Is there anything obviously wrong or bad about the idea to just use whatever distro you like on bare metal. Like rolling release to get the fastest updates or immutable to make it rock solid. And then just use distrobox or toolbx with Debian and maybe Arch to run software your base distro does not provide?

I run Fedora right now but want to switch to something else. I was thinking about Tumbleweed a lot but there is quite a big portion of software which does not ship on Tumbleweed. (Theoretically you could download the .rpm file which quite a few developers provide, and install it on Tumbleweed too? But I am not 100% sure about that so please correct me about that if I’m wrong.) So I thought about Nix but the drama around that distro made me lose interest. Obviously Arch is also an idea but I don’t like my base OS to be a project itself so I’d rather not use it for now.

And yes I thought about installing homebrew or nixpkg or pixi or whatever the name of the next new package manager is. But nearly all of them are only installable by executing a script and I don’t feel comfortable doing that. Would it be safer to run scripts like that in a distrobox/toolbx?

So yeah, my initial question was whether it is viable to just choose any distro and get along with distrobox to get your software from the AUR or through .deb packages. But the question developed if it would be wise to use distrobox to execute random internet scripts without altering your base OS/putting your data to risk.

  • LeFantome@programming.dev · 5 upvotes · 7 hours ago

    Distrobox changed the way I use Linux. I cannot imagine going back.

    First, you are exactly right that it allows you to separate the app repo from the rest of what you love about a distro.

    I use an Arch Distrobox with every machine. Using Chimera Linux that uses MUSL, Clang, libc++, and BSD userland? Install anything from the Arch repos or AUR in seconds.

    But it is not just package repo size. Using an app that targets RHEL? Install it from a RHEL Distrobox.

    Doing dev for a project whose users are Ubuntu people? Build it in an Ubuntu Distrobox.

    Want to try something and do not want it to mess up your system? Do it in a Distrobox.

    Need some software for a class that will just be cluttering up your system after? Make a Distrobox for that class.

    I have a .NET Distrobox. I have a Java Distrobox. Just not having to update the IDE and frameworks all the time is a huge win.

    Mature application that I use every day that I do not want to change or break on me? Install from a Debian Distrobox.

    Rapidly developing app where I want the latest for features and fixes? Install from an Arch Distrobox.

    Tools you like that only Mint offers? Install a Mint Distrobox.

    Distrobox is the greatest.

  • sga@piefed.social · 2 upvotes · 11 hours ago

    distrobox is pretty cool. I do not use it right now, but i have used it and it worked fine.

    Is there anything obviously wrong or bad about the idea to just use whatever distro you like on bare metal.

    no. go with anything that gives you recent-ish updates plus security stuff (most good distros satisfy both).

    I run Fedora right now but want to switch to something else.

    any reason why do you want to do that. just trying out or any problems. fedora to me seems like a nice distro already. If there is any problem, maybe we can help.

    Theoretically you could download the .rpm file which quite a few developers provide, and install it on Tumbleweed too?

    It can work, but most likely it will not. to put it simply - most linux packages are effectively very fancy zip files. they use different containers and different compression algorithms. some (for example arch packages) are just zip files (or tarballs to be precise), and metadata is to be handled by separate files downloaded by pacman, hence you would not see people packaging anything for arch (you don’t have to do anything). some others (for example debian deb packages) are zip files containing 3 other zip files. one of them is the package itself, the others being metadata stuff (which have information of requirements, file lists, etc.). RPM packages are similar.

    While suse also uses the same rpm packaging format, there is no guarantee that package requirements are packaged same way in suse as fedora. If a package does not have many dependencies, it will likely work, but I would still not recommend it.

    But nearly all of them are only installable by executing a script and I don’t feel comfortable doing that.

    there is a reason for that. they want something that works across distros and setups. also this way, they know how and where they installed themselves, and after installation, they can manage themselves.

    but for these programs, I would not worry much (the ones you listed are big projects, and trusted, and you just do this once). but more importantly - these install scripts are often very simple. effectively they just download some file from server (something like github release) and then extract to some desired location. other things they do include specific setup quirks management. What I mean is that these are simple enough, that I recommend just downloading the script and reading it. if it is not downloading anything unknown, it is fine. if it is not very readable, then that is a bad sign.

    But the question developed if it would be wise to use distrobox to execute random internet scripts without altering your base OS/putting your data to risk.

    no. things can escape containers. just try to not run scripts.
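The "archive containing other archives" description above is easy to see for yourself. The following is an added example (not code from any commenter or from dpkg): it builds a small, constructed .deb in memory, then parses it the way a reviewer would, pulling out the `debian-binary` format version, the `control` fields (including `Depends`) and the payload file list. The package name `hello`, its version and its dependencies are made up for the sample. The `Depends` field names packages of the distro the .deb was built for, which is why a foreign .deb or .rpm only installs cleanly when every named package happens to exist on the host.

```python
"""Unpack the outer layers of a Debian .deb package (sample built in memory).

A .deb is an ar archive with three members: debian-binary (format version),
control.tar* (metadata: Depends, maintainer scripts, file lists) and
data.tar* (the files that get copied onto the system).
"""
import io
import sys
import tarfile

AR_MAGIC = b"!<arch>\n"


def _ar_member(name: str, body: bytes) -> bytes:
    """Encode one ar member: 60-byte fixed-width header, body, 2-byte alignment."""
    header = (
        name.ljust(16).encode()               # 0-16  member name
        + b"0".ljust(12)                      # 16-28 mtime
        + b"0".ljust(6)                       # 28-34 uid
        + b"0".ljust(6)                       # 34-40 gid
        + b"100644".ljust(8)                  # 40-48 mode (octal)
        + str(len(body)).ljust(10).encode()   # 48-58 size in bytes
        + b"`\n"                              # 58-60 header terminator
    )
    return header + body + (b"\n" if len(body) % 2 else b"")


def _tar_bytes(files: dict) -> bytes:
    """Build an uncompressed tar archive in memory from {path: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            info.mode = 0o755 if path.startswith("usr/bin/") else 0o644
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_deb() -> bytes:
    """Constructed sample; package name, version and Depends are made up."""
    control = (
        b"Package: hello\n"
        b"Version: 1.0-1\n"
        b"Architecture: amd64\n"
        b"Depends: libc6 (>= 2.34), libfoo1\n"
        b"Description: constructed sample package\n"
    )
    return (
        AR_MAGIC
        + _ar_member("debian-binary", b"2.0\n")
        + _ar_member("control.tar", _tar_bytes({"control": control}))
        + _ar_member("data.tar", _tar_bytes({"usr/bin/hello": b"#!/bin/sh\necho hi\n"}))
    )


def parse_ar(data: bytes) -> dict:
    """Return {member name: bytes} for a classic ar archive."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive (missing !<arch> magic)")
    members, pos = {}, len(AR_MAGIC)
    while pos + 60 <= len(data):
        header = data[pos:pos + 60]
        if header[58:60] != b"`\n":
            raise ValueError(f"corrupt ar header at offset {pos}")
        name = header[0:16].decode().rstrip(" /")   # GNU ar terminates names with '/'
        size = int(header[48:58])
        members[name] = data[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)               # members are padded to even offsets
    return members


def _strip_dot(path: str) -> str:
    return path[2:] if path.startswith("./") else path


def inspect_deb(data: bytes) -> dict:
    """Summarize a .deb: format version, control fields, Depends list, payload paths."""
    members = parse_ar(data)
    control_name = next(n for n in members if n.startswith("control.tar"))
    data_name = next(n for n in members if n.startswith("data.tar"))
    # mode "r:*" lets tarfile detect gzip/bzip2/xz members (control.tar.xz etc.)
    with tarfile.open(fileobj=io.BytesIO(members[control_name]), mode="r:*") as tar:
        ctl = next(m for m in tar.getmembers() if _strip_dot(m.name) == "control")
        control_text = tar.extractfile(ctl).read().decode()
    fields = {}
    for line in control_text.splitlines():
        if line and not line[0].isspace() and ":" in line:   # continuation lines start with a space
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    depends = [d.strip() for d in fields.get("Depends", "").split(",") if d.strip()]
    with tarfile.open(fileobj=io.BytesIO(members[data_name]), mode="r:*") as tar:
        files = [_strip_dot(m.name) for m in tar.getmembers() if m.isfile()]
    return {"format": members["debian-binary"].decode().strip(),
            "control": fields, "depends": depends, "files": files}


if __name__ == "__main__":
    # Pass a real .deb path to inspect it; with no argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_deb()
    summary = inspect_deb(blob)
    print(f"deb format {summary['format']}: {summary['control'].get('Package')}")
    print("depends on:", ", ".join(summary["depends"]) or "(nothing)")
    print("installs:", *summary["files"])
```

Run it against a real download (`python inspect_deb.py signal-desktop.deb`) to see which host package names it expects before deciding whether a cross-distro install stands any chance; note that Python's `tarfile` only learned zstd in 3.14, so a `data.tar.zst` member needs a newer interpreter or a pre-decompression step.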

  • dotslashme@infosec.pub · 2 upvotes · 14 hours ago

    I run a pretty barebones Arch Linux with several distroboxes. My main motivation for this setup is that I work on a lot of different projects that all have very different setups. Running them in distroboxes makes sure I can just drop the box once the project is finished, and all code and data is just wiped, without having any impact on my main setup.

  • TimLovesTech@badatbeing.social · 6 upvotes · 1 day ago

    Just go CachyOS if you can’t be bothered with Arch proper. Running an insecure container layer that brings another whole distro so you can run an app is weird when flatpaks exist for this purpose, and are much better suited for this. Seems like you’re creating a “problem” that doesn’t exist and then coming up with the most complicated way to solve this made up “problem”.

    • LeFantome@programming.dev · 1 upvote · 7 hours ago

      Distrobox solves a great many problems. I use it in Cachy all the time.

      Also, I am not sure what security Podman under Distrobox is making worse. Got an example?

      You are suggesting Flatpaks for security? Um. Ok.

      And how is calling the entire Freedesktop platform just to run an app better than the much more limited dependencies that Distrobox will pull in? And, if I already use Podman, Flatpak is a lot of extra complexity compared to Distrobox.

      • TimLovesTech@badatbeing.social · 1 upvote · 6 hours ago

        Also, I am not sure what security Podman under Distrobox is making worse. Got an example?

        From the site …

        Security implications

        Isolation and sandboxing are not the main aims of the project, on the contrary it aims to tightly integrate the container with the host. The container will have complete access to your home, pen drive, and so on, so do not expect it to be highly sandboxed like a plain docker/podman container or a Flatpak.

        You are suggesting Flatpaks for security? Um. Ok.

        OP said …

        But the question developed if it would be wise to use distrobox to execute random internet scripts without altering your base OS/putting your data to risk.

        I was suggesting a Flatpak from a supported project over a random package from wherever being run as root on their box, yes.

        And how is calling the entire Freedesktop platform just to run an app better than the much more limited dependencies that Distrobox will pull in? And, if I already use Podman, Flatpak is a lot of extra complexity compared to Distrobox.

        And I just don’t see why I would install another insecure layer that is just going to use Docker/Podman, why not just install Docker/Podman and be done. And for a desktop app installing a Flatpak seems like a better tool than a pod/docker container if you can’t get a native package.

    • theorangeninja@sopuli.xyz (OP) · 2 upvotes · 21 hours ago

      But take signal for example, they only provide a .deb package. The flatpak and the AUR package are only community packaged. And how are flatpaks better suited for this?

  • jimmux@programming.dev · 5 upvotes · 1 day ago

    This sounds a lot like the Universal Blue distros. They even have homebrew installed by default. If you’re already using Fedora it would be a pretty easy transition.

  • frongt@lemmy.zip · 5 upvotes · 2 days ago

    What software? I’ve never found the need for distrobox; any software usually has a package or tarball.

    • theorangeninja@sopuli.xyz (OP) · 1 upvote · 22 hours ago

      For example signal only provides a .deb package for Linux. And I must admit I never understood how to handle a “generic” linux package/tarball. Maybe I should dig into that one day.

  • illusionist@lemmy.zip · 4 upvotes · 2 days ago

    I switched from fedora to silverblue to now aeon (opensuse) and I use a tumbleweed and fedora distrobox. It’s almost exactly like silverblue.

    Yes, you can choose any distro. But remember that a big part of a distro is the default software and settings. Choose one which fits your likings. I wouldn’t use debian or ubuntu. I like podman, selinux, etc. But anyone has different needs.

    Since distrobox, the base distro matters less and less.

    • theorangeninja@sopuli.xyz (OP) · 2 upvotes · 22 hours ago

      Because you mentioned it, what exactly is selinux? I saw it a few times on fedora but never really understood what it’s useful for.

      • illusionist@lemmy.zip · 1 upvote · edited · 3 hours ago

        It’s for permission management. Usually the user does not see it really.

        Basically, if a hacker gains access to something, selinux secures your system by limiting the scope the attacker can gain.

        Ubuntu uses apparmor.

        I’m not deep in both topics to judge which one is actually better. I am just used to selinux and it’s good. I remember that people claimed apparmor to be easy and selinux to be difficult to handle but I can’t confirm that. For my podman containers I simply add “:Z” to the paths which the container shall have access to and I know that it can’t gain access to any other location because of this Z and selinux. If I have to debug selinux, I run sudo setenforce 0 and if it then works, I can look deeper into it.

  • Oinks@lemmy.blahaj.zone · 2 upvotes · edited · 17 hours ago

    Theoretically you could download the .rpm file which quite a few developers provide, and install it on Tumbleweed too? But I am not 100% sure about that so please correct me about that if I’m wrong.

    Yeah that’s not going to work in the general case. A trivial RPM package might be fine but every additional dependency increases the chance that it depends on some package that OpenSUSE doesn’t know. There’s a reason OpenSUSE is usually considered an independent distro and not a “Fedora-based” one despite some shared components.

    I don’t think security wise there’s much of a difference between running random software directly or via distrobox. Note that distrobox mounts your entire home directory into its containers, which removes any security benefit that containers could theoretically bring. In both cases you either need to audit the software yourself or you need to trust whoever you’re downloading the software from.

    Out of the third party repositories you mentioned, I would personally consider Nixpkgs the most trustworthy because package specs are actually code reviewed, unlike the AUR into which anyone can publish packages with zero oversight. That doesn’t mean it’s impossible for Nixpkgs to end up with malware in it, but the AUR sets a low bar. Using Nix (not NixOS) is also not actually that hard, you can just run nix-env -iA nixpkgs.yazi and it does exactly what you would expect, even if NixOS users would scoff at the “imperativity”.

    That being said, the OpenSUSE repositories really aren’t that bad. Especially if you combine them with Flatpak, and especially if you install Firefox and VLC (or equivalents of your choice) from Flatpak so you don’t need proprietary codecs in your base system. I used OpenSUSE Tumbleweed for years and got by just fine without Nix, homebrew or distrobox.
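The point made in this post and in the Distrobox "Security implications" quote earlier in the thread (the container sees your whole home) is something you can verify from inside any container rather than take on faith. The following is an added example, not code from Distrobox, Podman or any commenter: it parses `/proc/self/mountinfo` and lists every mount that lands on the user's home, on `/run/host`, on `/run/user`, or on a container runtime socket. The two sample mount tables are constructed approximations (a distrobox-style view with the host home and host root bind-mounted, and a plain `podman run -v /srv/app/data:/data` view), not captures from a real system; run the script inside your own container for the real answer.

```python
"""Report which host locations are reachable from inside a container.

Parses /proc/self/mountinfo (or text handed in) and lists mounts that sit
on the user's home, other homes, /root, /run/host, /run/user or a container
runtime socket. Samples below are constructed, not captured from a real system.
"""
import os

# Mount points that mean "host state is reachable"; matched exactly or as a prefix.
SENSITIVE = ("/home", "/root", "/run/host", "/run/user",
             "/var/run/docker.sock", "/run/podman/podman.sock")


def _unescape(field: str) -> str:
    """mountinfo writes space, tab, newline and backslash as \\ooo octal escapes."""
    out, i = [], 0
    while i < len(field):
        if field[i] == "\\" and i + 3 < len(field) and field[i + 1:i + 4].isdigit():
            out.append(chr(int(field[i + 1:i + 4], 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def parse_mountinfo(text: str) -> list:
    """One dict per mount: root (path on the source fs), mountpoint, options, fstype, source."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, _, right = line.partition(" - ")     # optional fields end at the lone "-"
        lf, rf = left.split(), right.split()
        mounts.append({
            "root": _unescape(lf[3]),
            "mountpoint": _unescape(lf[4]),
            "options": lf[5].split(","),
            "fstype": rf[0],
            "source": _unescape(rf[1]) if len(rf) > 1 else "",
        })
    return mounts


def _under(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix + "/")


def exposed_host_paths(text: str, home: str) -> list:
    """Mounts landing on $HOME or on one of the SENSITIVE locations, with an rw flag."""
    hits = []
    for m in parse_mountinfo(text):
        mp = m["mountpoint"]
        if _under(mp, home.rstrip("/")) or any(_under(mp, p) for p in SENSITIVE):
            hits.append({**m, "writable": "rw" in m["options"]})
    return hits


# Constructed approximation of a distrobox container's view: host home and host
# root visible, plus a USB stick the user had mounted under their home.
DISTROBOX_SAMPLE = r"""
1 0 0:50 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/containers/storage/overlay/l/A
2 1 0:5 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
3 1 0:6 / /dev rw,nosuid - tmpfs tmpfs rw,mode=755
4 1 259:2 / /run/host rw,relatime - ext4 /dev/nvme0n1p2 rw
5 1 259:2 /home/alice /home/alice rw,relatime - ext4 /dev/nvme0n1p2 rw
6 1 0:40 / /run/user/1000 rw,nosuid,nodev,relatime - tmpfs tmpfs rw,mode=700,uid=1000
7 1 259:3 /My\040Data /home/alice/usb rw,relatime - vfat /dev/sdb1 rw
"""

# Constructed view of `podman run -v /srv/app/data:/data` with no other volumes.
PODMAN_SAMPLE = r"""
1 0 0:50 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/containers/storage/overlay/l/B
2 1 0:5 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
3 1 0:6 / /dev rw,nosuid - tmpfs tmpfs rw,mode=755
4 1 0:7 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
5 1 259:2 /srv/app/data /data rw,relatime - ext4 /dev/nvme0n1p2 rw
"""


def report(text: str, home: str) -> str:
    hits = exposed_host_paths(text, home)
    if not hits:
        return "no host home/runtime paths mounted"
    return "\n".join(f"{h['mountpoint']:<20} {'rw' if h['writable'] else 'ro'}  "
                     f"{h['fstype']} {h['source']} (host path {h['root']})" for h in hits)


if __name__ == "__main__":
    print("constructed distrobox view:\n" + report(DISTROBOX_SAMPLE, "/home/alice"))
    print("constructed podman view:\n" + report(PODMAN_SAMPLE, "/home/alice"))
    if os.path.exists("/proc/self/mountinfo"):       # run inside the container to check for real
        with open("/proc/self/mountinfo") as fh:
            print("this process:\n" + report(fh.read(), os.path.expanduser("~")))
```

The `root` column is the useful part of the output: it is the path on the host filesystem that the mount point maps to, so a line like `/home/alice rw ext4 /dev/nvme0n1p2 (host path /home/alice)` tells you the container writes straight into your real home, which is exactly the Distrobox design choice the quoted documentation describes. Distrobox documents a `--home` option on `distrobox create` for pointing a container at a separate directory; if you use it, re-run the check, since `/run/host` and `/run/user` mounts can still expose host state.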

    • prole@lemmy.blahaj.zone · 2 upvotes · 20 hours ago

      Note that distrobox mounts your entire home directory into its containers, which removes any security benefit that containers could theoretically bring

      I think you can change this if you really want to

    • theorangeninja@sopuli.xyz (OP) · 2 upvotes · 22 hours ago

      Thank you very much for correcting me about the RPM issue!

      I don’t think security wise there’s much of a difference between running random software directly or via distrobox. Note that distrobox mounts your entire home directory into its containers, which removes any security benefit that containers could theoretically bring.

      True, I forgot that distrobox mounts the entire home directory.

      Using Nix (not NixOS) is also not actually that hard, you can just run nix-env -iA nixpkgs.yazi and it does exactly what you would expect, even if NixOS users would scoff at the “imperativity”.

      But that still leaves the question: How to install Nix in the first place? Without just running the script. Another question: This command just runs the software once without actually installing it right?

      That being said, the OpenSUSE repositories really aren’t that bad. Especially if you combine them with Flatpak, and especially if you install Firefox and VLC (or equivalents of your choice) from Flatpak so you don’t need proprietary codecs in your base system. I used OpenSUSE Tumbleweed for years and got by just fine without Nix, homebrew or distrobox.

      Awesome, thank you very much! I really should just try it out for a while!

      • Oinks@lemmy.blahaj.zone · 1 upvote · edited · 17 hours ago

        But that still leaves the question: How to install Nix in the first place? Without just running the script.

        You can download tarballs with the precompiled Nix, though you’ll still need to run an install script (but you can at least read it to convince yourself it’s not malicious), see the relevant documentation for that.

        Something that slipped my mind is that since OpenSUSE uses SELinux now, that means the recommended multi-user mode won’t work. Single-user mode should be fine afaik, but it’s a bit less convenient.

        This command just runs the software once without actually installing it right?

        The nix-env -iA does actually install the software locally, not completely unlike how a zypper in would. For running a program without installing you would use something like nix-shell -p yazi --command yazi. Of course that still downloads and “installs” the program, it just won’t add it to your PATH or create a GC root, which means the next time Nix does “garbage collection” it will be removed again.

        And yeah I would recommend just trying OpenSUSE out and then if you realize you actually really do need stuff from third party package managers, then you can worry about whether getting into Nix is a good idea or not. Or fall back to the Arch/AUR in distrobox idea which is probably simpler to do overall, especially since from what I understand that’s what you’re supposed to do on the immutable spins like Aeon.

        Late edit: I’ll also note that there are several OpenSUSE specific third party repos too. Packman has some proprietary codecs that OpenSUSE doesn’t want to ship (in case you really don’t want your browser to be a Flatpak), and the Open Build Service (OBS) which is basically the AUR for OpenSUSE. They’re not as useful because they’re nowhere near the size of the AUR, but if you just need one specific package (perhaps one with questionable legality like yt-dlp or something) they might just have it. And of course you can also build stuff from source and put it in your ~/.local/bin, which has been common practice since before Linux was able to run on real hardware.