel profile" for Gentoo then you're going to be changing a LOT of assumptions. Forget openrc vs systemd; there is no reason to have any init implementation on the thing. Forget linux vs bsd; there is also no reason to have a kernel in a container. We don't need any editor because you're probably going to do any config file editing from outside of the container. And that @system set that has all that bootstrapping stuff is probably way overkill if all you ultimately need is a single package to work (and maybe not all of that package).

Heck, your overall install approach also should be questioned. Rather than build your unikernel from inside its own container, you should be building from a more complete image and just installing the minimum RDEPENDs in the production container (as with catalyst or the chromiumos builds). And you probably wouldn't be upgrading such things in place either; you'd just be creating newer instances and cutting over from the old.

I don't question that it would be great for Gentoo to support all of this stuff. I just think that we need to be careful not to destroy the experience of somebody who just wants a "typical" install in order to do it.

Somebody who doesn't want to take the time to tweak how their java implementation works probably wants the default install to be something that meets the Oracle standard. Now, somebody who is into tailoring can look at their application and tweak the living daylights out of it, but that shouldn't be what you get when you run "emerge icedtea" or whatever.

Sure, you could do all that with a profile, but the problem is:

1. Maintainers aren't going to necessarily invest in that profile.
2. New users won't necessarily use that new profile.

And when those things don't happen, users look at Gentoo as the OS that nothing works right on.

--
Rich
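One concrete shape for the "build from a more complete image, ship only the RDEPENDs" approach described in the reply above, as an added example that is not part of the thread and not Gentoo's own tooling: a two-stage container build where a full stage3 image does all the compiling and the production image starts from scratch with nothing but the package's runtime root. Portage installs a package's runtime dependencies into the directory given by --root while satisfying build-time dependencies in the builder's own /, which is what makes the split work. The image name gentoo/stage3, the placeholder package app-misc/foo, the /out staging root and the /usr/bin/foo entrypoint are assumptions; substitute the real package and binary.

```dockerfile
# Stage 1: a complete Gentoo build environment. Nothing here reaches
# production unless it is explicitly copied out below.
# (gentoo/stage3 is assumed to be the official stage3 image.)
FROM gentoo/stage3:latest AS builder

# Fetch an ebuild tree snapshot; the stage3 image does not carry one.
RUN emerge-webrsync

# Install the target package into a throwaway root. Build-time deps
# (DEPEND) are satisfied in the builder's /, only the package and its
# RDEPEND tree land in /out. No @system, no init, no editor, no kernel.
# app-misc/foo is a placeholder for the one package you actually need.
RUN emerge --quiet --root=/out app-misc/foo

# Stage 2: the production image is just the staged root on top of
# nothing. Config edits happen outside the container, on the image
# source, and a new instance is cut in rather than upgrading in place.
FROM scratch
COPY --from=builder /out /

# /usr/bin/foo is an assumed binary name for the placeholder package.
ENTRYPOINT ["/usr/bin/foo"]
```

Build with `docker build -t foo-minimal .`; the builder layer can be large and short-lived while the final image contains only what `emerge --root` wrote. Expect to add a few pieces a scratch base lacks (an /etc/passwd entry for an unprivileged user, CA certificates if the service speaks TLS) and to pin the ebuild tree rather than using the snapshot of the day if you want reproducible rebuilds.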