There's still the data migration issue. If you follow unstable all the time, an app may update its data files or databases at startup. Then, you can still roll back the binaries, but they'll just refuse to work (best case) or corrupt the unknown data format (worst case).

Yes, it's worth having ~hourly snapshots of your machine, using something like: https://github.com/digint/btrbk

You can still roll-forward specific apps - use the up to date ones if you really need to.

Indeed.

As soon as lanzaboote works with stable, I'll go back to stable (but I think that is not the case yet, sadly).

Lowkey plug for lanzaboote though. Getting secure boot working went pretty well for me thanks to it.

Does Secure Boot with NixOS even make sense? In an ordinary Secure Boot setup, you get the kernel/initrd/etc. with signatures from a trusted vendor, but with NixOS it is going to obviously sign everything locally. That means that you are not protected against bootkits and a root compromise is still just as bad as ever.

I suppose in combination with LUKS you could at least prevent evil maid attacks, to the extent that your machine's firmware is actually secure, but it seems like a lot of work for just that...

To be honest, for me it boiled down to "I don't have to type in my LUKS password by hand" combined with some intellectual curiosity.

I didn't have some strong security-driven mindset behind it.

That said I did also lock down my BIOS with a password (to prevent disabling secure boot).

+1.

I'm keen for secure boot and TPM FDE, and would like to see lanzaboote in nixpkgs.

Following up on this, has anyone tried this and seen how well it works in practice?

“ Speedify, a proprietary VPN which allows combining multiple internet connections (Wi-Fi, 4G, 5G, Ethernet, Starlink, Satellite, and more) to improve the stability, speed, and security of online experiences. Available as services.speedify.”